
read receipts
The Email Header That Sends Your Reply Straight to a Thief
Business email compromise rarely bothers faking the sender. It just changes one field your inbox politely hides from you.
Here's a scam that costs American businesses more money than ransomware, malware, and data breaches combined, and it usually doesn't involve any malware at all. No malicious link. No infected attachment. Nothing for your antivirus to catch. Just an email that looks like it came from your CFO, and a reply that quietly goes somewhere else.
That somewhere else is the trick. And it lives in a header field almost no email client shows you.
The field is called Reply-To. It's been part of the internet mail standard since the beginning — RFC 5322 defines it as the address where responses "should" go, separate from the From address. In legitimate use it's boring and helpful. A newsletter sends from [email protected] but sets Reply-To to [email protected] so your questions land with a human. That's it. That's the honest job.
Business email compromise turns that convenience into a weapon. Instead of the hard, technical work of spoofing a From address — which trips SPF, DKIM, and DMARC alarms and gets flagged — the attacker just registers a lookalike domain or a throwaway Gmail. Then they set the display name to "Karen Vasquez, CFO" so your inbox shows a familiar human name in bold. The actual From address might be [email protected], but you don't see that; you see "Karen Vasquez." And crucially, they set the Reply-To to an address they control.
So you read the email. It's short, plausible, a little urgent. "Are you at your desk? I need you to process a wire before the bank closes." You hit reply. Your client, being helpful, addresses your response to the Reply-To — not the From. You're now talking to the attacker, and every message you send confirms you took the bait.
The scale here is not a rounding error. The FBI's Internet Crime Complaint Center logged $2.9 billion in reported BEC losses in 2023 alone, across more than 21,000 complaints. That's the reported number, from people who noticed and filed. The real figure is larger, because a wire that clears looks like a normal Tuesday until reconciliation.
What makes this maddening is how the defense is right there and hidden. Every mail client knows the Reply-To value. Almost none surface it. Gmail collapses the sender into a display name and a tiny caret you have to click. Outlook buries the real addresses under "View source" or a properties dialog most people have never opened. The one field that reveals the con is the one field the interface treats as clutter.
So train the habit. Before you reply to anything involving money, changed banking details, or urgency, expand the header. In Gmail, click the down-arrow next to the sender's name and read the actual "reply-to" line. If the From says one thing and the Reply-To points to a different mailbox, stop. That mismatch is rarely innocent in a finance email.
Better still, don't reply at all. Start a fresh message to the address you already have saved for that person, or pick up the phone and call a number you didn't get from the email. Attackers count on you staying inside the thread they built.
The grim elegance of this scam is that it passes every automated check by not breaking any rule. The From address is technically real. The domain authenticates fine. Nothing is forged. The lie isn't in the plumbing — it's in the one line your software decided you didn't need to see.
Sources
- FBI IC3 — 2023 Internet Crime Report, BEC loss figures
- IETF RFC 5322 — Internet Message Format spec defining the Reply-To header field
- CISA — Guidance on social engineering and verifying sender identity