
read receipts
The Fake Invoice That Aced Every Spam Test
It came from a real company, passed every authentication check, and still tried to steal $48,000. Here's the line that gave it away.
A vendor you've paid a dozen times emails a fresh invoice. Same logo, same account manager, same polite sign-off. The only difference is one line buried in the email's header — and that line just rerouted your $48,000 payment to a stranger in another country.
This is the part of inbox fraud nobody warns you about: the dangerous invoices aren't the sloppy ones. They're the clean ones. A scammer who breaks into a real business email account doesn't have to forge anything. The mail goes out from the genuine domain, signed with genuine keys. SPF passes. DKIM passes. DMARC passes. Your spam filter shrugs and waves it through, because as far as the math is concerned, this is legitimate mail. It is. It's just being sent by the wrong human.
That's why business email compromise is the most expensive scam going, and it isn't close. The FBI's Internet Crime Complaint Center logged roughly $2.9 billion in BEC losses in 2023 alone — wire transfers that left on the strength of an email that looked, by every automated measure, completely fine. No malware. No dodgy link. Just a believable request to update payment details, sent from an inbox that had been quietly hijacked.
So if the spam score won't save you, what does?
Two header lines you can read in under a minute: Reply-To and Return-Path.
Here's the difference, in plain terms. The From address is what you see on the front of the envelope. The Return-Path is where bounce messages go if delivery fails — the technical "sender" the receiving server actually cares about. And Reply-To is the address your reply quietly gets sent to when you hit the button. As DMARC.org spells out, these can legitimately differ, which is exactly what makes them useful as a tell. On honest mail from a vendor, all three usually line up under the same domain. On a hijacked-account scam, the attacker often leaves the From untouched — it has to look real — but slips in a Reply-To pointing somewhere else. The vendor's real address on the front, an attacker-controlled address on the reply. Different domain. Sometimes off by a single character.
The attacker does this for a simple reason. They may control the compromised mailbox right now, but they don't want your reply landing back in the real owner's inbox, where the real employee might notice an invoice they never sent. So they redirect the conversation to an address they fully control. That redirect is the fingerprint.
Finding it takes about 20 seconds. In Outlook, open the message and use File → Properties to see the internet headers; Microsoft documents the full header format if you want to read every line. In Gmail, hit the three-dot menu and choose Show original. Scan for Reply-To: and Return-Path:. If either one points to a domain that isn't the sender's — or to a free webmail account when you'd expect a corporate one — stop. Don't reply to the email. Call the vendor on a number you already had, not one printed in the message.
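The same three-way comparison, done by a script rather than by eye, as an added Python example that is not from the newsletter or from any tool it cites. It parses raw message headers with the standard library, flags any Reply-To or Return-Path domain that does not match the From domain, and notes whether the mismatch is a free webmail account or a look-alike a character or two off. The sample messages, domain names and the free-webmail list are constructed placeholders.

```python
"""Flag Reply-To / Return-Path domains that don't line up with the From domain.

Added illustration: the sample messages below are constructed, the domains are
placeholders, and FREE_WEBMAIL is an illustrative list, not an exhaustive one.
"""
from email import message_from_bytes
from email.utils import parseaddr

# Public webmail domains a corporate vendor would not normally reply from.
FREE_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "aol.com"}


def header_domain(msg, name):
    """Lower-cased domain of the first address in header `name`, or None if absent."""
    value = msg.get(name)
    if not value:
        return None
    _, addr = parseaddr(str(value))  # handles both 'user@host' and 'Name <user@host>'
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def edit_distance(a, b):
    """Levenshtein distance between two strings; 1 or 2 usually means a look-alike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_headers(raw):
    """Return human-readable findings; an empty list means From, Reply-To and Return-Path agree."""
    msg = message_from_bytes(raw)
    from_dom = header_domain(msg, "From")
    if from_dom is None:
        return ["From header missing or unparseable"]
    findings = []
    for name in ("Reply-To", "Return-Path"):
        dom = header_domain(msg, name)
        if dom is None or dom == from_dom:
            continue  # absent, or same domain as From: nothing to flag
        note = f"{name} domain {dom!r} differs from From domain {from_dom!r}"
        if dom in FREE_WEBMAIL:
            note += " (free webmail account)"
        elif edit_distance(dom, from_dom) <= 2:
            note += " (look-alike, off by a character or two)"
        findings.append(note)
    return findings


# Constructed samples. Honest vendor mail: all three headers share one domain.
SAMPLE_CLEAN = b"""Return-Path: <bounce@vendor.example>
From: "Accounts Payable" <accounts@vendor.example>
Reply-To: accounts@vendor.example
Subject: Invoice 4471

Attached as usual.
"""

# Hijacked mailbox where the reply is steered to a look-alike domain (vend0r vs vendor).
SAMPLE_LOOKALIKE = b"""Return-Path: <bounce@vend0r.example>
From: "Accounts Payable" <accounts@vendor.example>
Reply-To: accounts@vend0r.example
Subject: Updated remittance details for invoice 4471

Please update the account on file before paying.
"""

# Hijacked mailbox: genuine Return-Path, but replies are pulled off to webmail.
SAMPLE_WEBMAIL = b"""Return-Path: <bounce@vendor.example>
From: "Accounts Payable" <accounts@vendor.example>
Reply-To: vendor.accounts@gmail.com
Subject: Updated remittance details for invoice 4471

Please update the account on file before paying.
"""

if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("look-alike", SAMPLE_LOOKALIKE), ("webmail", SAMPLE_WEBMAIL)):
        print(label, "->", check_headers(sample) or "headers line up")
```

Paste the text from Outlook's Properties dialog or Gmail's Show original into a file and feed its bytes to `check_headers`; a non-empty result is the cue to stop and phone the vendor on a number you already hold.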
None of this requires you to be technical. It requires you to be suspicious of exactly the emails that don't trip any alarms. A green checkmark from your filter means the message wasn't forged. It says nothing about who's holding the keys to the account that sent it.
The scams that drain accounts in 2024 don't look like scams. They look like Tuesday. The header is where the lie still has to live.
Sources
- FBI IC3 — 2023 Internet Crime Report, BEC loss figures
- Microsoft Learn — Email message header reference
- DMARC.org — Reply-To vs Return-Path and authentication FAQ