Your Antivirus Never Stood a Chance Against a Blank Email

The scam that drained $2.9 billion from American businesses last year didn't carry a single virus. It carried a subject line and a favor.

A payroll clerk at a mid-size firm gets an email from the CEO. No attachment. No link. Just five lines asking her to push an urgent wire to a new vendor before the noon cutoff, and please keep it quiet, we're closing the acquisition. She wires $180,000. The CEO never sent it. And every piece of security software the company paid for saw exactly nothing wrong, because there was nothing to see.

This is business email compromise, and it is the most expensive crime in your inbox by a wide margin. The FBI's Internet Crime Complaint Center logged $2.9 billion in reported BEC losses in 2023 alone. Ransomware, the thing everyone panics about, the thing with the skull graphics and the countdown timers? It clocked in at roughly $59.6 million in reported losses that same year. BEC beats it by a factor of nearly fifty. One of these gets headlines. The other gets your money.

The reason antivirus fails here is almost embarrassing. Malware scanners work by examining code — an attachment, an executable, a macro buried in a spreadsheet. They compare it against known-bad signatures or watch it behave in a sandbox. A BEC email hands them a plain-text note written in the tone of your boss. There is no payload to detonate. The weapon is a sentence.

Which means the defense can't be a scanner. It has to be a habit, and the habit lives in the headers.

Here's the tell most people never look for. The From field and the Reply-To field are two different things, and scammers exploit the gap. The From line shows a name and address you trust, spelled correctly. But the moment you hit reply, the message quietly routes to ceo.finance@gmail-secure-mail.com or some throwaway domain the attacker actually controls. Your reply, with the wire confirmation, sails straight to the crook. The display name lied. The Reply-To told the truth.

So train yourself to expand the header before you act on any money request. In Gmail, click the little arrow under the sender name. In Outlook, open message details. If Reply-To doesn't match From, stop. If the domain is off by one character — rn posing as m, a .co where you expected .com — stop.

The more sophisticated version doesn't even bother spoofing your own domain. It impersonates a real vendor you already pay. The attacker sits on a compromised supplier account for weeks, reads the actual invoice thread, then emails at the perfect moment: "We've updated our banking details, please use the new account." This variant is brutal precisely because the email is authentic — it comes from the vendor's real, breached inbox. SPF, DKIM, and DMARC all pass cleanly, because the message genuinely originated where it claims to. Authentication confirms the sender. It can't confirm the sender's honesty.
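The two tells described above (a Reply-To that does not match From, a domain one character off from the real one) and the vendor-compromise case where SPF, DKIM and DMARC all pass can be turned into a small triage script. The one below is an added example, not code from the article or from any product it mentions; it uses only the Python standard library's email parser. The allowlist of trusted domains, the three sample messages and the keyword patterns are constructed for illustration, and the lookalike heuristics (rn for m, .co for .com, a letter or two off) are a deliberate simplification that a real deployment would tune.

```python
"""Header and body triage for BEC-style payment requests (added example).
Flags a Reply-To/From domain mismatch, a lookalike of an allowlisted domain, and a
banking-change request that must be verified out of band even when SPF, DKIM and
DMARC all pass."""
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist: domains this fictional company actually deals with.
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplies.example"}
PAYMENT_CHANGE = re.compile(
    r"\b(updated|new|changed)\b.{0,40}\b(bank|banking|account|wire|routing)\b", re.I | re.S)
URGENT_WIRE = re.compile(
    r"\b(urgent|asap|today|before noon)\b.{0,60}\b(wire|transfer|payment)\b", re.I | re.S)

def normalize(domain):
    """Undo common lookalike substitutions (rn for m, 0 for o, ...) before comparing."""
    d = domain.lower().strip()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(fake, real)
    return d

def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None."""
    if domain in trusted:
        return None
    n = normalize(domain)
    for t in sorted(trusted):
        tn = normalize(t)
        # Same once de-homoglyphed, same name on another TLD (.co for .com), or a letter off.
        if n == tn or n.split(".", 1)[0] == tn.split(".", 1)[0]:
            return t
        if difflib.SequenceMatcher(None, n, tn).ratio() >= 0.9:
            return t
    return None

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from any Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            results[method.lower()] = verdict.lower()
    return results

def triage(raw):
    """Return findings for one raw RFC 5322 message; any finding means HOLD the payment."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1].lower() or from_addr
    from_dom, reply_dom = from_addr.rpartition("@")[2], reply_addr.rpartition("@")[2]
    findings = []
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for dom in sorted({from_dom, reply_dom}):
        target = lookalike_of(dom)
        if target:
            findings.append(f"{dom} imitates trusted domain {target}")
    text = (msg.get_payload(decode=True) or b"").decode(
        msg.get_content_charset() or "utf-8", "replace")
    if PAYMENT_CHANGE.search(text):
        findings.append("asks to change banking details: confirm by phone on a number already on file")
    if URGENT_WIRE.search(text):
        findings.append("urgent payment request: confirm through another channel before wiring")
    auth = auth_results(msg)
    # Authentication only proves where the mail came from, not that the request is honest.
    auth_pass = bool(auth) and all(v == "pass" for v in auth.values())
    return {"findings": findings, "auth_all_pass": auth_pass,
            "verdict": "HOLD" if findings else "OK"}

# Constructed sample messages modelled on the scenarios in the article.
SPOOFED_CEO = """\
From: Dana Lee <dana.lee@example-corp.com>
Reply-To: ceo.finance@gmail-secure-mail.com

Please push an urgent wire to a new vendor before the noon cutoff. Keep this quiet.
"""
LOOKALIKE_DOMAIN = """\
From: Dana Lee <dana.lee@exarnple-corp.co>

Urgent: wire the deposit to the vendor before noon today.
"""
COMPROMISED_VENDOR = """\
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=acme-supplies.example;
 dkim=pass header.d=acme-supplies.example; dmarc=pass header.from=acme-supplies.example
From: Accounts <billing@acme-supplies.example>

We've updated our banking details, please use the new account below for invoice 4471.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed CEO", SPOOFED_CEO), ("lookalike domain", LOOKALIKE_DOMAIN),
                      ("compromised vendor", COMPROMISED_VENDOR)):
        r = triage(raw)
        print(f"{name}: {r['verdict']} (SPF/DKIM/DMARC all pass: {r['auth_all_pass']})")
        print("\n".join("  - " + f for f in r["findings"]))
```

The third sample is the one worth staring at: every authentication check reports pass, the sender really is the vendor's mailbox, and the script still returns HOLD, because the thing that changed is the bank account, not the sender. A script like this is a prompt for the phone call the article ends on, not a substitute for it.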

That's the uncomfortable truth underneath all of this: the whole con runs on trust and hurry, two things no signature database can measure. A CEO who "never uses email like this" suddenly does. A vendor who's billed you the same way for three years suddenly changes accounts. The request always arrives with a reason you can't verify by noon.

So verify by another channel. Call the number you already have — not the one in the email. A ten-second phone call has undone six-figure wires more reliably than any product with a firewall in its name. The scammers are betting you won't pick up the phone. Prove them wrong.

[Figure: Reported BEC losses in the U.S. in 2023 (FBI IC3)]

Sources

  1. FBI IC3, 2023 Internet Crime Report — BEC and ransomware loss figures
  2. CISA, guidance on BEC tactics and out-of-band verification
  3. M3AAWG, email authentication (SPF/DKIM/DMARC) reference and best practices