How blind trust in email cost the world $55 billion

In 2015, employees at Ubiquiti Networks wired $46.7 million to overseas accounts after receiving emails that appeared to come from senior executives. Over 17 days, they authorized 14 transfers before anyone noticed. This wasn't a software exploit. The attackers simply took advantage of a flaw that has existed in email since 1982: SMTP doesn't verify who sent the message.

That Ubiquiti case wasn't an isolated incident. Between 2013 and 2024, the FBI's Internet Crime Complaint Center documented over $55 billion in losses from Business Email Compromise scams alone. All of them trace back to the same root cause: email was designed for a world where everyone could be trusted.

What you will learn

Why SMTP's original design made email forgery trivially easy
How each vulnerability led to a specific defense: open relays → filtering, sender forgery → SPF, message tampering → DKIM, alignment gaps → DMARC
How BEC scams escalated to $55 billion in cumulative losses over a decade
Why attackers keep finding new ways around each defense, and what that means for your domain

Email was built on trust

In 1971, Ray Tomlinson sent the first network email across ARPANET. By 1982, RFC 821 defined SMTP as the standard way to send messages between computers. The protocol was simple and completely trusting.

That made sense at the time. ARPANET connected a few hundred hosts, all operated by known research institutions. Nobody needed to verify identities because everybody already knew each other. SMTP reflected that reality:

  • No sender verification. The MAIL FROM command accepted any address without checking if the sender actually owned it.
  • No encryption. Messages traveled as plain text, readable by anyone on the network path.
  • No identity checks. The HELO command, where the sending server identifies itself, was accepted on faith.
# SMTP transaction (RFC 821, 1982) # Notice: the server accepts everything at face value S: 220 Simple Mail Transfer Service Ready C: HELO smith.office ← not verified S: 250 OK C: MAIL FROM:<smith@office> ← not verified S: 250 OK C: RCPT TO:<jones@remote> S: 250 OK C: DATA # Anyone could claim to be anyone

As RFC 5321 itself acknowledges: "SMTP mail is inherently insecure in that it is feasible for even fairly casual users to negotiate directly with receiving and relaying SMTP servers and create messages that will trick a naive recipient into believing that they came from somewhere else."

In other words, the protocol's own specification admits the flaw. SMTP was never designed for a hostile internet. But a hostile internet is exactly what it got.

How attackers exploited that trust

The history of email attacks follows a clear pattern. Each time attackers found a new way to exploit SMTP's blind trust, defenders built a countermeasure. Then attackers adapted, and the cycle repeated.

Phase 1: Open relays and the spam flood (1988-2002)

The first large-scale abuse came through open mail relays. By default, most SMTP servers in the 1990s would accept email from anyone and forward it to anyone else. Spammers discovered they could route millions of messages through these servers, hiding their identity and offloading the bandwidth costs onto their victims.

The scale was staggering. According to the Internet Mail Consortium, 55% of mail servers were open relays in 1998. By 2002, that number dropped below 1%, thanks to blocklists and configuration changes. But closing relays only solved the delivery problem. The identity problem remained wide open.

# Open relay exploitation (1990s) # Spammers used third-party servers to send millions of emails telnet mail.victim.com 25 220 mail.victim.com SMTP service ready HELO spammer.com 250 Hello spammer.com MAIL FROM:<[email protected]> ← no verification 250 OK RCPT TO:<[email protected]> 250 OK DATA From: Bill Gates <[email protected]> Subject: You've won! . 250 Message accepted for delivery # The victim's server forwarded the spam, no questions asked

Vulnerability → defense: Open relays let spammers hide behind legitimate servers. The response was relay restrictions and real-time blocklists (RBLs), which forced mail servers to refuse connections from known spam sources.

Phase 2: Sender forgery and the birth of SPF (2000-2007)

Closing open relays stopped spammers from hijacking other people's servers. But it didn't stop them from forging sender addresses. Anyone could still send an email claiming to come from [email protected], and the receiving server had no way to know the difference.

This is the fundamental SMTP vulnerability. The protocol has two separate sender fields, and they don't need to match:

# The two-sender problem in SMTP # These are completely independent, and both can be forged # 1. Envelope sender (used for routing, invisible to users) MAIL FROM:<[email protected]> # 2. Header sender (displayed in the inbox) From: CEO <[email protected]> # Your email client only shows #2 # The server routes based on #1 # Nothing forces them to match

In 2003, SPF (Sender Policy Framework) was proposed as a fix. Domain owners could publish a DNS record listing which IP addresses were authorized to send email on their behalf. If an email arrived from an unlisted IP, the receiving server could reject it.

SPF helped, but it only checked the envelope sender (MAIL FROM). Attackers quickly realized they could pass SPF by using their own domain in the envelope while forging the visible From header. The user still saw a trusted name in their inbox.

# SPF bypass: pass the check, fool the user MAIL FROM:<[email protected]> ← SPF checks this domain From: Your Bank <[email protected]> ← user sees this instead # SPF passes for attacker.com ✓ # But the user sees yourbank.com # No mechanism connects the two

Vulnerability → defense: Sender address forgery let attackers impersonate any domain. SPF (RFC 7208) responded by letting domain owners declare which servers can send their email. But SPF only validated the envelope, not what users saw.

Phase 3: Message tampering and DKIM (2007-2012)

While SPF answered the question "did this email come from an authorized server?", it said nothing about whether the message had been altered in transit. An attacker who intercepted an email could modify the content, change the reply-to address, or inject malicious links without breaking SPF validation.

DKIM (DomainKeys Identified Mail, RFC 4871, 2007) addressed this by adding cryptographic signatures. The sending server signs specific headers and the message body with a private key. The receiving server looks up the public key via DNS and verifies the signature.

DKIM proved that a message hadn't been tampered with and that a specific domain had signed it. But it had a similar gap to SPF: the signing domain didn't need to match the visible From address. An attacker could sign a forged email with their own domain's DKIM key and pass validation.

# DKIM bypass: valid signature, wrong domain DKIM-Signature: d=evil.com; s=default; h=from:to:subject; b=dGVzdCBzaWduYXR1cmUgZXhhbXBsZQ== From: Trusted Vendor <[email protected]> Subject: Invoice #12345 # DKIM validates for evil.com ✓ # User sees vendor.com # Without alignment, this passes authentication

Vulnerability → defense: Without signatures, recipients had no way to tell if a message had been altered in transit. DKIM (RFC 6376) fixed that with cryptographic proof of integrity. But like SPF, it couldn't enforce that the signing domain matched the visible sender.

Phase 4: The alignment gap and DMARC (2012-2015)

By 2012, email had two authentication mechanisms, and both could be bypassed by the same trick: using one domain for authentication while forging a different domain in the visible From header. SPF and DKIM each answered a useful question, but neither asked the critical one: does the authenticated domain match what the user actually sees?

DMARC (Domain-based Message Authentication, Reporting and Conformance) was developed by a coalition including Google, Microsoft, Yahoo, PayPal, and Bank of America to close this gap. Published as RFC 7489 in 2015, DMARC added what SPF and DKIM were missing:

  • Alignment. The authenticated domain (from SPF or DKIM) must match the domain in the visible From header. No more passing SPF with one domain while displaying another.
  • Policy enforcement. Domain owners can tell receiving servers what to do with messages that fail alignment: monitor (p=none), quarantine (p=quarantine), or reject (p=reject).
  • Reporting. Receiving servers send reports back to domain owners showing who is sending email using their domain, both legitimate services and attackers.

Vulnerability → defense: SPF and DKIM each validated a domain, but neither checked whether that domain matched the From header users see. DMARC (RFC 7489) requires that match, and lets domain owners decide what happens to messages that fail.

The $55 billion problem: Business Email Compromise

While defenders built authentication protocols, attackers shifted tactics. Rather than forging domains directly (which DMARC could block), they turned to social engineering. The result is Business Email Compromise. In 2024 alone, BEC cost victims $2.77 billion, more than any other category of cybercrime except investment fraud.

BEC works because it targets people, not protocols. An attacker studies a company's structure on LinkedIn, identifies the CFO's email patterns, and sends a request that looks like an internal communication. Sometimes they spoof the domain. Sometimes they register a lookalike (bigc0rp.com instead of bigcorp.com). Sometimes they compromise a legitimate account.

Real-world BEC attacks

In June 2014, the commodities trader Scoular Co. wired $17.2 million to a Chinese bank after its corporate controller received emails faked to appear from the CEO. In 2015, Ubiquiti Networks lost $46.7 million and toy maker Mattel lost $3 million to similar schemes. None of these required exploiting a software vulnerability. All of them exploited SMTP's inability to verify identity.

# Anatomy of a CEO fraud attack # Step 1: Reconnaissance (public information) Target: BigCorp Inc CEO: John Smith (LinkedIn) CFO: Mary Johnson (company website) CEO travel: London trip (social media post) # Step 2: Forged email From: John Smith <[email protected]> ← note: zero instead of 'o' To: Mary Johnson <[email protected]> Subject: Urgent - Confidential wire transfer needed Mary, I'm in meetings with London investors all day. Need you to wire $50K to close this deal. Account details attached. Keep this between us until I return. - John

BEC losses over time

Period Cumulative BEC losses Primary attack method What changed
Oct 2013 - Dec 2014 $179M Simple CEO impersonation FBI identifies BEC as emerging threat
Through 2016 $5.3B Vendor invoice fraud Supply chain targeting becomes common
Through 2019 $26B Real estate wire interception Attacks target high-value transactions
Through 2022 $43B AI-assisted impersonation Deepfake voice used for phone follow-ups
Through 2024 $55B+ Multi-channel attacks $2.77B in 2024 alone (FBI IC3)

Source: FBI IC3 Public Service Announcement, September 2024.

Modern attack techniques

Today's email attacks combine SMTP's structural weaknesses with social engineering and new technology. Even with SPF, DKIM, and DMARC deployed, attackers have adapted.

Lookalike domains

Instead of spoofing company.com directly (which DMARC can block), attackers register visually similar domains and set up full authentication for them:

# Attacker registers a lookalike domain with full authentication company-updates.com. MX 10 mail.company-updates.com. company-updates.com. TXT "v=spf1 a mx -all" company-updates.com. TXT "v=DMARC1; p=reject" # The email passes SPF, DKIM, and DMARC # because all three validate for the attacker's own domain # But the user sees "company-updates.com" and assumes it's legitimate

SPF record abuse

Overly permissive SPF records create unexpected attack surfaces. When a domain authorizes large shared email platforms, any customer of those platforms can potentially send email that passes SPF for the domain:

# Overly broad SPF record company.com. TXT "v=spf1 include:_spf.google.com include:mailgun.org include:sendgrid.net ~all" # Risk: compromising any account on these shared platforms # lets an attacker send SPF-passing email as company.com

AI-enhanced social engineering

Attackers now use AI to make their emails harder to spot:

  • AI-generated emails. Messages that mimic a specific person's writing style, with none of the spelling or grammar mistakes that used to give phishing away.
  • Voice cloning. Attackers synthesize a CEO's voice for phone calls that follow up on a fraudulent email. The recipient hears a familiar voice confirming the fake request.
  • Deepfake video. Video calls where an executive's face and voice are simulated in real time to authorize transfers.

Protocol-level vulnerabilities

Beyond social engineering, attackers continue to find technical weaknesses:

  • SMTP smuggling. Exploiting differences between SMTP implementations to bypass authentication checks.
  • DNS cache poisoning. Redirecting SPF, DKIM, or DMARC lookups to attacker-controlled records.
  • TLS downgrade attacks. Forcing connections back to unencrypted SMTP to intercept or modify messages in transit.

The defense stack today

Each vulnerability in email's history produced a specific defense. Together, they form a layered security model. NIST Special Publication 800-177 recommends that all organizations implement SPF, DKIM, and DMARC with an enforcement policy.

Vulnerability Defense What it checks Remaining gap
Open relays Relay restrictions, RBLs Is this server allowed to relay? Doesn't verify sender identity
Sender forgery SPF (RFC 7208) Is this IP authorized for this envelope domain? Doesn't check visible From header
Message tampering DKIM (RFC 6376) Was this message altered after signing? Signing domain can differ from From
Domain alignment gap DMARC (RFC 7489) Does the authenticated domain match the visible From? Doesn't prevent lookalike domains

Next steps

Email authentication is not a single switch you flip. Each layer exists because the previous one left a gap. The same pattern continues today, which is why monitoring your DMARC reports matters as much as setting up the records in the first place.

Continue with these guides to go deeper:

Sources

Was this page helpful? Send us feedback

Last updated: March 2026

← Back to Home Start now