EmailAudit.io

The Real Cost of Email Spoofing: What Happens When Your Domain Is Impersonated

Email spoofing costs SMBs an average of $137,000 per incident. Here's a breakdown of the direct, indirect, and operational costs — and what stops it.

3.4 billion phishing emails are sent every day. Most of them spoof domains that have no DMARC enforcement, which is precisely what makes those domains straightforward to impersonate. Checking whether a domain is unprotected takes an attacker under a minute.

This article breaks down what actually happens when a business domain is impersonated, and what each category of damage costs.


How Email Spoofing Works

Email spoofing is the act of sending email that falsely claims to come from a domain you don't control. An attacker constructs an email with your domain in the "From" field — ceo@yourcompany.com or billing@yourcompany.com — and sends it to your customers, suppliers, or employees.

They don't need access to your systems. They don't need your password. They need one thing: the knowledge that your domain has no DMARC enforcement policy.

When DMARC is absent or set to p=none (monitoring only), receiving mail servers have no instruction from you to quarantine or reject mail that fails authentication, so email claiming to come from your domain is typically delivered whether or not it actually came from your servers. The spoofed email lands in the recipient's inbox looking exactly like legitimate communication from your business.


The Scenario: How It Plays Out

Consider a realistic incident:

A building contractor with 35 employees uses Google Workspace. Their DMARC record is p=none — set up by an IT contractor two years ago and never progressed beyond monitoring mode.

An attacker identifies the company online, finds the finance contact on LinkedIn, and confirms via a DMARC lookup that the domain is unprotected. The attacker sends an email to the company's three largest clients from accounts@thecontractor.com (spoofed), informing them that the company's bank details have changed. The email matches the contractor's email style and references real project names found on their website.

Two clients update their payment details. A combined $61,000 in payments goes to the attacker's account.

The fraud is discovered when the real accounts team calls to follow up on overdue invoices. By that point, the payments have cleared. Recovery is unlikely.

This scenario repeats thousands of times per year across small and mid-market businesses. The average loss across all BEC incidents for SMBs: $137,000+.


The Direct Financial Cost

Wire Fraud and Payment Diversion

This is the most common immediate loss: spoofed emails that divert payments to attacker-controlled accounts. Wire transfers processed through SWIFT or ACH are difficult to reverse, especially once the receiving bank is outside your jurisdiction.

Recovery rates for wire fraud are low. FBI data consistently shows that less than half of wire-fraud losses are recovered, and in many cases nothing is recovered at all.

Fraudulent Invoice Payments

Attackers intercept or spoof billing communications to redirect invoice payments. A supplier relationship, a regular payment cadence, and a believable email from your domain are all that's needed.

Credential Theft Leading to Account Compromise

A spoofed email that prompts an employee to "log in to verify their account" captures credentials. The attacker uses those credentials to access your actual email account — where they may find banking details, HR data, client contracts, or further payment information to exploit.


The Blacklisting Cost

When your domain is used to send phishing or spam — even without your involvement — receiving mail servers flag it. Your sending IP and domain may end up on one or more email blacklists.

Average cost of blacklist-related email downtime: $17,700 per minute.

A serious blacklist listing (Spamhaus SBL, for example) can take days to resolve. During that time:

  • Legitimate emails bounce
  • Customer communications fail to deliver
  • Sales sequences, support tickets, and invoices don't reach their recipients
  • You have no way to contact affected parties by email

The operational disruption of a major blacklist incident often exceeds the direct fraud loss.


The Reputational Cost

When your domain sends phishing emails to your own customers — even without your knowledge — those customers associate the fraud with your brand.

Trust damage. Customers who receive a convincing spoofed email from your domain and are defrauded as a result hold your brand responsible. Even customers who weren't targeted but hear about the incident lose confidence.

Client churn. Businesses in your customer base — particularly those in regulated industries or with their own security requirements — may terminate relationships with vendors who have a demonstrated spoofing incident.

Supplier relationship strain. If spoofed emails target your suppliers (requesting changed payment details, for example), the relationship is damaged even if the fraud is discovered and resolved. Trust is hard to rebuild.

Reputational damage is nearly impossible to quantify precisely, but its effects persist long after the technical issue is resolved.


The Operational Cost

Incident response isn't free. After a spoofing attack:

IT investigation time. Determining what happened, how many emails were sent, which recipients were affected, and whether any systems were compromised. For a business without a dedicated security team, this typically falls on a senior IT contact or an external consultant.

Legal consultation. Assessing liability exposure, advising on notification obligations, and potentially pursuing recovery through legal channels. Depending on jurisdiction and the nature of the fraud, there may be notification requirements for affected customers.

Customer and partner communications. Warning affected parties, explaining what happened, providing guidance on what to do if they received a suspicious email. This requires staff time and may involve external PR support for larger incidents.

Banking and fraud reporting. Filing reports with your bank, law enforcement, and potentially regulatory bodies. Coordinating with receiving banks to attempt wire reversals.

For an SMB, a serious spoofing incident can consume 20–40 hours of management and IT time over 2–4 weeks — time that isn't being spent running the business.


The Preventable Part

Domain spoofing is one of the most preventable attack vectors in email security. The fix is a DNS record.

SPF, DKIM, and DMARC are the three authentication standards that, when correctly configured and enforced, cause mail spoofing your exact domain to fail authentication at every receiver that honors DMARC. With DMARC at p=reject:

  • Receiving mail servers reject emails from your domain that don't pass authentication
  • Spoofed emails never reach recipients
  • The attack vector is closed

The transition from p=none (monitoring only) to p=reject (full enforcement) takes 4–8 weeks following the phased approach. It requires no new software, no ongoing subscription, and no per-email cost.
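To make the mechanism in the "How Email Spoofing Works" section and the p=reject list above concrete, here is an added example (not code from EmailAudit.io) that models how a receiving mail server turns SPF/DKIM results into a DMARC disposition. The domains and authentication results are constructed sample data; the organizational-domain helper is a simplification of the Public Suffix List lookup real receivers use.

```python
# Added example: a minimal model of receiver-side DMARC evaluation.
# Sample domains/results are constructed; org_domain() is an approximation.
from dataclasses import dataclass
from typing import Optional

@dataclass
class AuthResults:
    from_domain: str   # domain in the visible RFC5322.From header
    spf_result: str    # "pass" / "fail" / "none" for the envelope (MAIL FROM) sender
    spf_domain: str    # domain SPF was evaluated against
    dkim_result: str   # "pass" / "fail" / "none"
    dkim_domain: str   # d= tag of the DKIM signature, "" if unsigned

def org_domain(domain: str) -> str:
    # Relaxed-alignment approximation: keep the last two labels.
    # Real receivers consult the Public Suffix List (assumption of this example).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_pass(r: AuthResults) -> bool:
    # DMARC passes when SPF or DKIM passes AND that identifier's domain
    # aligns with the From domain. An attacker sending from their own
    # infrastructure can pass SPF/DKIM for their domain, but never aligned.
    spf_ok = r.spf_result == "pass" and org_domain(r.spf_domain) == org_domain(r.from_domain)
    dkim_ok = r.dkim_result == "pass" and org_domain(r.dkim_domain) == org_domain(r.from_domain)
    return spf_ok or dkim_ok

def disposition(r: AuthResults, policy: Optional[str]) -> str:
    """What the receiver does with the message: deliver, quarantine or reject."""
    if dmarc_pass(r):
        return "deliver"
    if policy is None or policy == "none":
        return "deliver"   # p=none / no record: report only, spoof still lands in the inbox
    return "quarantine" if policy == "quarantine" else "reject"

# Constructed scenario from the article: mail shown as accounts@thecontractor.com
# but sent through an unrelated domain, so nothing aligns with the From domain.
SPOOFED = AuthResults(from_domain="thecontractor.com",
                      spf_result="pass", spf_domain="unrelated-sender.example",
                      dkim_result="pass", dkim_domain="unrelated-sender.example")
# Legitimate Google Workspace mail signed with the contractor's own DKIM key.
LEGIT = AuthResults(from_domain="thecontractor.com",
                    spf_result="pass", spf_domain="thecontractor.com",
                    dkim_result="pass", dkim_domain="mail.thecontractor.com")
```

The same spoofed message is delivered under p=none and rejected under p=reject, which is the entire difference between the two policies.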

For the step-by-step process, see the DMARC policy enforcement guide.

For the broader picture of how BEC attacks work and how SMBs are targeted, see "What Is Business Email Compromise".


How to Check Your Current Exposure

A free Security Score check shows your DMARC policy status in seconds. If your policy is p=none or missing, your domain can be spoofed today.
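The check described above can also be done by hand: fetch the TXT record at _dmarc.<your-domain> and read the p= tag. The following added example (not EmailAudit.io's own checker) parses such records and classifies the domain's exposure, including the edge cases a quick glance misses: duplicate records (receivers then ignore the policy entirely), pct= below 100, and a weaker subdomain policy via sp=. The record strings are constructed samples; lookup_dmarc() assumes the third-party dnspython package.

```python
# Added example: classify a domain's spoofing exposure from its DMARC TXT record(s).
# Sample records are constructed; lookup_dmarc() needs dnspython (assumed installed).
from typing import Dict, List, Optional

def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Return tag->value for a syntactically valid DMARC record, else None."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    # RFC 7489: the record must begin with v=DMARC1 and carry a p= tag
    if txt.strip().lower().startswith("v=dmarc1") and "p" in tags:
        return tags
    return None

def assess_exposure(txt_records: List[str]) -> str:
    """Classify a domain from the TXT strings published at _dmarc.<domain>."""
    valid = [t for t in (parse_dmarc(r) for r in txt_records) if t]
    if not valid:
        return "unprotected: no DMARC record"
    if len(valid) > 1:
        # RFC 7489 6.6.3: multiple records => receivers skip DMARC processing
        return "unprotected: multiple DMARC records (policy ignored)"
    tags = valid[0]
    p = tags["p"].lower()
    if p not in ("none", "quarantine", "reject"):
        return f"unprotected: invalid p={p}"
    if p == "none":
        return "unprotected: p=none (monitoring only)"
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if pct < 100:
        return f"partial: p={p} applies to only {pct}% of failing mail"
    sp = tags.get("sp", p).lower()   # subdomain policy defaults to p
    if sp == "none":
        return f"partial: p={p} but subdomains are sp=none"
    return f"enforced: p={p}"

def lookup_dmarc(domain: str) -> List[str]:
    """Fetch the TXT strings at _dmarc.<domain> (requires dnspython)."""
    import dns.resolver  # third-party; imported lazily so parsing works offline
    try:
        answer = dns.resolver.resolve(f"_dmarc.{domain}", "TXT")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []
    return [b"".join(r.strings).decode() for r in answer]
```

Run assess_exposure(lookup_dmarc("yourcompany.com")) against your own domain; anything other than "enforced" means the scenario in this article is still possible.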

One statistic bears repeating: 94% of cyberattacks start with email. Domain spoofing is one of the most common entry points, and one of the few that can be blocked completely with the right configuration.


Run your free Security Score check — find out if your domain can be spoofed right now at EmailAudit.io

No account required. Results in seconds. If your domain is vulnerable, you'll know exactly what to fix.
