Sender-domain verification basics
Email is trivial to spoof at the display-name level. The real signal is in the address and the headers.
- Compare the From domain character-by-character against the canonical vendor or company domain. Lookalikes use extra letters (paypa1.com), missing letters (gogle.com), different TLDs (.co vs .com), or homoglyphs (a Cyrillic 'а' in place of a Latin 'a'). Compare the registrable domain, not the first label: vendor.com.mail-portal.net belongs to mail-portal.net, not to vendor.com.
- Check the Reply-To address. A Reply-To that differs from the From domain is one of the strongest BEC indicators, especially when it points to a free-mail or lookalike domain; some legitimate bulk senders also set a Reply-To, so weigh it together with the other checks.
- Free-mail addresses (gmail, outlook, hotmail, yahoo) claiming to be from a corporate vendor or executive are a major red flag.
- Check the raw email headers: Received, Return-Path, and Authentication-Results (which carries the SPF, DKIM and DMARC verdicts). Most modern mail clients let you view the raw source. Note that a lookalike domain the attacker registered will pass all three checks; a pass proves the mail came from that domain, not that the domain is the vendor.
- Display-name spoofing: the visible name says 'Alex Chen, CEO' but the address is alex@unrelated-domain.com.
Impersonation indicators in the body
BEC content patterns are remarkably consistent. Watch for these.
- Urgency: 'today', 'before 5pm', 'time-sensitive', 'in meetings all day'.
- Confidentiality request: 'do not discuss this with anyone yet', 'keep this between us', 'announce publicly later'.
- Pretext for unavailability: 'I am in meetings', 'on a flight', 'cannot take calls right now'.
- Unusual payment instruction: new payee, new bank, new payment method, gift cards, crypto.
- Bypass of normal approval workflow: 'just handle it', 'I have already approved', 'skip the usual process'.
- Sign-off mismatch: 'Sent from my iPhone' from someone who never uses mobile, or formal sign-off from someone who is casual.
- Subject line is generic and engagement-bait: 'Quick task', 'Are you free?', 'Need a favor'.
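The checks in the two lists above (sender-domain checks and body patterns) can be automated as a first-pass triage. The script below is an added example for this page, not ScamSpot code. The message, the victim domain example.com, the lookalike domain examp1e.com (digit one), the Reply-To address and the contact directory are all constructed; the homoglyph table and phrase lists are starting points, not complete.

```python
"""Triage a suspected BEC message: sender-domain checks plus body-pattern checks.
Added example; the message, domains and contact list below are constructed, not real."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample. example.com is the victim; examp1e.com is a hypothetical lookalike
# the attacker registered, so SPF/DKIM/DMARC legitimately PASS for it.
RAW_EMAIL = """\
Return-Path: <bounce@examp1e.com>
Received: from mail.examp1e.com (198.51.100.7) by mx.example.com; Tue, 4 Jun 2024 14:02:11 +0000
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com
From: "Alex Chen, CEO" <alex.chen@examp1e.com>
Reply-To: alex.chen.ceo@gmail.com
To: finance@example.com
Subject: Quick task
Content-Type: text/plain; charset=utf-8

I am in meetings all day - can you process a USD 18,500 wire to a new consultant before 5pm?
Bank details to follow. Keep this confidential.
"""

COMPANY_DOMAIN = "example.com"
KNOWN_CONTACTS = {"alex chen": "alex.chen@example.com"}  # from your directory, never from the email
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
# Digit and Cyrillic substitutions commonly used in lookalike domains; extend as needed.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t",
                            "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"})
BODY_PATTERNS = {  # one regex per indicator family from the list above
    "urgency": r"\b(today|before \d{1,2}\s?(am|pm)|time-sensitive|urgent|asap)\b",
    "confidentiality": r"\b(confidential|keep this between us|do not discuss|don't discuss)\b",
    "unavailability": r"\b(in meetings|on a flight|cannot take calls|can't take calls)\b",
    "payment": r"\b(wire|gift cards?|crypto|bitcoin|new (bank|payee|account)|bank details)\b",
    "bypass": r"\b(just handle it|already approved|skip the usual)\b",
}

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def split_domain(domain):
    name, _, tld = domain.rpartition(".")
    return name, tld

def lookalike(domain, canonical):
    """Reason string if `domain` imitates `canonical` without being it, else None."""
    domain = domain.lower()
    if domain == canonical:
        return None
    normalized = domain.translate(HOMOGLYPHS)
    if normalized == canonical:
        return "homoglyph/digit substitution"
    d_name, d_tld = split_domain(normalized)
    c_name, c_tld = split_domain(canonical)
    if d_name == c_name and d_tld != c_tld:
        return "different TLD"
    if c_name and levenshtein(d_name, c_name) <= 2:
        return "within edit distance 2 of canonical name"
    return None

def auth_results(msg):
    """Collapse Authentication-Results into {'spf': 'pass', 'dkim': 'none', 'dmarc': 'fail', ...}."""
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            out[method.lower()] = verdict.lower()
    return out

def body_text(msg):
    part = next((p for p in msg.walk() if p.get_content_type() == "text/plain"), None)
    if part is None:
        return ""
    return part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")

def triage(raw, company_domain=COMPANY_DOMAIN, contacts=KNOWN_CONTACTS):
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    indicators = []
    name_key = name.split(",")[0].strip().lower()  # drop a trailing title such as ", CEO"
    if name_key in contacts and contacts[name_key].lower() != from_addr.lower():
        indicators.append(f"display name '{name}' with non-directory address {from_addr}")
    reason = lookalike(from_dom, company_domain)
    if reason:
        indicators.append(f"From domain {from_dom} looks like {company_domain}: {reason}")
    if from_dom in FREEMAIL and name_key in contacts:
        indicators.append(f"free-mail address {from_addr} claiming to be {name}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_dom:
        tag = " (free-mail)" if domain_of(reply_to) in FREEMAIL else ""
        indicators.append(f"Reply-To {reply_to} differs from From domain{tag}")
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and domain_of(return_path) != from_dom:
        indicators.append(f"Return-Path domain {domain_of(return_path)} differs from From")
    auth = auth_results(msg)
    if auth.get("dmarc") == "fail":
        indicators.append("DMARC fail: neither SPF nor DKIM aligned with the From domain")
    hits = [k for k, pat in BODY_PATTERNS.items() if re.search(pat, body_text(msg), re.I)]
    return {"from_domain": from_dom, "indicators": indicators, "body_patterns": hits, "auth": auth,
            "verdict": "verify out-of-band before acting" if indicators or len(hits) >= 2 else "no indicators"}

if __name__ == "__main__":
    for key, value in triage(RAW_EMAIL).items():
        print(f"{key}: {value}")
```

On the constructed message every authentication check passes, and the script still reports three sender indicators and four body-pattern families, which is the point of the caveat above: authentication tells you the mail came from examp1e.com, and only the lookalike and directory comparisons tell you that examp1e.com is not your CEO. Treat the output as a prompt to pick up the phone, not as a verdict.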
Verification protocol
Treat the email as untrusted until verified through a separate channel.
- Call the sender on a phone number from your existing records, NOT a number in the email or its signature.
- Walk over to their desk if you are colocated.
- Send a fresh email to their known address (not Reply) and ask for confirmation. This defeats spoofed and lookalike senders only; if the real mailbox is compromised, the attacker reads that email too, so a phone call or in-person check is the stronger option.
- If a wire is requested, require dual-control approval no matter who the sender appears to be.
- Never act on payment, credential, or vendor changes based on email alone.
- Preserve the suspicious email's raw source for IT and law enforcement.
Disclaimer
ScamSpot for Business provides risk indicators only. It does NOT verify vendors, bank accounts, or invoice legitimacy. Always call the vendor on an independently-verified phone number - never one in the suspicious email - before taking action.
- Not a vendor verification service.
- Not a bank-account ownership validator.
- Not legal, financial, or compliance advice.
- Report confirmed fraud to the FBI IC3 (ic3.gov) and the FTC (reportfraud.ftc.gov).
Example: CEO-fraud wire request
Input
I am in meetings all day - can you process a USD 18,500 wire to a new consultant before 5pm? Bank details to follow. Keep this confidential.
What to notice
- Same-day urgency + unavailability + confidentiality = classic CEO-fraud BEC.
- Verify by phone or in person on a channel you trust, not the email.
- Dual-control approval is required regardless of who appears to be the sender.
Verify Vendor Email FAQ
Can a real CEO or vendor mailbox be compromised?
Yes. Even legitimate accounts can be hijacked. Treat any unusual payment, credential, or vendor change request with the same protocol regardless of sender identity.
What does DMARC failure mean?
DMARC failure means the message could not be tied to the domain shown in the From header: SPF did not pass for an aligned domain and DKIM did not produce a valid signature for an aligned domain. It is a strong signal of spoofing, though some legitimate forwarders and mailing lists also fail DMARC because forwarding breaks SPF and list footers can break DKIM. The reverse does not hold: a DMARC pass only proves the mail came from the domain in the From header, and that domain may itself be an attacker-registered lookalike.
Should I reply to ask for confirmation?
Never reply to the suspicious email. If the address is spoofed or a lookalike, your reply goes to the attacker. Start a fresh email to the known address, or better, call: if the real mailbox has been compromised, even a fresh email lands with the attacker, and only a phone call or in-person check gets around that.
What is display-name spoofing?
It is when the visible name in an email is set to look like a trusted contact ('Alex Chen, CEO') but the underlying email address is unrelated or attacker-controlled.
Does ScamSpot verify the sender?
No. ScamSpot for Business provides risk indicators only. It does NOT verify vendors, bank accounts, or invoice legitimacy. Always call the sender on an independently-verified phone number - never one in the suspicious email - before taking action.