The Email Header That Sends Your Reply Straight to a Thief
Business email compromise rarely bothers faking the sender. It just changes one field your inbox politely hides from you.
Archive
Every piece we have published — grounded and permanent. Newest first.
Business email compromise rarely bothers faking the sender. It just changes one field your inbox politely hides from you.
Your bank has DMARC. So does your airline. It's doing roughly nothing, and the setting that proves it is one word long.
The scam that drained $2.9 billion from American businesses last year didn't carry a single virus. It carried a subject line and a favor.
Adding +shop to your Gmail feels clever. A regex deletes it in milliseconds. Here's what actually gives you a kill switch.
The 'summarize this thread' button is the friendliest-looking attack surface in your inbox.
Your gym, your streaming app, and that meditation subscription you forgot about all share one design goal: make leaving harder than joining.
Half the newsletters in your inbox phone home the second you glance at them. Here's the invisible dot doing it, and the one toggle that blinds it.
Your security software gave it a green checkmark. That was the whole point.
Apple's Hide My Email hides your address. A unique alias does something better: it names the company that sold you out.
Real carriers don't email you a payment link to free your own package. That one request is the whole con.
Your bank statement hides recurring charges behind cryptic merchant names. Your email doesn't bother.
The model isn't a nosy intern skimming your love letters — it's a statistician betting on patterns, and that changes what you should actually worry about.