How a Fake Bank Transfer Email Nearly Fooled Me

January 8, 2026

Even legitimate institutions can appear suspicious via email; verifying unusual requests prevents falling victim to spoofing attacks.

An elementary school my son attends sent me a bank transfer request via email.

It looked suspicious. The school communicates with parents exclusively through a dedicated mobile app or by phone.

The concern wasn’t only that the message came from a free Gmail account, despite the school having an official business email. There was no invoice and no link to a payment portal.

I was BCC’d, there was no personalization, and the bank details were pasted directly into the email body.

It looked like another wire fraud request I had received.

I decided to verify the request in person when picking up my son later that day. They confirmed it was legitimate.

I tried to explain the basics of spoofing and social-engineering attacks. They smiled.

I looked like the weird dad. I walked away.
