You receive an email from "accounts@microsoft.com" — except that "о" in microsoft is Cyrillic, not English. Your eyes see Microsoft. The email looks legitimate. You reset your password through their fake link, and they now control your account.

Human eyes cannot distinguish between these characters. They look identical. Only software scanning the actual character codes can detect the substitution.

Your eyes cannot detect this. Only software can.

You get an email that appears to be from your boss asking you to process a vendor payment. You reply with questions, they answer convincingly, and you send the wire. You had a whole email conversation. But every single reply went to a criminal in another country who was pretending to be your boss.

This attack is completely invisible in normal email use. The "From" line shows your boss's name and email. You have to manually inspect the email headers to see the reply-to mismatch — and nobody does that.

From: ceo@yourcompany.com

Reply-To: ceo-yourcompany@gmail.com

You think you're emailing your CEO. You're emailing a criminal who now has whatever you sent them.

An escrow officer gets an email from "the seller" asking to change the wiring instructions for their proceeds. The email address is off by one character — sara.milller@gmail.com instead of sara.miller@gmail.com. Who checks for three L's? The officer wires $380,000 to a criminal's account. Within hours, the money hops through a chain of banks and lands overseas. It's gone.

Most security tools compare against a generic database. We compare incoming emails against YOUR actual contacts. If you've emailed sara.miller@gmail.com before and suddenly get an email from sara.milller@gmail.com, we flag it immediately. The closer the match, the more likely it's an impersonation attempt.

Your inbox shows an email from "Chase Fraud Department." You open it, concerned about your account. But the actual sending address is xr7829@randomserver.net. You click the link, enter your banking login, and they drain your account.

We flag emails where the display name contains trusted company keywords or official-sounding phrases but the actual email domain doesn't match. If someone calls themselves "PayPal Support" but emails from a Gmail address, that's a red flag.

In your inbox: "Bank of America Security"

Actual address: xr77281@randomdomain.com

In your inbox: "DocuSign"

Actual address: notreal@spamserver.net

You receive an email saying "Your account will be suspended in 24 hours" or "Updated wire instructions — please confirm receipt." The urgency makes you act fast. You send money or credentials without verifying, and it's gone.

Over 90 phrases across six categories:

You get an email saying "Your DocuSign document is ready for signature." It looks real. The formatting matches what you've seen before. But the sender address is notifications@secure-doc-center.com, not docusign.com. You click, enter your credentials, and now they have access to your accounts — or worse, you wire money based on fraudulent instructions in the "document."

Or you receive a notice that your "driver's license renewal requires immediate action" from what looks like your state DMV. The sender? A random domain with no .gov address in sight.

When an email mentions a known brand or government agency, we check if the sender domain actually belongs to that organization. DocuSign only sends from @docusign.com and @docusign.net. PayPal only sends from @paypal.com. The IRS only sends from @irs.gov. Your state DMV only sends from .gov addresses.

If the email talks about one organization but comes from somewhere else, you'll see a warning.

A criminal sends an email that says it's from your bank. The display name looks right, the email address looks right, but the email was actually sent from a completely different server. The bank's authentication records say "we didn't send this" — but that information is hidden in the headers where nobody looks.

We check SPF, DKIM, and DMARC authentication results in every email's headers. If any of these checks fail, it means the email wasn't sent from an authorized server for that domain. We surface this invisible information as a clear warning so you don't have to dig through technical headers yourself.

These are commercial domains sold by private registrars. They have nothing to do with the countries they reference. Anyone in the world can register one.

These domains aren't inherently malicious, but when one is asking you to click a link, verify your account, or send money, it deserves extra scrutiny.

We analyze domain names for patterns that don't appear in legitimate business domains: no vowels, high ratios of numbers to letters, and chains of random-looking subdomains stacked together. Legitimate short abbreviations like msn.com and bbc.co.uk are excluded.

We analyze the username portion of the sender's email for patterns that don't look like real names or words. High ratios of consonants to vowels, excessive numbers mixed with letters, and strings with no recognizable structure all trigger detection.

We maintain a database of known disposable email providers. When an email arrives from one of these services, we flag it. Legitimate businesses and real people don't send emails from addresses designed to self-destruct.

We maintain a list of trusted email routing services. When an email is routed through a server NOT on our list — especially something random or suspicious — we flag it. Legitimate services like SendGrid, Mailchimp, Amazon SES, Google, and Microsoft won't trigger warnings.

If you're expecting wire instructions from your title company and the email comes from a foreign domain, that's critical information. Your bank shouldn't be emailing you from a different country. Your local escrow company doesn't operate overseas.

Instead of a generic warning, we identify the actual country of origin. You'll see exactly where the email came from, so you can decide if that makes sense for the context. We identify every country-code domain in the world — over 250 countries and territories.

We count the total recipients in the To and CC fields. When an email is sent to 10 or more people and contains content that should be personal — payment confirmations, account alerts, invoice notifications — we flag it. Real companies use BCC or marketing platforms. Scammers just dump addresses into the To field.

You receive an email saying "John Smith shared a document with you — View in OneDrive." The email looks identical to a real Microsoft notification. You click "View Document," enter your Microsoft credentials on what looks like a real login page, and now the attacker has full access to your email, files, and everything connected to your account.

We detect 18 common document-sharing phrases that scammers use to mimic real file-sharing services. When an email contains language like "shared a document with you," "view in OneDrive," or "click to access document" but the sender isn't from the legitimate platform, we flag it.

Some of the most dangerous phrases in a scam email tell you NOT to verify. "Don't call to verify — I'm in a meeting." "Do not contact your bank." "Please don't discuss this with anyone yet." When a real person needs you to act, they welcome verification. When a scammer does, they actively discourage it.

We detect 23 anti-verification phrases. If an email tries to stop you from verifying, that's one of the strongest signals that something is wrong.

Business Email Compromise (BEC) attacks mimic the way executives talk. "Handle this personally," "keep this between us," "I need this done before end of day," "I'm authorizing this directly." We detect 17 BEC-specific phrases that impersonate executive authority.

For real estate and financial transactions, scammers create fake urgency around closings. "Closing moved up to today," "wire must arrive today," "funding deadline moved up." We detect 20 closing-specific pressure phrases while carefully excluding routine business language that would cause false alarms.