The 12 types of email fraud targeting businesses in 2026
Apr 2026 · 8 min read
Email fraud isn’t one thing. It’s a spectrum of attack patterns — each with different tactics, targets, and tells. Understanding what you’re looking at is the first step to knowing what to do about it.
Based on FBI IC3 data, ACFE methodology, and our own analysis of thousands of suspicious emails, here are the 12 attack patterns that FraudDecoder classifies and detects.
MO-01Vendor Payment Redirect
The attacker impersonates a known vendor and requests that future payments be sent to a new bank account. Often uses a lookalike domain (e.g., acme-corp.com vs acmecorp.com) and references real invoice numbers.
- Lookalike sender domain
- New bank details
- References real invoices
- "Updated payment instructions"
Average loss: $129,000 per incident (FBI IC3). The #1 BEC vector — 68% of vendor payment fraud involves bank detail changes.
MO-02Executive Impersonation
The attacker poses as the CEO, CFO, or another senior executive to authorize a wire transfer or override normal approval processes. Relies on authority pressure and urgency.
- CEO/CFO display name
- Free email provider or spoofed domain
- "Keep this confidential"
- Urgency + authority combination
The classic BEC scenario. Targets finance teams who are conditioned to act quickly on executive requests.
MO-03Payment Redirect / Bank Detail Change
A request to change vendor banking details in your master file. May come from a compromised vendor email or a spoofed sender. Often timed around actual payment runs.
- Bank detail change request
- New contact person
- Urgency before next payment run
- Subtle domain variations
CRITICAL risk. Once a wire is sent to a fraudulent account, recovery rates are below 22% (FBI IC3).
MO-04Urgency Exploitation
Creates false time pressure to bypass normal verification controls. "This must be processed by end of day" or "penalty fees will apply." Designed to prevent the recipient from checking.
- "ASAP", "immediately", "end of day"
- Penalty or consequence threats
- Unusually tight deadlines
- Pressure to skip normal process
Urgency is the #1 social engineering tactic across all BEC variants. It works because it overrides careful thinking.
MO-05Authority Exploitation
Leverages organizational hierarchy to prevent questioning. "I'm in a meeting, just process it." The attacker knows the recipient won't push back on someone senior.
- Name-dropping executives
- "Direct order" language
- "Do not discuss with anyone"
- Unusual request from authority figure
Particularly effective in hierarchical organizations where junior staff are reluctant to question senior leaders.
MO-06Advance-Fee Scheme
Requests upfront payment for a promised future benefit — a deposit, processing fee, or tax payment that must be paid before funds can be released.
- "Processing fee required"
- "Tax payment before release"
- Too-good-to-be-true offer
- Unknown entity requesting deposit
Part of $6.6B in investment fraud (FBI IC3 2024). Often targets companies expecting legitimate payments or refunds.
MO-07Credential Harvesting
Phishing for login credentials to financial systems, email accounts, or vendor portals. Uses fake login pages that mimic legitimate services.
- "Verify your account" language
- Suspicious login link
- Brand impersonation (bank, SaaS)
- Mismatched URL domain
193,407 complaints in 2024 — the most reported cybercrime. Average breach cost: $4.88M. Often the first step in a larger attack chain.
MO-08Data Exfiltration
Requests for sensitive data: W-2 forms, employee PII, financial records, or tax documents. Usually impersonates HR, executive leadership, or a tax authority.
- Bulk PII request
- "All employees" data request
- W-2 or tax document request
- Executive impersonation
Stolen employee data enables identity theft, tax fraud, and further targeted attacks against individuals.
MO-09Gift Card Scheme
Requests purchase of gift cards as a form of untraceable payment. Always impersonates an executive. "Buy 5x $200 Amazon gift cards and send me the codes."
- Gift card purchase request
- "Scratch off and send codes"
- "Keep this between us"
- Executive display name
Low dollar amount per incident but extremely common. Distinctive pattern — almost always detectable with the right signals.
MO-10Invoice Manipulation
Altered or fabricated invoices — changed bank details, inflated amounts, duplicate submissions, or invoices from shell companies for services never rendered.
- Altered PDF metadata
- Bank details don't match records
- Duplicate invoice number
- No matching PO or contract
58% of organizations affected. Average loss: $133,000. Particularly dangerous for services invoices without purchase orders.
MO-11Account Compromise
A legitimate vendor or employee email account has been taken over. The attacker sends requests that appear to come from a trusted, verified sender.
- Behavioral deviation from known sender
- Unusual request type or timing
- Tone or language changes
- New signature or contact details
Hardest to detect because the sender IS legitimate. Requires behavioral baseline comparison, not just sender verification.
MO-12Deepfake-Enhanced Social Engineering
AI-generated voice or video used to impersonate a known person, followed by email requests to authorize payments or share sensitive information.
- Email references recent "call" or "meeting"
- Request follows unusual phone/video contact
- Cross-channel verification failure
- AI-generated content indicators
+1,740% increase in deepfake fraud in North America (2022-2023). $200M+ in losses in Q1 2025 alone. An emerging and rapidly growing threat.
What to do when you spot one
Recognizing the pattern is step one. But knowing the attack type doesn’t tell you what to do about it. Each MO requires different verification steps, different escalation paths, and different prevention controls.
That’s what FraudDecoder does. Submit the suspicious email, get the attack classification, and receive specific next steps and controls — in seconds, not days.