On the afternoon of April 15, 2026, a Swiss industrial company received an email. Subject: “Procurement Proposal.” Sender: allegedly the CEO of an established Swiss industry association. The tone seemed plausible, the HTML signature was professional with a logo and address, and the mail server was technically authenticated. SPF: passed.
But here's the thing: the CEO in question never wrote that email.
What looked like an ordinary business inquiry at first glance turned out to be a Business Email Compromise (BEC), one of the most lucrative forms of fraud of the past decade. The FBI estimates that reported BEC losses worldwide between October 2013 and December 2023 total approximately $55 billion. And the trick that made this particular case especially insidious lay in a single letter.
One letter that changes everything
Let’s consider an illustrative example:
- Legitimate: swisscompany.ch
- Fraudulent: swlsscompany.ch
The lowercase "i" has been replaced by a lowercase "L." In most sans-serif fonts—which are the ones used by default in Outlook, Gmail, and Apple Mail—the difference is practically indistinguishable to the naked eye. This technique is called confusable-character typosquatting: attackers register a domain that looks identical to the original but technically has its own identity—with its own email infrastructure, its own SPF record, and its own certificates. To mail servers, the fake domain appears completely legitimate. To the human eye, it is indistinguishable from the original.
This exact pattern was used in the present case. The perpetrator had set up a legitimate email account with an Indian hosting provider (PDR/Directi, Mailhostbox), assumed the identity of the association’s CEO, and began sending targeted emails to business partners. At least five cases involving companies in Switzerland, Germany, and the United States have been documented. The classic BEC process involves: a friendly initial contact with a harmless pretext, followed by building trust, and then an “urgent” invoice with a changed IBAN or a request for advance payment.
A brief moment of panic
An attack of this kind rarely strikes an organization during quiet weeks. At the time, the association in question was in the midst of intense preparations for a major industry event—the exhibition hall, sponsorship, the program, and thousands of registered attendees. Right in the middle of all this, the first reports from affected business partners began to pour in.
The first question was obvious: “Has our mail server been hacked?” This was followed by concerns about a data breach and the obligation to report it under the Data Protection Act.
Valid questions—and ones that people are reluctant to ask, especially during an already intense preparation phase. The good news: thanks to the already established anti-scam infrastructure and the well-coordinated reporting chain between the association and our support team, these issues were quickly resolved. A look at the original headers clearly showed: no compromise of the genuine domain, no compromised mailboxes, no data leaks. An external, fake domain—bad enough, but with clear boundaries. This assessment gave the CEO team the peace of mind to continue focusing on the event, while we simultaneously set up the takedown chain.
Our Abuse Handling Process
We have been supporting this association for years—from its website and CRM system to defending against phishing and scam campaigns related to its events. Once the evidence regarding the typosquat domain was in, it was clear: this case didn’t belong in a support ticket, but rather required a structured incident response.
1. Forensic analysis of the raw data
The company in question provided us with the original .eml file, including all SMTP headers. This is the crucial evidence: a screenshot or a forwarded email is not sufficient. Only the complete source file provides the necessary evidence for the registrar and email host.
From the headers, we gathered that:
- Sending MTA: us2.outbound.mailhostbox.com (IP 208.91.198.44) – an SMTP relay operated by PDR/Directi
- Authentication: SPF passes (the attackers control the typosquat domain themselves and were able to publish a matching record), DKIM is missing, DMARC is not published
- Message-ID: a valid hash for the typosquat domain – proof that the email was sent from that domain in the normal way
- Submission source: internal network IP 10.25.144.110 at the email provider – not spoofing, but a deliberately created, properly authenticated account
Particularly revealing were artifacts in the HTML signature: remnants of an external template, namely a company logo whose alt attribute named a company from a completely different industry, and an empty placeholder in the middle of the address block. These are unmistakable traces of a signature template previously used in other BEC campaigns targeting different organizations—a forensic fingerprint linking this campaign to a broader group of active BEC operators.
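An added example (not the agency's own tooling) of the header triage described above: it parses a constructed .eml whose headers mirror the findings listed (relay IP and submission IP as quoted, SPF pass, no DKIM, no DMARC, Message-ID under the sending domain) and derives the same conclusions. The victim domain mx.example-victim.ch, the Postfix queue id and the Message-ID value are invented placeholders.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample .eml modelled on the headers described above; the victim MX,
# queue id and Message-ID are placeholders, the two IPs are the ones quoted in the text.
RAW_EML = b"""\
Received: from us2.outbound.mailhostbox.com (us2.outbound.mailhostbox.com [208.91.198.44])
\tby mx.example-victim.ch with ESMTPS; Wed, 15 Apr 2026 13:02:11 +0000
Received: from [10.25.144.110] (unknown [10.25.144.110])
\tby us2.outbound.mailhostbox.com (Postfix) with ESMTPSA id PLACEHOLDER;
\tWed, 15 Apr 2026 13:02:05 +0000
Authentication-Results: mx.example-victim.ch; spf=pass smtp.mailfrom=swlsscompany.ch;
\tdkim=none; dmarc=none
From: "Association CEO" <ceo@swlsscompany.ch>
Subject: Procurement Proposal
Message-ID: <placeholder-id@swlsscompany.ch>

Dear partner, please find our procurement proposal below.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

def triage_headers(raw: bytes, claimed_domain: str) -> dict:
    """Extract the facts an abuse report needs and flag the typosquat pattern:
    From domain differs from the imitated organisation, yet SPF passes."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    hops = [str(h) for h in msg.get_all("Received", [])]  # outermost hop first
    relay_ips = [m.group(1) for m in map(IP_RE.search, hops) if m]
    mid = re.search(r"@([^>\s]+)", str(msg.get("Message-ID", "")))
    mid_domain = mid.group(1).lower() if mid else ""
    auth = dict(AUTH_RE.findall(str(msg.get("Authentication-Results", ""))))
    submitted_auth = any("ESMTPSA" in h for h in hops)  # Postfix: authenticated submission
    findings = []
    if from_domain != claimed_domain:
        findings.append(f"From domain {from_domain} is not {claimed_domain}: external lookalike, not a compromise of the genuine domain")
        if auth.get("spf") == "pass":
            findings.append("SPF pass only proves the sender controls its own domain")
    if auth.get("dkim") != "pass" or auth.get("dmarc") != "pass":
        findings.append(f"dkim={auth.get('dkim')} dmarc={auth.get('dmarc')}: no signature, no policy")
    if submitted_auth and relay_ips:
        findings.append(f"authenticated submission from {relay_ips[-1]}: a real account at the provider, not spoofing")
    if mid_domain == from_domain:
        findings.append("Message-ID issued under the sending domain: normal submission")
    return {"from_domain": from_domain, "relay_ips": relay_ips, "message_id_domain": mid_domain,
            "auth": auth, "authenticated_submission": submitted_auth, "findings": findings}
```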
2. Targeted abuse reports to the appropriate departments
BEC is a multi-front battle. A generic message sent to “somewhere” rarely achieves anything. We prioritized who we contact, in what order, and with what request:
| Recipient | Role in the offense | Our demand |
|---|---|---|
| Mailhostbox | Email provider – actively sends out emails | Block SMTP account |
| MonoVM | Reseller – sold the domain | Secure customer data for law enforcement purposes |
| Key-Systems | Upstream registrar – manages .org registrations | Deactivate domain |
| NCSC | Federal Office for Cybersecurity | Official statement from Switzerland |
| Affected companies | Direct victims | Warn about follow-up emails |
Each of these reports was tailored individually—with the correct forensic data, the appropriate legal basis, and a clearly justified request for action. A generic abuse report gets routed through the standard process and sits unread for weeks. A well-documented report containing the message ID, IP address, header excerpt, and evidence of damage is assigned to a case handler who can make a decision.
One detail that made all the difference in this case: The written report to the registrar was followed by a personal follow-up call. That conversation escalated the case internally—and thus moved it from a queue of hundreds of abuse emails to the desk of someone who could actually carry out the takedown.
3. Preservation of evidence for future use
Alongside the technical reports, we ensured that the perpetrator’s digital traces would not disappear with the takedown. Registration dates, payment records, and login IP addresses are disclosed by registrars only upon official request and are automatically deleted after a certain period of time. In our report to MonoVM, we therefore explicitly included a request for data preservation:
“Please retain all customer records related to the registration, including registration data, login IP addresses, payment records, and communication history, in case of a future formal request for disclosure.”
Whether this data will ever be requested is decided later—typically when a pattern of clear financial harm emerges from several individual cases and criminal prosecution becomes a real possibility. Without that sentence in the abuse report, the evidence would have long since disappeared by then.
The result
On April 16, 2026, at 11:21 UTC, less than 24 hours after we had compiled the first chain of evidence, Key-Systems GmbH deactivated the typosquat domain. Mailhostbox suspended the sender’s account. MonoVM confirmed that the data had been preserved. The NCSC opened an official case. The affected companies were warned directly before a second “follow-up” could take place.
The perpetrators will register the next lookalike domain—that’s part of their modus operandi. For us, therefore, the case is not closed but has been incorporated into our ongoing campaign monitoring.
Three factors that made the difference
Why was this takedown processed within 24 hours, when abuse reports usually sit unaddressed for days or weeks? Three factors came together:
1. Dedicated agency service built on an existing relationship. We know the association, its email infrastructure, its key events, and its internal processes. When the issue arose, we didn’t need to hold briefings—we were able to get to work right away. And when you’ve been supporting a client for years, you go the extra mile in a way you wouldn’t for an anonymous ticket.
2. Claude as a tool to streamline forensic analysis and content creation. Analyzing headers, searching for clues in templates, and drafting a clear, technically sound abuse report in a tone that registrars take seriously—the Anthropic AI assistant speeds up these tasks significantly. What used to take half a workday per report is now a matter of minutes—with greater consistency and fewer typos in the message IDs.
3. A personal phone call to the registrar. An email report is necessary, but often not enough. A brief phone call with the abuse team moved the case from the standard backlog to the escalation track. This isn’t a technical matter, but an interpersonal one—and that’s exactly why it’s so effective.
None of these three factors alone would have been enough. But together, they did the trick.
What you can take away from this case
Three points that apply to any organization with a well-known brand:
1. Typosquats cannot be prevented through technical means. Neither DMARC, SPF, nor DKIM can protect against a domain that simply looks similar—technically, it is completely legitimate. Protection lies in raising recipients’ awareness and, for high-profile brands, in defensive registration of the most obvious lookalikes: other TLDs (.com, .ch, .co), variants with hyphens, and variants with swapped letters. These typically cost in the low double-digit Swiss franc range per domain per year—negligible compared to the potential damage.
2. BEC prevention is a process, not a product. No spam filter can reliably identify a domain that is only an hour old and sent via a regularly authenticated account. What matters is that your organization knows who to contact when a suspicious email appears—internally (IT, finance department) and externally (agency, NCSC, registrar). Those who wait until an emergency to establish this process lose hours during which money is already in transit.
3. Raw forensic data is worth its weight in gold. Without the complete .eml file containing all headers, an abuse report is virtually useless. Employees should know how to export an email as the original source text in Outlook, Gmail, and Apple Mail—not as a screenshot, not as a forwarded message. A screenshot proves nothing; a .eml with intact headers proves everything.
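As an added example (not from the original article) of the defensive registration shortlist recommended in point 1: it generates the obvious lookalikes of a brand domain, namely other TLDs, hyphen insertions, adjacent letter swaps and single confusable substitutions, so the list can be registered or fed to new-registration monitoring. The TLDs beyond .com/.ch/.co and the substitution table are assumptions.

```python
# Constructed substitution table: the confusables a brand owner would register
# or monitor first; the full Unicode confusables list is far longer.
CONFUSABLE_SUBS = {"i": ["l", "1"], "l": ["i", "1"], "o": ["0"], "s": ["5"],
                   "m": ["rn"], "w": ["vv"], "d": ["cl"]}
# .com, .ch and .co are named in the text; .net and .org are an assumption.
TLDS = ["ch", "com", "co", "net", "org"]

def lookalike_candidates(domain: str) -> dict[str, str]:
    """Return {candidate_domain: technique} for the obvious lookalikes of a
    two-part brand domain. TLD variants keep the exact label; label variants
    are generated on the original TLD only, which is the shortlist most worth
    registering defensively (or watching in new-registration feeds)."""
    label, _, tld = domain.lower().rpartition(".")
    label_variants: dict[str, str] = {}
    for i in range(1, len(label)):                        # hyphen insertion
        label_variants.setdefault(f"{label[:i]}-{label[i:]}", "hyphen")
    for i in range(len(label) - 1):                       # adjacent letter swap
        if label[i] != label[i + 1]:
            swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
            label_variants.setdefault(swapped, "swap")
    for i, ch in enumerate(label):                        # single confusable
        for sub in CONFUSABLE_SUBS.get(ch, []):
            label_variants.setdefault(label[:i] + sub + label[i + 1:], "confusable")
    candidates = {f"{label}.{t}": "tld" for t in TLDS if t != tld}
    for variant, technique in label_variants.items():
        candidates.setdefault(f"{variant}.{tld}", technique)
    candidates.pop(domain.lower(), None)                  # never list the real domain
    return candidates
```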
If you experience an incident
We handle abuse cases for our clients—and, in urgent cases, also for organizations that otherwise lack a specialized point of contact. We conduct forensic analyses, draft abuse reports in a format that registrars and email service providers take seriously, coordinate escalation up to the NCSC, and preserve evidence for potential future criminal prosecution.
The sooner you report it, the greater the chance of getting it taken down before the second victim makes a payment.
This article describes a real-life case from April 2026. At the request of the association involved, the organization and individuals remain unnamed, as do the recipient companies directly affected. All technical details presented here are taken from the original SMTP headers and the abuse reports that were sent.
