What is happening?
A type of email fraud is becoming increasingly common: clients receive an apparently legitimate message with an attached PDF invoice. The format, visual appearance, and even the logos and signatures in the document look original, but the banking details (such as the IBAN, SWIFT code or beneficiary) have been replaced with the fraudster’s information.
When the client reviews the invoice and makes the payment, the funds end up in the wrong account — often abroad — and are irreversibly lost.
How does this type of fraud happen?
Fraudsters use several methods:
- Intercepting email through unprotected or compromised accounts
- Using automatic forwards or filters that redirect and delete original messages
- Creating fake senders (spoofing), with similar domains (for example: [email protected] instead of yourcompany.com)
- Modifying original PDF invoices by inserting new banking details using malicious scripts
How to check if your email account is compromised (via cPanel)
If you use your email through GoHost.mk and cPanel, follow these steps:
Step 1: Check automatic forwards (Forwarders)
- Log in to cPanel
- Go to Email > Forwarders
- Carefully review all entries. If you notice any forwards to unknown addresses, remove them immediately.
Step 2: Check email filters
- In Email > Email Filters, select each active mailbox
- Check whether there are rules that automatically delete or forward messages, especially those containing words like “фактура” (invoice), “invoice”, “payment”
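An added example (not part of the original article, and not GoHost.mk or cPanel code) of the Step 2 check done in bulk: it reads filter rules and flags any that forward mail off-domain or discard it, raising the severity when the rule matches the keywords above. It assumes the rules are written in Exim filter syntax without nested conditions; `audit_filter`, the sample rules and all addresses are constructed for illustration.

```python
import re

# Words the page says to look for in filter rules.
KEYWORDS = ("фактура", "invoice", "payment")

# Assumption: rules use Exim filter syntax (if ... then ... endif, no nesting).
RULE_RE = re.compile(r"\bif\b(?P<cond>.*?)\bthen\b(?P<act>.*?)\bendif\b", re.S | re.I)
DELIVER_RE = re.compile(r'\bdeliver\s+"?([^\s"@]+@[^\s"]+)"?', re.I)
DISCARD_RE = re.compile(r'\bsave\s+"?/dev/null\b', re.I)


def audit_filter(text, own_domains):
    """Return one finding per rule that forwards mail off-domain or discards it."""
    own = {d.lower() for d in own_domains}
    findings = []
    for rule in RULE_RE.finditer(text):
        cond, act = rule.group("cond").lower(), rule.group("act")
        external = [a for a in DELIVER_RE.findall(act)
                    if a.rsplit("@", 1)[1].lower() not in own]
        discards = bool(DISCARD_RE.search(act))
        if not (external or discards):
            continue  # internal delivery only: nothing to report
        keywords = [k for k in KEYWORDS if k in cond]
        findings.append({
            "severity": "high" if keywords else "review",
            "keywords": keywords,
            "external": external,
            "discards": discards,
        })
    return findings


# Constructed sample: three rules, not taken from a real mailbox.
SAMPLE = '''# Exim filter
if $header_subject: contains "invoice" or $message_body: contains "фактура"
then deliver "collector@mail.example.net" save "/dev/null" 660 endif
if $header_from: contains "news@shop.example.org"
then save "/dev/null" 660 endif
if $header_to: contains "billing@yourcompany.com"
then deliver "archive@yourcompany.com" endif
'''

if __name__ == "__main__":
    for finding in audit_filter(SAMPLE, {"yourcompany.com"}):
        print(finding)
```

A "review" finding is a rule that discards or forwards mail without matching the keywords; it may be a legitimate spam rule, but the mailbox owner should be able to explain it.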
Step 3: Review message activity and delivery
- In Email > Track Delivery, review the logs of delivered and bounced emails
- If you have root access via WHM or SSH, check the system logs:
  /var/log/exim_mainlog
  or /var/log/maillog
How to protect yourself from such attacks
1. Enable a secure connection (SSL) for email communication
Make sure your email clients (Outlook, Thunderbird, mobile devices) use:
- IMAP port 993 with SSL
- SMTP port 465 with SSL
Otherwise, data is sent unencrypted and can be intercepted.
2. Change passwords regularly and use strong combinations
- Passwords should contain at least 12 characters, combining uppercase and lowercase letters, numbers and symbols
- Never use the same password for multiple services
- If you suspect compromise, change the password immediately and log out from all devices
3. Enable Two-Factor Authentication (2FA)
- In cPanel > Security > Two-Factor Authentication
- Scan the QR code with Google Authenticator or Authy
- 2FA makes access significantly harder even if the password has been stolen
4. Remove unnecessary forwards and automations
- Remove all forwarders you don’t use
- Delete suspicious filters that may alter the content or delivery of messages
- In a corporate environment, consider banning automatic forwarding as a security policy
5. Establish a security procedure before each payment
- Check that the sender’s email address is correct (domain, spelling, style)
- Do not download PDF invoices without prior verification
- Confirm banking details by phone
- Request an official document with a stamp or contract if there is any change in payment details
6. Scan your hosting for malicious software
Use the ImunifyAV tool (available with certain hosting packages at GoHost.mk). Regularly scan all mailboxes and web files for viruses, scripts and unauthorized access.
Pre-payment verification – 10-step checklist
- Confirm the authenticity of the sender
- Check the email address letter by letter
- Confirm the IBAN/SWIFT via an alternative channel
- Request an additional document (contract, confirmation)
- Check whether there is any forwarding or filters
- Open PDF invoices in protected/safe mode
- Never pay immediately – always verify first
- Apply dual control: two people before approval
- Keep the communication record as evidence
- In case of doubt, stop the transaction
Support from GoHost.mk
If you suspect that your email account has been compromised, or if you notice suspicious activity, contact our technical support immediately.
Conclusion
Email is an essential tool in modern business, but at the same time one of the most common targets for fraudsters. Therefore, do not rely on habit or blind trust — apply proven practices, security tools and discipline in every email communication related to money.
GoHost.mk is here to help you – whenever security is at stake.