A business owner had been emailing back and forth for two days with someone he thought was his customer's bookkeeper. They were sorting out an invoice. Twelve thousand dollars. Final email said: "All set, please send the wire to this updated account number."

He sent it. The money was gone in an hour.

When I saw the email conversation, nothing initially stood out. The sender's name said the bookkeeper's name. The email signature was the bookkeeper's signature. The thread had been going for days.

But when I opened up one of the original emails and looked at the technical details, I found something he'd never noticed: the From address was the bookkeeper's real email — but the Reply-To address was something completely different. A near-identical lookalike. Every reply he'd sent for the last 48 hours had been going straight to a scammer's inbox.

This is the Reply-To trick, and it's one of the most expensive scams hitting small businesses and ordinary people right now.

What "Reply-To" actually is

When you receive an email, there are actually two different addresses involved:

The From address says who sent it. This is the address you see at the top of the email.

The Reply-To address tells your email program where to send your reply when you hit the Reply button. By default there is no separate Reply-To at all, so your reply goes straight back to the From address — that's how email is supposed to work.

But Reply-To can be set to anything. It's an optional field that's normally invisible to the reader. And scammers love it.

How the trick is run

In the most common version, scammers break into a real email account — usually a small business owner, a real estate agent, an accountant, or a contractor. They don't necessarily empty the inbox or send obviously fake messages. Instead, they sit quietly for days or weeks, reading the conversations.

When they spot a payment about to happen — an invoice being sent, a wire being arranged, a closing payment being scheduled — they jump in. Sometimes they send the fake email from the hacked account itself, with the Reply-To pointed at a lookalike address they control. Sometimes they "spoof" the From address entirely, so it looks like it came from the real person, while Reply-To points to their own inbox.

Either way, the victim hits Reply, types out their response, sends it, and never realizes the conversation has quietly forked. They're now talking to the scammer. The scammer answers in the same tone, the same writing style — sometimes even the same email signature, copied from earlier messages they read.

By the time the real money moves, nobody's the wiser.

How to check Reply-To on a real email

This is the part you can actually do today. Each email program shows the Reply-To field a little differently:

In Gmail (web): open an email, click the small downward arrow under the sender's name, and look for the "reply-to" line. If it doesn't match the From address, that's a red flag.

In Apple Mail on a Mac: open the email, then go to View > Message > All Headers. The Reply-To field will appear in the technical block at the top.

In Outlook (desktop): open the email and look at File > Properties, or right-click > Message Options. The "Internet headers" section will show Reply-To if there is one.

On a phone: most mobile email apps don't show Reply-To at all by default. Which is exactly why scammers love phones.

If Reply-To is missing, that's normal — it just means replies will go back to From. If Reply-To is present and matches From, that's also fine. If Reply-To is present and is different from From, treat the email as suspicious until proven otherwise.
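If you'd rather not squint at headers by hand, the same three-way rule (no Reply-To, matching Reply-To, mismatched Reply-To) can be applied to the raw message text in a few lines of Python. This is an added example I wrote for this post, not something from any email client; it uses only Python's standard library, and the two sample messages, the names and the domains in it are made up for illustration. It goes one step further than the rule above and also notes when the mismatched Reply-To lives on a near-identical lookalike domain, which is the variant in the story at the top.

```python
"""Flag emails whose Reply-To address points somewhere other than From.

Added example, not from the original post. Standard library only.
The sample messages, names and domains below are constructed for illustration.
"""
from difflib import SequenceMatcher
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample: a normal message with no Reply-To header at all.
NORMAL_EMAIL = """\
From: Pat Bookkeeper <pat@example-accounting.com>
To: owner@example-business.com
Subject: Invoice 1042

Hi, attached is the invoice for last month.
"""

# Constructed sample: From is the real address, Reply-To is a lookalike domain
# (".co" instead of ".com"). Every reply would go to the lookalike.
FORKED_EMAIL = """\
From: Pat Bookkeeper <pat@example-accounting.com>
Reply-To: Pat Bookkeeper <pat@example-accounting.co>
To: owner@example-business.com
Subject: Re: Invoice 1042

All set, please send the wire to this updated account number.
"""


def _domain(addr: str) -> str:
    """Return the part after '@', lower-cased, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_reply_to(raw_message: str) -> dict:
    """Compare the From and Reply-To headers of one raw RFC 5322 message.

    Returns a dict with the two addresses, a 'suspicious' flag, whether the
    Reply-To domain merely looks like the From domain, and a plain-English
    reason a reader could act on.
    """
    msg = message_from_string(raw_message, policy=default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    reply_to_header = msg.get("Reply-To")
    _, reply_to_addr = parseaddr(str(reply_to_header)) if reply_to_header else ("", "")
    from_addr, reply_to_addr = from_addr.lower(), reply_to_addr.lower()

    result = {
        "from_addr": from_addr,
        "reply_to_addr": reply_to_addr,
        "suspicious": False,
        "lookalike_domain": False,
        "reason": "",
    }

    if not reply_to_addr:
        # No Reply-To: replies go back to From. This is the normal case.
        result["reason"] = "ok: no Reply-To header, replies go to From"
    elif reply_to_addr == from_addr:
        result["reason"] = "ok: Reply-To matches From"
    else:
        result["suspicious"] = True
        from_dom, reply_dom = _domain(from_addr), _domain(reply_to_addr)
        # A high similarity ratio between two *different* domains is the
        # classic lookalike pattern (example.com vs example.co, rn vs m, ...).
        similarity = SequenceMatcher(None, from_dom, reply_dom).ratio()
        if from_dom != reply_dom and similarity >= 0.8:
            result["lookalike_domain"] = True
            result["reason"] = (
                f"suspicious: Reply-To domain {reply_dom!r} is a near-lookalike "
                f"of From domain {from_dom!r}"
            )
        else:
            result["reason"] = (
                f"suspicious: Reply-To {reply_to_addr!r} differs from From {from_addr!r}"
            )
    return result


if __name__ == "__main__":
    for label, sample in (("normal", NORMAL_EMAIL), ("forked", FORKED_EMAIL)):
        verdict = check_reply_to(sample)
        print(f"{label:7s} -> {verdict['reason']}")
```

To run it on a real message, save the email as raw source (".eml" from most clients, "Show original" in Gmail) and pass the file contents to `check_reply_to`. The 0.8 similarity threshold is a judgment call, not a standard; it is there only to separate "obviously unrelated address" from "one character off", and either way the message is flagged.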

When this scam shows up most

The Reply-To trick is brutal in three specific situations:

When you're closing on a house or sending a wire to a title company. The fake "updated wire instructions" email is one of the costliest scams in America right now — six-figure losses are routine. The FBI tracks this under "Business Email Compromise."

When you're paying an invoice for a contractor, lawyer, or accountant. Anyone you do business with by email is a potential target.

When you're communicating with anyone you've never met in person, especially around money.

If you're about to send a wire transfer based on instructions you got over email — any email, even from someone you trust — call the recipient on a phone number you already know to verify the wire details before sending. Not the number in the email signature. The number you have from before.

This single five-minute habit prevents nearly every Reply-To wire scam I've ever seen.

What to do if you've already replied to a fake email

The reply itself doesn't damage anything technical. You haven't installed a virus by hitting Reply. But the scammer now knows you're paying attention, and they'll try harder.

Stop replying immediately. Don't tell them you've figured it out — they'll just adjust. Instead, contact the real person through a different channel: phone, in-person, a text message to a number you already trust. Tell them their account or your conversation has been compromised, and verify any pending money decisions face-to-face.

If money has already moved, call your bank within the first 24 hours. Wire reversals get harder by the hour. Then file a report at ic3.gov, the FBI's online crime complaint center. Recovery is rare but not impossible, and the report helps law enforcement track the rings doing this.

Tomorrow

Tomorrow's post is the simplest, most useful habit in this whole series: hovering over a link before you click it. Three seconds, no software, no subscription — and it stops most email scams cold.

Friday I'm sending out the printable email-scam cheat sheet to email subscribers. Sign up here if you want it on your fridge.

Reply-To vs From: The Email Trick Most People Miss

You hit Reply on what looks like a legitimate email. The reply goes somewhere else entirely. Here's how the Reply-To trick works.