SO Email Security

AI-powered email security. Defending your inbox from phishing, BEC & account takeovers. Because "Oops, I clicked it" shouldn't cost millions.

06/05/2026

The McAfee renewal email claiming you owe $299 is not from McAfee.
A new wave of AI-powered fake antivirus renewal scams hit inboxes this week. Cybernews and ConsumerAffairs both reported it in the last three days. The latest versions use AI-generated content that is harder to spot than anything before: accurate branding, professional language, personalised details, and a convincing invoice.
Here is what they want you to do. Call the phone number in the email.
When you call, you reach a criminal call centre. They ask for your card details to process a refund. Or they ask you to install remote access software on your device. Or they make your bank balance appear to show a large deposit and ask you to return the excess via wire transfer or gift card. No deposit was made. The money you send is real.
McAfee has confirmed it will never ask you to call a phone number in an email. That is the tell. Every single one of these scams includes a phone number.
The sending address is the second tell. Check it, not the display name. Real McAfee emails do not come from Gmail or lookalike domains.
Ṣọ Mail catches the sending address mismatch and the invoice fraud pattern before the email reaches you. Free on iOS and Android at soemailsecurity.com
Save this. Someone you know has already received one of these.
Protection without retention.

06/04/2026

She sent the payment. The invoice looked real. The account was not theirs.
This is exactly how invoice redirect fraud works. A fake invoice arrives by email. Same vendor name. Same format. Same tone. One thing changed: the bank account number. By the time anyone called to check, the money was already gone.
The attacker did not hack anything. They sent one email. That was enough.
Here is what most people do not know: your email filter did not flag it because there was nothing technically wrong with the email. No malicious link. No suspicious attachment. Just a PDF with the wrong account number and a sending address that was one character off the real vendor domain.
Nobody checks the sending address. That is the whole game.
Ṣọ Mail would have caught this before it ever reached her inbox.
Here is how. Ṣọ analyses every incoming email for sending address mismatches, lookalike domains, and invoice redirect patterns. The moment that email arrived, Ṣọ would have compared the sending address against the display name and the domain history. A domain registered recently pretending to be a known vendor does not pass that check. The email gets flagged before anyone opens it. Before anyone reads the invoice. Before anyone processes the payment.
Not after. Before.
If your business receives invoices by email, this video is about you. The only habit that stops it when the filter misses it: verify every banking detail change on a number you already had before that email arrived. Not the number in the email.
Download Ṣọ Mail free at soemailsecurity.com. iOS and Android.
Save this and send it to whoever handles payments in your business. 👇
Built for your privacy. Ṣọ never retains your email content.

06/01/2026

Your email filter just let a $123,000 mistake through.
Invoice phishing does not spike at quarter end. It runs every single week because your accounts payable team processes invoices every single week. Hoxhunt tracked 50 million phishing attempts across four million users and found invoice scams in the top two attack categories every quarter without exception. The FBI logged $3.046 billion in BEC losses in 2025. Average loss per incident: $123,000.
Here is why your filter missed it.
The email had no malicious link. The attachment was a PDF from a vendor you already pay. The sender display name matched exactly. The sending address was one character off the real domain. Nobody checked. Nobody checks when seventeen invoices need clearing before noon and everything looks routine.
The PDF contained one thing: the wrong bank account number. Your filter had nothing to flag. The payment processed. The money went to a stranger.
One habit stops most of it. Any change to payment details gets verified on a phone number already in your contacts before that email arrived. Not the number in the email. A number you already knew. This single policy closes the gap no filter can fully close.
Ṣọ Mail catches the sending address mismatch and the invoice redirect pattern before the email ever reaches your inbox. Not after you open it. Before it arrives. Free on iOS and Android.

Download Ṣọ Mail at soemailsecurity.com. No credit card. No tech setup.
Save this and send it to whoever handles payments in your business.
Encrypted processing. Zero retention. Ṣọ Mail never retains your email content.

06/01/2026

Attackers do not take the first of the month off.
June starts the same way May ended. Invoices moving. Payment requests landing. Vendor emails arriving. And somewhere in that volume, one email that looks exactly like the rest but is not.
This is not a dramatic attack. It does not announce itself. It looks like a routine message from someone you already trust, arriving at the moment you are busiest and least likely to check twice.
One click on the wrong email can redirect a payment, hand over login credentials, or compromise a client relationship you spent years building. For freelancers and small businesses, there is no IT department to catch it after the fact.
Ṣọ Mail flags the threat before it reaches you. Sending address mismatches, lookalike domains, invoice redirect patterns, phishing signals. All caught before anyone on your team has to make a judgment call under pressure.
Start June with a safer inbox. Free at soemailsecurity.com. No credit card, no tech setup.
Save this and send it to someone running a small business. 👇
Encrypted in. Encrypted out. Nothing kept in the middle.

05/27/2026

Every phishing email that works is built from the same 7 structural elements.
Not the same words. The same blueprint.
Here is what those 7 elements are and what each one is doing to you:

1. Trusted sender identity. The display name is right. The sending address is not. Your brain reads the name and stops there.
2. Plausible pretext. The email references something you are already expecting or worried about. It does not need to be original. It needs to feel relevant to you right now.
3. Manufactured urgency. Urgency eliminates the time you need to verify. Delay is made to feel like the greater risk.
4. Authority signal. A CEO, a government agency, legal language, a compliance deadline. Authority makes compliance feel like the correct, professional response.
5. Single required action. Click. Call. Scan. Open. One thing. Simple enough that it does not feel suspicious.
6. Friction-reduced path. The link goes straight to a page that looks exactly like the real site. The barrier to compliance is as low as possible.
7. Cover story for anomalies. This is the most dangerous one. The email explains, in advance, why something feels unusual. By the time your brain registers the anomaly, the explanation is already waiting.

82.6% of phishing emails now contain AI-generated elements. The visual tells are gone. The structure is not.
Ṣọ analyses the structural signals behind every email before it reaches your inbox. Free to start at soemailsecurity.com
Save this and share it with your team.
AI-powered protection, zero data retention. That is the Ṣọ promise.

05/22/2026

The email said it came from Google. It passed every security check. It still stole 30,000 Facebook business accounts.
Researchers this month exposed a phishing operation run by a Vietnamese-linked group that found a way to send phishing emails through Google’s own infrastructure. They used a legitimate Google tool called AppSheet, which allows the sender name on outgoing emails to be customised. The sending address looked exactly like a real Google notification. Technically, it was one.
The emails warned recipients about Facebook policy violations and copyright complaints. Urgent language. Official branding. A link to resolve the issue immediately.
That link went to a credential harvesting page. Victims logged in thinking they were verifying their Facebook account. The attackers took their credentials and walked away with their pages, advertising accounts, and business profiles. Those accounts are now being resold or used to run fraudulent ad campaigns at scale.
30,000 accounts. The campaign is still active.
Here is what this means for anyone who runs a page or a business that depends on social media.
Standard email security checks the sender. It asks: is this address real, is the domain authenticated, does the infrastructure match? For this attack, every answer came back clean. Because the infrastructure was genuinely Google’s.
The check that would have stopped it is different. It is not about who sent the email. It is about where the link inside actually goes.
Ṣọ analyses link destinations and email content regardless of how the sending address looks. A redirect that ends at a credential harvester is flagged before you click, even when the email originated from a trusted platform.
Free to start at soemailsecurity.com. No credit card, no tech setup required.
Save this. Every business with a page needs to see it. 👇
Protecting your inbox without ever reading it.

05/18/2026

A dangerous email does not always need a bad link.

Sometimes, the trap is hidden in the Reply-To address.

The sender may look trusted, but your reply could go to an attacker.

Before you reply, approve, or pay, check first.

ṢỌ Email Security.
One engine. Every threat in email.
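
A sketch of the two header checks these posts describe (display name versus sending address, and a Reply-To that points somewhere else), added here as an illustration and not Ṣọ's own code. The brand allow-list and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed brand-to-domain allow-list (assumption, not a real product rule set).
BRAND_DOMAINS = {"mcafee": {"mcafee.com"}, "acme supplies": {"acme-supplies.example"}}

def domain_of(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def on_domain(dom, allowed):
    """True if dom is one of the allowed domains or a subdomain of one."""
    return any(dom == d or dom.endswith("." + d) for d in allowed)

def header_findings(raw):
    """Return findings for display-name and Reply-To inconsistencies."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    findings = []
    # The display name claims a brand the sending domain does not belong to.
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in name.lower() and not on_domain(from_dom, allowed):
            findings.append(f"display-name-mismatch: '{name}' sent from {from_dom}")
    # A reply would leave the sender's domain and go somewhere else.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch: {from_dom} -> {reply_dom}")
    return findings

# Constructed sample messages (headers only, no real senders).
SAMPLES = {
    "fake_renewal": "From: McAfee Billing <renewals.team@gmail.com>\n"
                    "Subject: Your renewal invoice\n\nCall us to cancel.",
    "reply_trap": "From: Acme Supplies <accounts@acme-supplies.example>\n"
                  "Reply-To: accounts@acme-suppliess.example\n"
                  "Subject: Updated bank details\n\nPlease confirm.",
    "clean": "From: Acme Supplies <accounts@acme-supplies.example>\n"
             "Subject: Invoice 1042\n\nAttached.",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, header_findings(raw))
```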

05/14/2026

An Israeli startup lost $1M to a single typo. Not their typo. The attacker’s.
In 2019, a Chinese VC firm wired $1M in seed funding to what they believed was an Israeli startup. The money never arrived.
The attacker hadn’t compromised either email account or deployed malware. They had registered two lookalike domains, one for each side of the transaction, each with one extra letter at the end. Every email went to the attacker first, who edited the content and forwarded it onward.
Two parties having a conversation through a translator who happened to be a thief.
Why SPF, DKIM, and DMARC don’t catch this:
Authentication standards detect spoofing of YOUR domain. They cannot detect a DIFFERENT domain that looks similar. The attacker configures these on their own lookalike domain. All three pass cleanly.
Five attack variants:
→ Typosquatting (gooogle.com, amaz0n.com)
→ Character substitution (rn for m, 0 for o)
→ Homoglyph attacks (Cyrillic chars that look identical to Latin)
→ Combo-squatting (paypal-secure.com)
→ TLD substitution (paypal.co instead of paypal.com)
The verification habit that catches them:

→ Inspect the FULL sender address, not the display name
→ Look for extra letters, character swaps, alternate TLDs
→ For financial requests, phone-verify at a number you already have
→ Establish vendor verification protocols up front
→ Use automated lookalike domain detection

Documented cases: Florentine Banker hit 3 British PE firms for $1.3M in 2020. Holland & Knight sued for $3M wire fraud. Zscaler analyzed 30K lookalike domains in 2024 and found 10K+ active.
Five minutes of phone verification beats five hundred thousand dollars of fraud.
Save this. Send it to your AP team and anyone who handles wires.
For automated detection at the email layer, install Ṣọ at soemailsecurity.com. Free tier covers Engine 01 Identity.
We earn revenue from subscriptions, never from your data.
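
What automated lookalike detection for the five variants above can look like, as an added example that is not Ṣọ's implementation. The trusted list and the small confusables map are constructed assumptions, and the classifier expects a plain name.tld sender domain.

```python
import unicodedata

TRUSTED = ["paypal.com", "google.com", "amazon.com"]  # constructed allow-list (assumption)

# Small illustrative confusables map (assumption); real tables are far larger.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}

def skeleton(s):
    """Fold look-alike characters so visually similar names compare equal."""
    s = unicodedata.normalize("NFKC", s.lower())
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return (variant, impersonated_domain) for a name.tld sender domain."""
    domain = domain.lower().rstrip(".")
    if domain in TRUSTED:
        return ("trusted", domain)
    name, _, tld = domain.partition(".")
    for good in TRUSTED:
        gname, _, gtld = good.partition(".")
        if name == gname and tld != gtld:
            return ("tld-substitution", good)
        if skeleton(name) == skeleton(gname):
            # Same skeleton: non-ASCII means a homoglyph, otherwise an ASCII swap.
            kind = "homoglyph" if not name.isascii() else "character-substitution"
            return (kind, good)
        if gname in name.split("-"):
            return ("combo-squatting", good)
        if edit_distance(name, gname) == 1:
            return ("typosquatting", good)
    return ("unknown", None)
```

All of these domains can pass SPF, DKIM and DMARC, which is why the comparison is made against the domains you already trust rather than against authentication results.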

05/07/2026

If you have Ṣọ Mobile installed, you have a free QR safety scanner.
Most users have never opened it.
QR-based phishing attacks tripled between 2023 and 2024. Most of them succeed on mobile because that's where verification is hardest. The QR code hides the destination URL until you've already scanned. By then, your phone is already on a fake login page or a credential-harvesting form.
The Ṣọ Mobile app has a built-in QR Code Safety Scanner that catches this. Free tier covers it. Most people have just never tapped the icon.
How to find it: open the app, tap the QR scanner icon on the main menu.
Two ways to use it. Point your phone camera at any QR code. Or upload an image of a QR code someone sent you. Either way, the verdict comes back in seconds: Safe, Suspicious, Dangerous, or Unknown. With a "why we flagged this" explanation showing the specific signals that contributed.
What the scanner checks:
URL pattern analysis. Is the destination a lookalike domain, a recently registered host, or a known phishing infrastructure?
Domain reputation across multiple threat intelligence feeds (Google Safe Browsing, PhishTank, OpenPhish, more).
Redirect chain inspection. Many phishing QR codes use URL shorteners or dynamic QR services to hide the final destination. The scanner follows the chain and reports every hop.
Subdomain tricks. Patterns like "login.microsoft.com.attacker.com" where the real domain is hidden behind a fake-looking subdomain.
Typosquatting and homoglyphs. Lookalike domains using character substitution. "rn" mimicking "m". "0" instead of "o". Cyrillic characters that visually match Latin ones.
File download flags. If the destination is a direct file download (.apk, .exe, .zip, .pdf, .html), the scanner flags it. Catches a common QR scam pattern where the user expects a website but gets a malware payload.
Beyond URLs, the scanner also handles vCard contact files, Wi-Fi connection codes, app deep links, and payment QR codes (Venmo, CashApp, mobile banking).
How it works architecturally: when you scan, the content goes to Ṣọ servers via HTTPS/TLS, gets analyzed in seconds, gets deleted. Same architecture as Ṣọ Mail. Encrypted in transit, zero retention, no human access, no training on user submissions. We're not claiming "on-device" because the scanner uses our threat intelligence infrastructure on Ṣọ servers. The privacy property is zero retention, not local processing.
Three audiences who especially benefit:
Anyone paying at parking meters or scanning restaurant menus. Public QR codes are the highest-volume quishing surface today.
Anyone handling invoices, payments, or vendor relationships. A fraudulent QR code that redirects payment to an attacker-controlled account is one of the highest-loss attack patterns for small businesses.
Anyone helping older relatives or non-technical colleagues verify suspicious QR codes.
If you've only used Ṣọ for inbox protection, this is the next high-leverage capability to add to your habits.
Five seconds of verification beats five hours of fraud recovery.
iOS: apps.apple.com/us/app/so-mail/id6756896070
Android: play.google.com/store/apps/details?id=com.app.somail
If you don't have Ṣọ Mobile yet, the Free tier covers QR scanning, dark web breach monitoring, and email threat detection. No credit card. 60-second signup.
The most useful feature in your email security app might be the one you've never tapped.
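
Two of the destination checks listed in this post, the subdomain trick and the direct file download, applied to a URL decoded from a QR code. This is an added example, not the scanner's code: the trusted set is constructed, and the two-entry suffix set stands in for the Public Suffix List a real check would use.

```python
import posixpath
from urllib.parse import urlsplit

TRUSTED = {"microsoft.com", "paypal.com"}            # constructed allow-list (assumption)
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}           # stand-in for the Public Suffix List
DOWNLOAD_EXTS = {".apk", ".exe", ".zip", ".pdf", ".html"}  # extensions named in the post

def registrable_domain(host):
    """Rightmost labels that form the domain someone actually registered."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def url_findings(url):
    """Return findings for a destination URL taken from a QR code or email."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    findings = []
    # A trusted name appears on the left, but the registrable domain is someone else's.
    for good in sorted(TRUSTED):
        if reg != good and (host.startswith(good + ".") or f".{good}." in host):
            findings.append(f"subdomain-trick: {good} shown, real domain is {reg}")
    # The path ends in a file type the user did not expect to download.
    ext = posixpath.splitext(parts.path)[1].lower()
    if ext in DOWNLOAD_EXTS:
        findings.append(f"direct-download: {ext}")
    return findings

if __name__ == "__main__":
    # Constructed sample destinations.
    for u in ("https://login.microsoft.com.attacker.com/signin",
              "https://login.microsoft.com/signin",
              "http://files.example.net/update/reader.apk"):
        print(u, url_findings(u))
```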

Address


Toronto, ON