A domain that differs from the genuine one by a single character is registered by an attacker. Emails sent from it look identical to the eye. A capital I in place of a lowercase l, a Cyrillic letter where a Latin one would be, an extra hyphen in a long company name: the eye does not check, the inbox treats the message as ordinary, the recipient acts on it.
The technique is in routine use against family offices, private clients, and any operation where authorisation runs through email. The attacker watches the genuine email traffic, learns the rhythms, and inserts a message at the moment it will be expected.
The defences exist. Mail servers can be configured to flag near-matches to known sender domains. Outbound email can be signed in ways that the receiver can verify. The receiving organisation can implement strict rules about what kinds of instruction may be acted on by email alone. None of this is exotic; all of it is administratively tedious; most operations do not bother until after the first loss.
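One way to implement the near-match flagging described above, as an added Python example that is not from the original text: it canonicalises a sender domain (punycode decoded, lower-cased, common Cyrillic and digit look-alikes mapped onto the Latin letter they imitate) and flags any domain that is identical to, or one edit away from, a trusted domain. The trusted list, the confusables subset and the sample messages are constructed for the example.

```python
import unicodedata

# Constructed trusted-sender list; a deployment would load this from configuration.
TRUSTED = ["clientbank.example", "smith-family-office.example"]

# Characters that render like Latin letters in common fonts (constructed subset).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
               "\u0455": "s", "\u0458": "j", "1": "l", "0": "o"}


def skeleton(domain: str) -> str:
    """Comparison form: punycode decoded, NFKC, lower case, confusables collapsed."""
    if "xn--" in domain and domain.isascii():
        try:
            domain = domain.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed label: fall back to comparing the raw string
    domain = unicodedata.normalize("NFKC", domain).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: each insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_domain: str, trusted=TRUSTED) -> str:
    """'trusted' on exact match, 'lookalike' if a homoglyph variant of or one edit
    away from a trusted domain, otherwise 'unknown'."""
    if sender_domain.lower() in trusted:
        return "trusted"
    sk = skeleton(sender_domain)
    for good in trusted:
        if sk == skeleton(good) or edit_distance(sk, skeleton(good)) <= 1:
            return "lookalike"
    return "unknown"


def flag_messages(messages):  # (sender_domain, subject) pairs -> ones to hold for review
    return [(d, s) for d, s in messages if classify(d) == "lookalike"]


# Constructed sample covering the three tricks named above plus two ordinary senders.
SAMPLE = [
    ("clientbank.example", "Statement"),
    ("cIientbank.example", "Urgent: updated payment instructions"),  # capital I for l
    ("clientb\u0430nk.example", "Wire confirmation"),                # Cyrillic a
    ("smith-family--office.example", "Re: authorisation"),          # extra hyphen
    ("newsletter.example", "Monthly update"),
]
```

Messages whose sender is flagged as a lookalike are the ones to hold and verify out of band; a distance of 1 will also catch legitimate but unknown near-neighbours, which is the intended side of the trade-off for an authorisation channel.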
Most of this is not difficult to read; it is only that almost no one reads it.