
Why do email scams still work and are profitable?

Matthew Whittaker
Co-founder & CTO, Suped
Published 4 Jul 2025
Updated 21 May 2026
12 min read
Email scams still work because the economics are brutal: sending email is cheap, lists can be reused or sold, automation handles most of the work, and scammers only need a tiny fraction of recipients to respond. A campaign that fails 99.99% of the time can still make money when the message reaches enough people and the payoff from one victim is high.
The uncomfortable part is that scams do not need everyone to be gullible. They need one distracted employee, one exhausted parent, one older person under pressure, one finance approver seeing a familiar name, or one customer who clicks before thinking. Scam emails also get better as soon as a recipient responds, because that response marks the address as valuable.
So the direct answer is this: email scams are profitable because attackers combine scale, low operating cost, human pressure, list resale, impersonation, and weak authentication controls. Security awareness helps, but it cannot carry the whole burden. Domains need proper authentication, monitoring, and fast investigation when suspicious mail gets through.

Why the numbers still work

Most legitimate businesses cannot survive on a near-zero conversion rate. Scammers can, because their marginal cost per message is close to zero once they have infrastructure, stolen accounts, purchased lists, or compromised sending systems. A bad message sent to 100,000 people only needs a few replies to justify the attempt.
The math also changes when the scammer is not only chasing an immediate payment. A reply, form submission, opened attachment, or confirmed active address has value. It can move the target into a smaller and more valuable list for a second-stage scam.
  1. Low cost: Mass email costs little compared with phone fraud, paid ads, physical mail, or in-person crime.
  2. High upside: One successful invoice redirection, gift card request, credential theft, or romance scam can cover a large failed campaign.
  3. Reusable data: A person who replies once is more likely to be targeted again, and that confirmed interest can be sold.
  4. Automation: Templates, bots, breached mailboxes, and scripted follow-ups reduce the manual work needed per target.
Why tiny response rates still pay: an illustrative funnel for a 100,000-recipient scam campaign in which most recipients ignore the email.
  Ignored: 99,900 recipients
  Clicked: 80 recipients
  Replied: 19 recipients
  Paid: 1 recipient
This is why some scams look ridiculous. Poor grammar, strange claims, and obvious urgency filter out people who will waste the scammer's time. The person who still replies after seeing those signals is often easier to manipulate later. Bad quality can be an efficiency filter.
A scam email does not need to be believable to everyone. It only needs to be believable to the small group of people who are rushed, isolated, under pressure, unfamiliar with the brand, or already expecting a related message.

Why people still fall for scams

People do not usually fall for scams because they carefully evaluate the message and decide it is safe. They fall for scams because the message reaches them at the wrong moment. Email is mixed into work, banking, shopping, healthcare, travel, delivery updates, school notices, and account security alerts. That normal context gives scams cover.
Good scams exploit timing and emotion. A message that says an account will close in 30 minutes, a package needs payment, a payroll form needs updating, or a CEO needs a quick favor creates a small decision window. The scammer wants the recipient to act before the slower, skeptical part of the brain catches up.
What the recipient sees
  1. Familiar sender: A brand, coworker, vendor, payroll system, or mailbox name they recognize.
  2. Immediate task: A request that feels small enough to handle quickly.
  3. Pressure: A deadline, warning, failed payment, locked account, or executive request.
What the attacker needs
  1. One action: A click, reply, login, payment, code, or forwarded document.
  2. Low scrutiny: A moment when the person is busy or trusts the apparent source.
  3. Next step: A way to move the target into chat, phone, payment, or credential capture.
A second reason is repetition. People receive so much real email that looks automated, rushed, and poorly formatted. Password resets, receipts, policy notices, lead alerts, invoice reminders, and support tickets often look plain. Scam emails borrow that ordinary messiness. The line between a sloppy real email and a malicious fake email is not always obvious in the inbox.
The FTC's consumer guidance on phishing scams gives a useful public checklist: watch for urgent payment requests, fake account problems, suspicious attachments, and requests for personal information. That advice works best when it is paired with technical controls that reduce how often dangerous messages reach people in the first place.

How scams turn attention into money

A scam email is usually the first step in a revenue chain. The money does not always come directly from the email itself. It can come from stolen credentials, payment redirection, account takeover, resold victim lists, fake subscription charges, malware access, or follow-up phone calls.
Flowchart showing how an unwanted email can lead to payment or resale.
The most profitable scams are often multi-stage. First, the attacker sends a broad message. Then they focus on anyone who opens, clicks, replies, or provides a small piece of information. After that, the script becomes more personal. The attacker can mention the recipient's company, role, supplier, family context, previous reply, or account details.

Scam path        | What the attacker gets | Why it pays
-----------------|------------------------|---------------------------------------------------
Credential theft | Login details          | Mailbox access, resale, fraud, and lateral movement
Invoice fraud    | Payment change         | One payment can be worth weeks of failed attempts
Gift cards       | Redeemable codes       | Fast cash-out and low friction for the victim
Reply farming    | Active address         | The address can be retargeted or resold
Malware          | Device access          | Access can lead to data theft or extortion

Common ways email scams become profitable.
This is also why replying to a scam is risky even when no money changes hands. A reply confirms that the mailbox is active and that a human is willing to engage. That information has value.

Why authentication does not stop every scam

DMARC, SPF, and DKIM reduce domain spoofing. They do not make every email safe. A scam can pass authentication when it is sent through a compromised legitimate mailbox, a lookalike domain, a free mailbox provider, a misconfigured third-party sender, or a real platform account that the attacker controls.
This distinction matters. Authentication answers a narrow question. SPF asks whether the sending IP is authorized for the envelope sender (MAIL FROM) domain. DKIM asks whether a signature made with the signing domain's published key still verifies. DMARC asks whether at least one of those passing identifiers aligns with the domain in the visible From header, and what the receiver should do when neither does. None of that proves that the human intent behind the message is honest.
Example DMARC record, published as a TXT record at _dmarc.example.com:
```dns
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; aspf=s; adkim=s; pct=100
```
With aspf=s and adkim=s, only an exact match between the From domain and the SPF or DKIM domain counts as aligned. Relaxed alignment, the default when the tags are omitted, also accepts subdomains of the same organizational domain.
If you want the deeper technical version, see why a phishing email can pass SPF and DKIM. The short version is that SPF and DKIM passing are not enough by themselves. Domain matching, sender authorization, account security, and content signals all matter.
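The scenarios above are easier to see when the alignment check is written out. The following is an added example, not Suped's code or anything from the original page: it parses the DMARC record shown above, applies strict or relaxed alignment, and returns the disposition a receiver would reach for four constructed messages. The SPF and DKIM verdicts are supplied as inputs rather than computed, the organizational domain is approximated as the last two labels (real receivers use the Public Suffix List), and every domain, record and IP is made up for the example.

```python
"""Evaluate DMARC alignment for a few scam scenarios the way a receiver would.

Added example, not Suped's code. Assumptions: the organizational domain is
approximated as the last two labels (real receivers use the Public Suffix List),
and SPF/DKIM verdicts are supplied as inputs instead of being computed from DNS
and signatures. All domains and records below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse a DMARC TXT record into tags; aspf/adkim default to relaxed ("r")."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: needs v=DMARC1 and p=")
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (assumption, see above)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ("s") needs an exact match; relaxed ("r") accepts the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class Message:
    from_domain: str            # RFC5322.From domain, the one the recipient sees
    mailfrom_domain: str        # RFC5321.MailFrom (envelope) domain that SPF checks
    spf_pass: bool              # SPF result for mailfrom_domain
    dkim_domain: Optional[str]  # d= of a DKIM signature that verified, if any
    dkim_pass: bool


def dmarc_disposition(msg: Message, policies: Dict[str, str]) -> str:
    """Return "pass", "none", "quarantine" or "reject" for msg.

    `policies` maps a From domain to its DMARC TXT record and stands in for DNS.
    """
    record = policies.get(msg.from_domain.lower())
    if record is None:
        return "none"  # no DMARC record published: nothing to enforce
    tags = parse_dmarc(record)
    spf_ok = msg.spf_pass and aligned(msg.from_domain, msg.mailfrom_domain, tags["aspf"])
    dkim_ok = (msg.dkim_pass and msg.dkim_domain is not None
               and aligned(msg.from_domain, msg.dkim_domain, tags["adkim"]))
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


# Constructed DNS: the page's record for example.com, plus a lookalike domain the
# attacker registered and configured correctly for itself.
POLICIES = {
    "example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; aspf=s; adkim=s; pct=100",
    "examp1e.com": "v=DMARC1; p=none; rua=mailto:reports@examp1e.com",
}

SCENARIOS = {
    # Direct spoof: From example.com, sent from attacker infrastructure, signed with the attacker's key.
    "spoofed_from": Message("example.com", "attacker.example", True, "attacker.example", True),
    # Lookalike domain: every identifier is consistent for examp1e.com, so its own DMARC passes.
    "lookalike": Message("examp1e.com", "examp1e.com", True, "examp1e.com", True),
    # Compromised real mailbox: sent through the legitimate provider, fully aligned.
    "compromised_mailbox": Message("example.com", "example.com", True, "example.com", True),
    # Legitimate vendor bouncing from a subdomain with no DKIM: fails strict SPF alignment.
    "subdomain_vendor": Message("example.com", "bounce.example.com", True, None, False),
}


def evaluate_all() -> Dict[str, str]:
    """Disposition for every scenario; note that the last one is a vendor, not a scammer."""
    return {name: dmarc_disposition(m, POLICIES) for name, m in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:20s} -> {verdict}")
```

The spoof is quarantined, but the lookalike and the compromised mailbox both pass, which is exactly the gap the text describes. The fourth case is the other side of the coin: under aspf=s a real vendor bouncing from bounce.example.com without DKIM gets quarantined too, which is why the page says to monitor before enforcing and to get vendors signing with an aligned DKIM domain.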
Suped's product helps here by turning DMARC reports into source-level visibility. Instead of reading raw XML, teams can see which services send mail for the domain, which ones pass authentication, and which sources need fixing before moving to stronger enforcement.
For a quick baseline, run a domain health check and confirm that DMARC, SPF, and DKIM are present and valid. That does not solve social engineering, but it removes a large class of simple spoofing attempts.

What defenders can actually reduce

The practical goal is not to make every person detect every scam. That fails at scale. The practical goal is to reduce exposure, reduce impersonation, reduce believable sender abuse, and reduce the time between a suspicious signal and a response.
Suped DMARC dashboard showing email volume, authentication health, and source breakdown
DMARC monitoring gives you a feedback loop. You can see which senders are legitimate, which systems are failing domain matching, and whether anyone is trying to use your domain without permission. This is where Suped's product is the best overall DMARC platform for most teams: it combines DMARC, SPF, DKIM, hosted records, blocklist monitoring, alerts, and issue remediation in one place without forcing people to live inside raw reports.
  1. Authenticate your domain: Publish SPF, DKIM, and DMARC records, then monitor real traffic before enforcement.
  2. Move policy carefully: Start at p=none, fix legitimate senders, then move to p=quarantine and p=reject when ready.
  3. Watch new sources: Unexpected senders often reveal shadow IT, broken integrations, or abuse attempts.
  4. Test real messages: Send real mail through important systems and inspect the result with an email tester before users depend on it.
  5. Monitor reputation: Blocklist and blacklist problems can signal abuse, compromised infrastructure, or poor sending hygiene.
A security program that only says "train users better" leaves too much to chance. Training matters, but it should sit behind technical controls. People should not be the first and only filter.

Why bad messages still get delivered

Mailbox providers make risk decisions using many signals: authentication, reputation, recipient history, URL behavior, content, engagement, sending patterns, and user reports. A message can pass one layer and fail another. A scammer can also avoid obvious malicious content in the first email and move the dangerous step into a reply, phone call, or shared document.
Some scams get delivered because they come through trusted infrastructure. A compromised mailbox at a real company has history, contacts, and established authentication. A lookalike domain can pass its own authentication. A fake invoice from a new domain can look ordinary if the recipient has no prior relationship signals.
Infographic showing signals that let some risky emails get delivered.
Another reason is that filters avoid breaking legitimate mail. If mailbox providers blocked every message that looked slightly suspicious, payroll notices, password resets, invoices, support tickets, and sales emails would be blocked too. Attackers live in that ambiguity.
The warning sign to watch
When a message asks the recipient to leave the normal workflow, slow down. A payment change outside procurement, a login outside the usual portal, a support request outside the ticketing system, or a request to keep something secret deserves verification through a separate channel.

How to make scams less profitable

The way to reduce scam profitability is to increase the attacker's cost and reduce the number of people who reach the dangerous step. That means fewer spoofed messages, fewer successful impersonations, fewer unverified payment changes, fewer compromised mailboxes, and faster detection when something abnormal appears.

Control        | Reduces     | Practical note
---------------|-------------|---------------------------------------------------------------
DMARC          | Spoofing    | Monitor at p=none first, then enforce (quarantine, then reject)
SPF            | Bad senders | Stay under the 10 DNS lookup limit from RFC 7208
DKIM           | Tampering   | Sign with a d= domain that aligns with the visible From domain
MFA            | Takeover    | Prefer phishing-resistant methods such as FIDO2 security keys or passkeys
Payment checks | Fraud       | Verify changes out of band, through a channel the email did not supply

Controls that reduce scam profitability.
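The SPF lookup limit in the table is the control teams most often break by accident, because each include: pulls in a vendor's own includes. This added example is not Suped's code or anything from the page: it walks an SPF record the way an evaluator does and counts the terms that cost a DNS lookup (include, a, mx, ptr, exists, redirect). The records are a constructed in-memory table standing in for DNS TXT lookups, every domain in it is a placeholder, and only the top-level ten-lookup rule is modelled, not the separate void-lookup or MX sub-limits.

```python
"""Count the DNS lookups an SPF record triggers, against the limit of 10 in RFC 7208.

Added example, not Suped's code. SPF_RECORDS is a constructed in-memory table that
stands in for DNS TXT lookups; every domain in it is a placeholder. Only the
top-level "10 lookup-triggering terms" rule is modelled, not void-lookup or MX
sub-limits.
"""
from typing import Dict, List, Optional, Tuple

MAX_LOOKUPS = 10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

SPF_RECORDS: Dict[str, str] = {
    "example.com": "v=spf1 mx include:_spf.mailer.example include:crm.example include:hr-tool.example ~all",
    "_spf.mailer.example": "v=spf1 include:a.mailer.example include:b.mailer.example -all",
    "a.mailer.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "b.mailer.example": "v=spf1 ip4:198.51.100.0/24 a:relay.mailer.example -all",
    "crm.example": "v=spf1 include:_spf.crm-provider.example ~all",
    "_spf.crm-provider.example": "v=spf1 ip4:203.0.113.0/24 exists:%{i}.spf.crm-provider.example ~all",
    "hr-tool.example": "v=spf1 a mx -all",
    # The same record after removing a decommissioned HR tool nobody still sends from.
    "fixed.example.com": "v=spf1 mx include:_spf.mailer.example include:crm.example -all",
}


def count_lookups(domain: str, records: Dict[str, str] = SPF_RECORDS,
                  trail: Optional[List[str]] = None, depth: int = 0) -> Tuple[int, List[str]]:
    """Return (lookup count, trail of the terms that caused them), recursing into
    include:/redirect= targets the way an SPF evaluator does."""
    if trail is None:
        trail = []
    if depth > MAX_LOOKUPS:
        raise RecursionError(f"include chain too deep at {domain}")
    record = records.get(domain)
    if record is None:
        raise LookupError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        term = term.lstrip("+-~?")   # qualifiers do not change lookup cost
        if term.startswith("redirect="):
            name, arg = "redirect", term[len("redirect="):]
        else:
            name, _, arg = term.partition(":")
            name = name.split("/")[0]  # a/24 or mx/24 is still one lookup
        if name not in LOOKUP_TERMS:
            continue                   # ip4:, ip6:, all and exp= cost nothing
        total += 1
        trail.append(f"{domain}: {term}")
        if name in ("include", "redirect"):
            sub, _ = count_lookups(arg, records, trail, depth + 1)
            total += sub
    return total, trail


def within_limit(domain: str) -> Tuple[int, bool]:
    """Lookup count for the domain and whether it stays at or under the limit."""
    n, _ = count_lookups(domain)
    return n, n <= MAX_LOOKUPS


if __name__ == "__main__":
    for d in ("example.com", "fixed.example.com"):
        n, trail = count_lookups(d)
        status = "ok" if n <= MAX_LOOKUPS else "OVER LIMIT: receivers return permerror"
        print(f"{d}: {n} lookups ({status})")
        for t in trail:
            print("  ", t)
```

The original record costs eleven lookups, one over the limit, even though it only names four services; the two vendor includes expand to five lookups between them. Dropping the unused HR tool brings it to eight, which is the kind of fix a sender inventory makes obvious. SPF flattening, which the page mentions, attacks the same problem by replacing include: terms with the ip4:/ip6: ranges they resolve to.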
For domains, the biggest win is visibility. You cannot protect a domain well if you do not know every service sending mail for it. A marketing platform, billing system, help desk, CRM, HR tool, and developer service can all send mail. If one is not authenticated correctly, your domain protection has a gap.
That is where DMARC monitoring becomes a daily operational control rather than a one-time DNS task. Suped's product adds automated issue detection, real-time alerts, hosted DMARC, hosted SPF, SPF flattening, hosted MTA-STS, and blocklist monitoring so teams can keep the configuration healthy after the first setup.
I would also separate two workflows: preventing abuse of your domain and detecting scams that claim to be other brands. DMARC protects your domain from being used without permission. It does not stop a scammer from using a different domain, a compromised mailbox, or a free address. That is why inbox filtering, user reporting, payment verification, and account security still matter.

A simple operating model for teams

For most teams, the workable model is simple: know who sends email for you, authenticate those senders, enforce DMARC only after you have evidence, and investigate changes quickly. The fewer surprises in your sending environment, the harder it is for attackers to hide.
  1. Inventory senders: List every platform that sends mail using your domain or subdomains.
  2. Validate DNS: Check SPF, DKIM, and DMARC records for syntax, domain matching, and policy readiness.
  3. Monitor reports: Review source-level authentication results instead of relying on assumptions.
  4. Fix failures: Update sender configuration, DNS records, DKIM selectors, or vendor settings.
  5. Enforce policy: Move toward quarantine or reject once legitimate mail is passing.
  6. Keep watching: Alert on new senders, sudden failures, volume spikes, and reputation changes.
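Steps 1, 3 and 4 of this model, and the "monitor real traffic before enforcement" advice earlier on the page, come down to reading DMARC aggregate (RUA) reports per sending source. The following is an added example, not Suped's code or anything from the page: it parses a constructed aggregate report in the RFC 7489 XML format, rolls it up by source IP, and labels each source as aligned, as a third party that authenticates but not as your domain, or as a likely spoofing attempt. The report, the known-sender inventory and the IP addresses (documentation ranges) are all made up for the example.

```python
"""Summarize a DMARC aggregate (RUA) report per sending source and flag unknown senders.

Added example, not Suped's code. SAMPLE_RUA is a constructed report in the RFC 7489
aggregate XML format; KNOWN_SOURCES is an assumed inventory. The IPs are from
documentation ranges, not real senders.
"""
import xml.etree.ElementTree as ET
from typing import Dict

SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>mailbox-provider.example</org_name><report_id>42</report_id></report_metadata>
  <policy_published><domain>example.com</domain><adkim>s</adkim><aspf>s</aspf><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>helpdesk-vendor.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.helpdesk-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>3100</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""

# Assumed inventory: sources the team has already identified and owns.
KNOWN_SOURCES = {"192.0.2.10": "corporate mail gateway"}


def summarize_rua(xml_text: str) -> Dict[str, dict]:
    """Aggregate per source IP: volume, how much of it was DMARC-aligned, and which
    domains passed the raw SPF/DKIM checks (whether or not they aligned)."""
    root = ET.fromstring(xml_text)
    per_ip: Dict[str, dict] = {}
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        pe = rec.find("row/policy_evaluated")
        entry = per_ip.setdefault(ip, {"count": 0, "aligned": 0, "unaligned": 0,
                                       "raw_pass_domains": set(), "dispositions": set()})
        entry["count"] += count
        # DMARC passes when either aligned identifier passes; policy_evaluated holds the aligned results.
        if "pass" in (pe.findtext("dkim"), pe.findtext("spf")):
            entry["aligned"] += count
        else:
            entry["unaligned"] += count
        entry["dispositions"].add(pe.findtext("disposition"))
        for auth in rec.findall("auth_results/*"):
            if auth.findtext("result") == "pass":
                entry["raw_pass_domains"].add(auth.findtext("domain"))
    return per_ip


def classify(per_ip: Dict[str, dict], known: Dict[str, str]) -> Dict[str, str]:
    """Turn the per-source summary into an actionable label per IP."""
    labels: Dict[str, str] = {}
    for ip, e in per_ip.items():
        if e["unaligned"] == 0:
            if ip in known:
                labels[ip] = f"aligned (known: {known[ip]})"
            else:
                labels[ip] = "aligned (new source: add to inventory)"
        elif e["raw_pass_domains"]:
            # Mail authenticates, just not as our domain: a vendor that needs custom DKIM/SPF.
            labels[ip] = "alignment gap: authenticates as " + ", ".join(sorted(e["raw_pass_domains"]))
        else:
            labels[ip] = "possible spoofing: no passing authentication at all"
    return labels


def triage(xml_text: str = SAMPLE_RUA, known: Dict[str, str] = KNOWN_SOURCES) -> Dict[str, str]:
    """One call from report text to per-source labels."""
    return classify(summarize_rua(xml_text), known)


if __name__ == "__main__":
    for ip, label in triage().items():
        print(f"{ip:15s} {label}")
```

The three labels map onto the page's steps: the gateway is inventory that is already correct, the help-desk vendor is a "fix failures" item (it signs with its own domain, so it needs a DKIM selector or bounce domain under example.com before enforcement), and the third source is the thing DMARC exists to catch, already being quarantined under the published policy. Real reports arrive gzipped or zipped by email; the parsing is the same once they are unpacked.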
Issue steps to fix dialog showing the issue overview, tailored fix steps, and verification action
The reason I like actionable issue workflows is that authentication failures often involve multiple owners. A marketer controls one platform, IT controls DNS, finance controls invoice approvals, and security controls incident response. A clear issue, evidence, and fix path reduces delay.
The best defensive outcome is not that every scam disappears. The best outcome is that spoofing your domain stops working, suspicious source changes are visible, legitimate mail stays authenticated, and high-risk human decisions require verification.

Views from the trenches

Best practices
Treat every reply as a risk signal and watch for repeated targeting of the same recipient.
Use DMARC reports to separate spoofing attempts from authenticated third-party sending gaps.
Verify payment and account changes outside email, especially when urgency drives the request.
Common pitfalls
Assuming bad grammar means low risk ignores how obvious messages filter for responsive victims.
Relying only on awareness training leaves tired or vulnerable users as the final control.
Ignoring small reply rates misses that one paid victim can fund many failed campaigns.
Expert tips
Track active responder patterns because confirmed addresses often become higher-value targets.
Use quarantine before reject when legitimate sources still need authentication cleanup.
Pair DMARC enforcement with mailbox security because compromised accounts can still pass auth.
Marketer from Email Geeks says scam campaigns can survive on tiny response rates because the cost to send is low and one victim can justify the effort.
2021-07-30 - Email Geeks
Marketer from Email Geeks says some scam messages look bad on purpose because obvious mistakes can filter for people who are more likely to keep engaging.
2021-07-30 - Email Geeks

What this means in practice

Email scams still work because they are built around probability, not persuasion of the average person. Most people ignore them. A small number respond. A smaller number pay, share credentials, or confirm that the address is worth targeting again. That is enough.
The defensive answer is layered. Use DMARC, SPF, and DKIM to reduce spoofing. Monitor authentication and reputation continuously. Treat blocklist and blacklist changes as signals worth investigating. Build payment and account-change processes that do not depend on trust in a single email. Then give users simple reporting paths when something feels wrong.
Suped's product fits the domain side of that work: monitoring, alerts, hosted DMARC, hosted SPF, SPF flattening, hosted MTA-STS, blocklist monitoring, and clear fix steps. Scammers make money when defenders leave cheap paths open. Closing those paths is measurable work.
