The Reply-To Was One Letter Off: How a Typosquat Domain Turned a Gmail BEC Into a Payment Diversion
ID: 63b94efd-841b-56d3-b1a2-88cc7376296f
STIX ID: report--63b94efd-841b-56d3-b1a2-88cc7376296f
Feed Name: IRONSCALES
A targeted invoice-fraud phishing email impersonated a steel distributor's credit manager. The message was sent from a legitimate Gmail path (SPF/DKIM/DMARC passed) but used a typosquatted Reply-To domain (mill-steels.com) to redirect responses to the attacker. The signature included real company links and displayed an employee name, while the underlying mailto href pointed to a different account, revealing an incomplete copy of a legitimate signature. The email requested confirmation of updated banking details (payment diversion) and was quarantined after behavioral detection.
