phishing
March 28, 2026

How Scammers Fake Reply-To Addresses to Hijack Your Email Conversations

A real scan submitted this week revealed a classic but dangerous email hijacking tactic: the Reply-To mismatch. Here's how it works, why email clients hide it, and how to check.

One of the most technically deceptive scams submitted to isthisspam.org this week didn't look like a scam at all.

The email appeared to come from a diplomatic government domain — `cancilleria.gob.ni`, associated with the Nicaraguan Ministry of Foreign Affairs. The subject line: "Test." The body: "This is a test."

Simple. Harmless. Forgettable.

Except for one detail buried in the raw email headers: the Reply-To field pointed to a completely different domain.

```
From: [address]@cancilleria.gob.ni
Reply-To: [address]@cybergal.com
```

Our scanner flagged this with 0.95 confidence as a scam — the highest possible severity in our system. Here's why this single mismatch is so serious.

---

What Is a Reply-To Address?

Every email has two addresses that most people never pay attention to:

1. From: — The address displayed in your inbox. This is what you see as the sender.
2. Reply-To: — An optional header. When it is present, your email client addresses your reply to it, not to the From address, when you click "Reply"; when it is absent, the reply goes to the From address. Most clients do not show it unless you specifically check.

In legitimate bulk email — newsletters, automated notifications — the Reply-To address is commonly set to something different from the From address for routing purposes, for example so that replies to a "no-reply" sender land in a monitored mailbox. That's normal.

In a phishing attack, this distinction becomes a weapon.

---

How the Attack Works

The scammer sends an email that appears to originate from a legitimate or authoritative source — in this case, a government ministry. Because the From domain is a real one (`cancilleria.gob.ni` — Nicaragua's Ministry of Foreign Affairs), filters and readers that judge a message by the visible sender's reputation see nothing wrong with it. Note that a real From domain does not by itself prove the message came from that organisation: the header can be forged outright, or the message sent through a compromised account. The Authentication-Results header (SPF, DKIM and DMARC results) is where the receiving server records what it could actually verify about the sending domain.

The content is deliberately benign. "This is a test." It's non-threatening, triggers no keyword filters, and is designed to prompt a curious reply.

When the recipient clicks "Reply," their email client silently addresses the reply to `cybergal.com` (a domain flagged in at least one open-source intelligence feed) rather than to the ministry.

The scammer now controls the conversation. The victim believes they are communicating with a government official. In reality, they are corresponding with a threat actor who has harvested a live, verified email address and established the illusion of an ongoing legitimate exchange.

---

Why This Technique Is More Dangerous Than Standard Phishing

Most phishing advice focuses on:

  • Bad links
  • Misspelled domains
  • Urgent language
  • Attachments

The Reply-To mismatch bypasses all of that. There are no links, no attachments, no typos, no urgency. The email reads as completely innocuous — because the attack hasn't happened yet. It begins the moment you reply.

This technique is particularly effective against:

  • Business professionals handling government or international correspondence
  • HR and finance teams who receive frequent emails from unknown external parties
  • Anyone curious or polite enough to reply to an ambiguous "test" message

Once a reply is sent, the victim has done three things without realising it:

1. Confirmed their email address is active and monitored
2. Signalled that they didn't immediately detect the scam
3. Initiated what appears to be a mutual conversation — making future deception easier

---

How to Detect a Reply-To Mismatch

Your email client almost certainly hides the Reply-To field by default. Here's how to check it across common platforms:

Gmail: Click the three-dot menu (⋮) next to the Reply button → "Show Original" → Look for the `Reply-To:` header.

Outlook (Desktop): Open the email → File → Properties → Look for "Reply-To" in the Internet Headers panel.

Apple Mail: View → Message → All Headers → Scroll to find "Reply-To".

A legitimate email from a government or corporate sender will usually have no Reply-To header at all, or one whose domain matches the From domain or points to a clearly related department address within the same organisation. When you do check, read the address itself, not the display name in front of it: a display name can be set to look like an official address while the real address sits in the angle brackets after it. The simplest check needs no header view at all: click Reply, then look at the address in the To: field of the draft before you type anything. That field shows where your reply will actually go.

---

What Our Scanner Detected

When this email was submitted to isthisspam.org, our system performed a full analysis:

  • From domain check: `cancilleria.gob.ni` — assessed as low risk. This is a legitimate government domain.
  • Reply-To domain check: `cybergal.com` — assessed as medium risk. The domain is about 30 years old (10,989 days at time of scan) and has been flagged in one open-source intelligence feed.
  • Mismatch detection: Our engine automatically identified the discrepancy between the sender and Reply-To domains and elevated the classification to scam_detected with 0.95 confidence.
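The mismatch check described in this section and in "How to Detect a Reply-To Mismatch" above, as an added example that is not isthisspam.org's scanner code: it parses raw message headers with Python's standard `email` library, works out where a plain "Reply" would actually go (Reply-To if present, otherwise From), and flags any reply domain that is neither the From domain nor a subdomain of it. The three sample messages are constructed for illustration (placeholder local parts, the domains discussed in this post), and the same-organisation test is a deliberately simple heuristic rather than a Public Suffix List lookup. The second sample shows the display-name trick: the Reply-To header is made to look like an official address, but the addr-spec in the angle brackets is where the reply is sent.

```python
"""Reply-To mismatch check over raw RFC 5322 headers.

Added example for this post; not isthisspam.org's scanner code.
The sample messages are constructed for illustration, with placeholder
local parts and the domains discussed in the post.
"""
import email
from email import policy

# Constructed sample modelled on the probe described in the post.
PROBE = b"""From: Press Office <press@cancilleria.gob.ni>
Reply-To: press@cybergal.com
To: someone@example.org
Subject: Test
Date: Sat, 28 Mar 2026 10:00:00 +0000

This is a test.
"""

# Constructed: the Reply-To display name shows the "official" address, but the
# addr-spec in angle brackets is where a reply is actually sent.
DISGUISED = b"""From: Press Office <press@cancilleria.gob.ni>
Reply-To: "press@cancilleria.gob.ni" <press@cybergal.com>
To: someone@example.org
Subject: Test

This is a test.
"""

# Constructed: a legitimate pattern, Reply-To inside the same organisation.
BENIGN = b"""From: Newsletter <no-reply@cancilleria.gob.ni>
Reply-To: prensa@cancilleria.gob.ni
To: someone@example.org
Subject: Boletin

Hola.
"""


def addresses(msg, header):
    """Parsed addresses for every instance of `header`; display names are ignored."""
    found = []
    for value in msg.get_all(header, []):
        # policy.default gives AddressHeader objects whose .addresses are parsed
        # Address values; a value with no addr_spec or domain is malformed, skip it.
        found.extend(a for a in value.addresses if a.addr_spec and a.domain)
    return found


def same_organisation(a, b):
    """Heuristic: identical domains, or one a subdomain of the other.

    A production check would consult the Public Suffix List so that two
    unrelated names under a shared suffix such as gob.ni are not treated as
    related; this simpler rule errs towards flagging.
    """
    a, b = a.lower(), b.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def reply_targets(msg):
    """Where a plain 'Reply' goes: Reply-To if present, otherwise From (RFC 5322, 3.6.2)."""
    return addresses(msg, "Reply-To") or addresses(msg, "From")


def analyze(raw):
    """Parse raw message bytes and report reply domains outside the From domain.

    If From is missing or unparseable, every reply domain counts as foreign.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domains = sorted({a.domain.lower() for a in addresses(msg, "From")})
    targets = [a.addr_spec for a in reply_targets(msg)]
    foreign = sorted({
        t.rsplit("@", 1)[1].lower()
        for t in targets
        if not any(same_organisation(t.rsplit("@", 1)[1], f) for f in from_domains)
    })
    return {
        "from_domains": from_domains,
        "reply_targets": targets,
        "foreign_reply_domains": foreign,
        "mismatch": bool(foreign),
    }


if __name__ == "__main__":
    for label, raw in (("probe", PROBE), ("disguised", DISGUISED), ("benign", BENIGN)):
        result = analyze(raw)
        flag = "MISMATCH" if result["mismatch"] else "ok"
        print(f"{label:9} {flag:8} replies go to {result['reply_targets']}")
```

Run it against a saved `.eml` file by passing the file's bytes to `analyze()`; the `reply_targets` list is the same set of addresses a mail client would put in the To: field of a reply, which is why it is the value worth surfacing to the user alongside the verdict.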

The key phrase in our analysis:

"This is a strong indicator of email hijacking or phishing. The sender is trying to deceive you by making replies go to a different address."

---

Why Old Domains Are Not a Safety Signal

One important takeaway from this case: `cybergal.com` is about three decades old. Many people assume that an older domain is more trustworthy — that scammers only use freshly registered throwaway domains.

This is false.

Established domains are more valuable to sophisticated threat actors precisely because:

  • They carry historical reputation scores that bypass domain-age filters
  • They may have been compromised or sold without the original owner's awareness
  • They are harder to block without also affecting legitimate traffic on the same infrastructure

Always look at the domain behaviour, not just its age.

---

The Bigger Pattern: Low-Signal Probes

The "Test." email is a recognisable format in targeted phishing operations. Security researchers call these low-signal probes — messages designed to verify a target before launching a higher-value attack.

By sending a benign message first, attackers can:

  • Confirm the address is active
  • Test whether the From address is being blocked by recipient filters
  • Establish a conversational thread that makes the next, more manipulative email harder to reject

If you receive an unexplained "test" email from someone you don't recognise, do not reply — even to ask who they are. Forwarding it to isthisspam.org for analysis is the safest first step.

---

What to Do If You've Already Replied

If you've already responded to a suspicious email like this:

1. Do not send any further messages. The goal of the probe was to establish a thread — cutting it off limits the damage.
2. Do not provide any personal, financial, or organisational information in any follow-up, no matter how convincing the next message sounds.
3. Report the email to your email provider as phishing.
4. Flag it in your organisation — if this came to a work account, your IT/security team should know.
5. Scan the sender and Reply-To address at isthisspam.org to get a full assessment.

---

Summary: The Three Signs of a Reply-To Attack

| Signal | What to look for |
|---|---|
| Reply-To mismatch | Reply-To domain differs from the From domain |
| Benign content | No links, no urgency, no obvious ask |
| Authority sender | From address appears official (government, corporate) |

Any combination of these three warrants careful inspection before you respond.

Email is still the most commonly exploited communication channel for fraud — not because people are careless, but because the attacks have evolved far beyond what our instincts and inbox filters were designed to catch.

Paste any suspicious email directly into isthisspam.org — including the full headers if you can — for an instant analysis.
