← Back to blog
2026-04-245 min read

How Email Bomb Attacks Are Used to Commit Financial Fraud

A registration bomb is rarely the real attack. It's the smoke. While your inbox is buried under 200,000 emails, a fraudulent bank transfer is being authorised. The confirmation email is somewhere in the flood.

The oldest trick in the book

Distraction is a fundamental technique in fraud. A pickpocket works in a crowd. A con artist creates urgency. And a modern email fraudster buries your inbox under hundreds of thousands of emails, then makes a move while you're drowning in noise. Registration bomb attacks are almost never the primary crime. They're the cover.

What the attacker is actually doing

While your inbox is paralysed, the attacker is doing one of a few things. In financial fraud cases, the most common scenario is a fraudulent bank transfer. The attacker has already compromised your account or is posing as a supplier. When they initiate a transfer, the confirmation email lands somewhere in the flood. It never gets read. The transfer goes through. By the time you find the email, the money is long gone.

Account takeover follows the same pattern

The flood is also used to hide password reset emails. If an attacker has access to your email address, they can trigger resets on high-value accounts (banking, payroll, e-commerce) and the reset confirmation gets buried in the noise. You never see it. The attacker does. By the time your inbox is clear, the accounts are already theirs.

Why the timing isn't accidental

Registration bomb attacks don't happen at 3am. They happen during business hours, when staff are actively using email and most likely to be overwhelmed rather than suspicious. The attacker wants chaos, not silence. A person buried under thousands of emails is far more likely to miss a critical one than a person who sees nothing at all.

The defence that actually works

Because the attack is designed to overwhelm a human, the defence has to be automated. MX Moat detects the burst pattern at the network level and quarantines the flood before it reaches your inbox, typically within 3-5 minutes of the attack starting. That window is the difference between catching the fraud in time and not.

Frequently Asked Questions

How do I know if a registration bomb was used in a fraud against me?

Look for unusual account activity or financial transactions on the same day your inbox was flooded. If you find anything, report it to your bank immediately. The bomb is designed to bury the evidence. Dig through it systematically, starting with the time the flood began.

Does this only happen to individuals?

No. Corporate accounts are a primary target. A business email address is often linked to banking, payroll, and supplier relationships: all high-value targets. Finance and accounts payable teams are especially at risk.

Can I set up email filtering rules to handle this myself?

Filtering rules only help after the flood has reached your inbox. By then, the critical emails are already buried. The only effective approach is to stop the flood upstream, before it arrives.

Have a question about protecting your domain?

Get in Touch →

Don't Wait for the Attack

Registration bombs don't send warnings. By the time you notice, 100,000 emails are already in your inbox. Protect your domain now.

Protect Your Domain →
🇪🇺 EU-hosted · GDPR compliant · Works with any email provider · Setup in 5 minutes