Thread Jacking: Spot the Scam Before It Costs You

Picture this… You’re wrapping up your Friday afternoon, your inbox finally hit zero, you’re focused on starting the weekend, and that’s when a new email pops up. The subject line is one you recognize because it’s the same invoice thread you’ve been handling all week long. No big deal.

The body looks normal, too: polite, professional, has the right details. But this time, the vendor says there’s been a change in the payment instructions.

You forward it to accounting, shut your laptop, and breathe a sigh of relief.

Fast forward a week: the vendor calls wondering why they haven’t been paid for their products or services. What do you mean the payment went to the wrong place? And just like that, you realize that your inbox must have been hijacked. It’s one of those scams that feels invisible until it happens to you.

What Exactly Is Thread Jacking?

Thread jacking is when a cybercriminal inserts themselves into a real email conversation you’re already having. Instead of sending a random phishing email with typos and bad logos, they slide right into the conversation you already trust. That’s what makes it so sneaky.

The attacker’s end goal? Usually, it’s money: getting you to send a payment to the wrong place, hand over your sensitive data, or approve something that shouldn’t be approved.

How Do Thread Jackers Even Get In?

Attackers have a few common tricks that feel obvious to them but like witchcraft to you:

  • Compromised accounts. If your vendor’s email gets hacked, criminals can read every message, then reply as if they’re that vendor.

  • Lookalike addresses. Ever notice how easy it is to miss one letter in an email address? @compaany.com instead of @company.com is enough to fool a tired eye.

  • Forwarding rules. Sometimes they sneak into accounts and set up rules, so they quietly receive copies of your conversations in real time.

By the time the fake request shows up, the attacker has all of the context. They have the amounts, the names, and the deadlines needed to make their email look completely legitimate.

What makes these tactics work so well is a classic social engineering trick called pretexting. Pretexting is when someone creates a believable story to get you to take action you normally wouldn’t, like a caller pretending to be your bank or an email that looks like it’s from your CEO asking for a wire transfer.

Thread jacking is just pretexting with a shortcut. Instead of inventing a fake story, the attacker borrows one that already exists in your inbox. When you see “Please note updated payment instructions” inside a thread you’ve been working on all week, your brain doesn’t go to “This is fraud.” It goes to “This is business.” And that’s what makes it so convincing.

“But, I would never fall for that!”

If you’ve ever thought, “I’d never fall for that,” or “I am way too observant for that to happen to me,” here’s the truth: thread jacking works because it plays on trust, not gullibility. When you’re busy, and the thread looks right, and the details line up, your brain doesn’t hit the brakes. You think, “This is normal.” That’s not foolish. That’s human. And it’s why education is more powerful than blame when it comes to protecting your team.

Warning Signs That Something’s Off

Here are a few red flags to watch out for so you can spot thread jacking before it happens:

  1. Tone shift. Does the email sound a little different than usual?

  2. Unusual urgency. Are they pushing for payment right this minute?

  3. Changed payment instructions. Especially if you weren’t expecting them.

  4. Odd email address. One letter off, or from a slightly different domain.

  5. Attachments that don’t make sense. Even in a familiar thread, this should raise eyebrows.

If you get that “something feels weird” moment, pause. That gut check is often the first and best line of defense.

How to Protect Your Organization

At first glance, thread jacking might sound like just another cyber buzzword, but here is why it matters to you. When payments are misdirected or sensitive data is stolen, it is not only about losing money. It can strain relationships with your vendors, weaken the trust of your clients or donors, and force your team to spend valuable time cleaning up instead of focusing on your mission. For small businesses, nonprofits, and local governments, even one incident can create ripple effects that last for months. Awareness is not optional. It is protection for your reputation, your budget, and the people you serve.

The good news: you don’t need to overhaul everything to make yourself less of a target. Small, consistent steps go a long way.

Slow Down on Payments

  • Never act on changed payment details without confirming them.

  • Call your vendor on a number you already know (not the one in the email).

  • Require a second set of eyes before sending large payments.

Strengthen Your Email Security

  • Turn on multifactor authentication (MFA) everywhere.

  • Watch for unusual forwarding rules.

  • Use email security tools that can flag suspicious replies.
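
As an added illustration (not code from this post or from any particular product), here is a small Python sketch of the kind of check such a tool can run: it follows In-Reply-To headers through a thread and flags a reply whose sender domain is a near miss of a domain already in that conversation. The sample messages are constructed, and the sketch assumes the first message in a thread is legitimate and that messages are processed in arrival order.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample thread (not real mail): vendor, our reply, then a lookalike reply.
THREAD = [
    "From: Billing <billing@company.com>\nMessage-ID: <1@company.com>\n"
    "Subject: Invoice 1042\n\nInvoice attached.",
    "From: AP <ap@ourorg.example>\nMessage-ID: <2@ourorg.example>\n"
    "In-Reply-To: <1@company.com>\nSubject: Re: Invoice 1042\n\nReceived, thanks.",
    "From: Billing <billing@compaany.com>\nMessage-ID: <3@compaany.com>\n"
    "In-Reply-To: <2@ourorg.example>\nSubject: Re: Invoice 1042\n\n"
    "Please note updated payment instructions.",
]

def sender_domain(msg):
    """Lower-cased domain of the From address."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def flag_lookalike_replies(raw_messages, max_distance=2):
    """Return (message_id, sender_domain, imitated_domain) for suspicious replies."""
    thread_domains = {}  # Message-ID -> domains already trusted in that thread
    findings = []
    for raw in raw_messages:  # messages must be in arrival order
        msg = message_from_string(raw)
        msg_id = (msg.get("Message-ID") or "").strip()
        parent = (msg.get("In-Reply-To") or "").strip()
        known = thread_domains.get(parent, set())
        dom = sender_domain(msg)
        hits = [t for t in sorted(known)
                if t != dom and edit_distance(dom, t) <= max_distance]
        findings += [(msg_id, dom, t) for t in hits]
        # A flagged domain is never added to the thread's trusted set.
        thread_domains[msg_id] = known if hits else known | {dom}
    return findings

if __name__ == "__main__":
    for msg_id, dom, imitated in flag_lookalike_replies(THREAD):
        print(f"{msg_id}: {dom} looks like {imitated}, verify by phone before paying")
```

A check like this only covers lookalike addresses. A reply sent from a genuinely compromised vendor account comes from the real domain, which is why the phone call on a known number still matters.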

Teach and Talk About It

  • Share stories like this with your staff.

  • Normalize asking questions — no one should feel embarrassed about double-checking.

  • Remind people: it’s better to make one phone call than lose thousands of dollars.

Plan for the “What If”

If you suspect you’ve been thread-jacked:

  • Stop the payment immediately if you can.

  • Contact the vendor directly.

  • Alert your IT provider or MSP.

  • File a report with IC3 if funds are lost.

The Human Side of Cybersecurity

Thread jacking isn’t just about technology. It’s about people. Busy people, juggling multiple responsibilities, who are trying to do their jobs well. So, what is the best approach you can take for your team? Clear education, calm reminders, and building habits that make everyone feel comfortable slowing down when something doesn’t look right. At Keystone, we tell our clients all the time: the best security tool you have is a culture where people feel safe to say, “Let’s verify that before we act.”
