Why Am I Getting Spam From My Own Email Address?


Have you ever opened an email only to find it’s spam or blackmail that seemed to come from your own email address? You’re not alone. Faking email addresses is called spoofing and, unfortunately, there’s little you can do about it.

How Spammers Spoof Your Email Address


Spoofing is the act of forging an email address to make it appear to be from someone other than the person who sent it. Spoofing is often used to make you believe that an email is from someone you know or a company you work with, such as a bank or other financial service.

Unfortunately, spoofing an email address is incredibly easy. Email systems often have no security check in place to ensure that the address you enter in the “From” field actually belongs to you. It’s a lot like an envelope you put in the mail: you can write whatever you want as the return address if you don’t mind that the post office can’t return the letter to you. The post office also has no way of knowing whether you actually live at the return address you wrote on the envelope.

Email spoofing works in a similar way. Some online services, such as Outlook.com, pay attention to the sender’s address when you send an email and can prevent you from sending one with a spoofed address. However, some tools let you fill in whatever you want; it’s as easy as running your own email (SMTP) server. All a scammer needs is your address, which they can probably buy from one of the many data leaks.

Why Do Scammers Spoof Your Address?

Scammers send you emails that appear to be from your own address for one of two reasons, usually. The first is the hope of bypassing your spam protection. If you email yourself, you’re probably trying to remember something important, and you don’t want that message labeled as spam. So scammers hope that by using your address, your spam filter won’t notice and their message will get through. There are tools to identify an email sent from a domain other than the one it claims to be from, but your email provider must implement them, and unfortunately many don’t.


The second reason scammers spoof your email address is to gain a sense of legitimacy. It’s not uncommon for a spoofed email to claim that your account is compromised: the fact that “you sent this email yourself” serves as proof of the “hacker’s” access. They may also include a password or phone number pulled from a breached database as additional evidence.

Usually, the scammer claims to have compromising information about you or images taken with your webcam. They then threaten to release the data to your closest contacts unless you pay a ransom. It sounds believable at first; after all, they seem to have access to your email account. But that’s the point: the scammer is fabricating evidence.

Related: What Is Typosquatting and How Do Scammers Use It?

What Email Services Are Doing to Combat the Problem


This email appeared to come from our personal address, but a look at the headers reveals it is a simple address-substitution trick.

The fact that anyone can fake a return email address so easily is not a new problem. And email providers don’t want to annoy you with spam, so tools were developed to combat the issue.

The first was the Sender Policy Framework (SPF), and it works on a few basic principles. Every email domain comes with a set of Domain Name System (DNS) records, which are used to direct traffic to the correct hosting server or computer. An SPF record is one of those DNS records. When you send an email, the receiving service checks the domain of the sender address (@gmail.com, say) against your source IP and that domain’s SPF record to make sure they match. If you send an email from a Gmail address, that email must also show that it originated from a Gmail-controlled server.


Unfortunately, SPF alone doesn’t solve the problem. Someone needs to maintain the SPF records correctly on each domain, which doesn’t always happen. It’s also easy for scammers to work around it. When you receive an email, you may only see a name instead of an email address. Spammers put one email address in the display name and a different one as the actual sending address, one that matches an SPF record. So you won’t see it as spam, and neither will SPF.

Companies must also decide what to do with the SPF results. More often than not, they are content to let emails through rather than risk the system failing to deliver a critical message. SPF doesn’t have a set of rules about what to do with the information; it simply provides the result of a check.

To address these issues, Microsoft, Google, and others introduced Domain-based Message Authentication, Reporting, and Conformance (DMARC). It works with SPF to create rules about what to do with emails flagged as potential spam. DMARC first checks the SPF result. If that fails, it stops the message from being delivered, unless an administrator configures otherwise. Even if SPF passes, DMARC checks that the domain in the email address shown in the “From:” field matches the domain the email was authenticated for (this is called alignment).
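The following is an added example, not code from the original article or from any mail provider, showing how a receiving mail server applies the checks described above: SPF is evaluated for the envelope sender domain against the connecting IP, DMARC then requires the “From:” domain to align with the SPF-authenticated domain and applies the published policy, and a separate heuristic flags the display-name trick where an email address is shown as the name while the real address lives at another domain. DNS lookups are replaced by a constructed in-memory table (the domains, addresses and IPs are reserved example values), only the ip4/ip6/all SPF mechanisms are implemented, and the organizational-domain approximation for relaxed alignment is a simplification; all of these are assumptions of the example.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups (assumption: a real verifier
# queries DNS; all domains and addresses here are reserved example values).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=r",
    "bulk-sender.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_dmarc.bulk-sender.test": "v=DMARC1; p=none",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def domain_of(address):
    """Lower-cased domain part of an email address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_spf(mail_from_domain, source_ip):
    """Evaluate the ip4/ip6/all subset of SPF for the envelope sender domain."""
    record = DNS_TXT.get(mail_from_domain, "")
    if not record.startswith("v=spf1"):
        return "none"  # the domain publishes no SPF policy
    ip = ipaddress.ip_address(source_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER_RESULT[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
    return "neutral"  # record exhausted without any term matching


def dmarc_record(from_domain):
    """Parse the _dmarc TXT record into a tag dict, or None if not published."""
    record = DNS_TXT.get("_dmarc." + from_domain, "")
    if not record.startswith("v=DMARC1"):
        return None
    return dict(tag.strip().split("=", 1) for tag in record.split(";") if "=" in tag)


def org_domain(domain):
    """Toy organizational-domain approximation: the last two labels."""
    return ".".join(domain.split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(raw_message, mail_from, source_ip):
    """Run SPF, DMARC alignment/policy and the display-name check on one message."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    mail_from_domain = domain_of(mail_from)
    spf = check_spf(mail_from_domain, source_ip)
    result = {
        "spf": spf,
        "from_domain": from_domain,
        "mail_from_domain": mail_from_domain,
        # An address used as the display name while the real From address
        # sits at a different domain is the trick the article describes.
        "display_name_is_address": "@" in display_name
        and domain_of(display_name) != from_domain,
    }
    policy = dmarc_record(from_domain)
    if policy is None:
        result.update(dmarc="none", action="deliver")  # no DMARC policy to enforce
        return result
    spf_aligned = spf == "pass" and aligned(from_domain, mail_from_domain, policy.get("aspf", "r"))
    result["dmarc"] = "pass" if spf_aligned else "fail"
    if spf_aligned:
        result["action"] = "deliver"
    else:
        result["action"] = {"reject": "reject", "quarantine": "quarantine"}.get(
            policy.get("p", "none"), "deliver")
    return result


# Constructed sample messages, not real mail.
SELF_ADDRESSED = "From: you@example.com\nTo: you@example.com\nSubject: Your account\n\nPay up.\n"
DISPLAY_NAME_TRICK = ('From: "you@example.com" <noreply@bulk-sender.test>\n'
                      "To: you@example.com\nSubject: Your account\n\nPay up.\n")

if __name__ == "__main__":
    print("spoofed self-mail:", evaluate(SELF_ADDRESSED, "you@example.com", "203.0.113.7"))
    print("genuine self-mail:", evaluate(SELF_ADDRESSED, "you@example.com", "192.0.2.10"))
    print("SPF pass, unaligned:", evaluate(SELF_ADDRESSED, "bounce@bulk-sender.test", "198.51.100.5"))
    print("display-name trick:", evaluate(DISPLAY_NAME_TRICK, "bounce@bulk-sender.test", "198.51.100.5"))
```

The four cases in the usage block map onto the article’s points: the spoofed self-mail fails SPF and is rejected by the example.com policy; the genuine one passes; a message that passes SPF for bulk-sender.test but shows an example.com “From:” fails alignment and is still rejected, which is what SPF alone could not catch; and the display-name trick passes both SPF and DMARC cleanly, so only the extra display-name heuristic flags it. Real verifiers also consult DKIM for alignment and use the public suffix list for organizational domains, neither of which this example models.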

Unfortunately, even with support from Microsoft, Facebook, and Google, DMARC is still not widely used. If you have an Outlook.com or Gmail.com address, you will likely benefit from DMARC. However, as of the end of 2017, only 39 of the Fortune 500 companies had implemented the validation service.


What You Can Do About Self-Directed Spam


The email at the top appeared to come from our personal email address; thankfully, it went straight to Junk.

Unfortunately, there’s no way to prevent spammers from spoofing your address. Hopefully, the email system you use implements both SPF and DMARC, so you won’t see these targeted emails; they should go straight to spam. If your email account gives you control of its spam options, you can make them stricter. Just be aware that you might lose some legitimate messages too, so be sure to check your spam folder often.

If you receive a spoofed message from yourself, ignore it. Don’t click any attachments or links, and don’t pay any demanded ransom. Simply mark it as spam or phishing, or delete it. If you’re afraid your accounts have been compromised, lock them down. If you reuse passwords, reset them on each service that shares the current one, and give each a new, unique password. If you don’t trust your memory with that many passwords, we recommend using a password manager.

If you’re concerned about receiving spoofed emails from your contacts, it might also be worth learning how to read email headers.
