How Spammers Spoof Your Email Address
Spoofing is the act of forging an email address, so it appears to be from someone other than the person who sent it. Often, spoofing is used to trick you into thinking an email came from someone you know, or a business you work with, like a bank or other financial service.
Unfortunately, email spoofing is incredibly easy. Email systems often don’t have a security check in place to ensure the email address you type in the “From” field truly belongs to you. It’s a lot like an envelope you put in the mail. You can write anything you want in the return address spot if you don’t care that the post office won’t be able to return the letter to you. The post office also has no way of knowing whether you really live at the return address you wrote on the envelope.
Email forging works similarly. Some online services, like Outlook.com, do pay attention to the From address when you send an email and might prevent you from sending one with a forged address. However, some tools let you fill in anything you want. It’s as easy as creating your own email (SMTP) server. All a scammer needs is your address, which they can likely buy from one of many data breaches.
Why Do Scammers Spoof Your Address?
Scammers send you emails that appear to come from your address for one of two reasons, generally. The first is in the hopes they will bypass your spam protection. If you send yourself an email, you’re likely trying to remember something important and wouldn’t want that message labeled as Spam. So, scammers hope that by using your address, your spam filters won’t notice, and their message will go through. Tools do exist to identify an email sent from a domain other than the one it claims to be from, but your email provider must implement them—and, unfortunately, many don’t.
The second reason scammers spoof your email address is to gain a sense of legitimacy. It’s not uncommon for a spoofed email to claim your account is compromised. That “you sent yourself this email” serves as proof of the “hacker’s” access. They might also include a password or phone number pulled from a breached database as further proof.
The scammer usually then claims to have compromising information about you or pictures taken from your webcam. He then threatens to release the data to your closest contacts unless you pay a ransom. It sounds believable at first; after all, they seem to have access to your email account. But that’s the point—the scam artist is faking evidence.
RELATED: What is Typosquatting and How Do Scammers Use it?
What Email Services Do to Combat the Problem
The fact that anyone can fake a return email address so easily is not a new problem. And email providers don’t want to annoy you with spam, so tools were developed to combat the issue.
The first was the Sender Policy Framework (SPF), and it works with some basic principles. Every email domain comes with a set of Domain Name System (DNS) records, which are used to direct traffic to the correct hosting server or computer. An SPF record works with the DNS record. When you send an email, the receiving service compares your provided domain address (@gmail.com) with your origin IP and the SPF record to make sure they match. If you send an email from a Gmail address, that email should also show that it originated from a Gmail-controlled device.
Unfortunately, SPF alone doesn’t solve the problem. Someone needs to maintain SPF records properly at each domain, which doesn’t always happen. It’s also easy for scammers to work around this problem. When you receive an email, you might only see a name instead of an email address. Spammers fill in one email address for the actual name and another for the sending address that matches an SPF record. So, you won’t see it as spam and neither will SPF.
Companies must also decide what to do with SPF results. Most often, they settle for letting emails through rather than risking the system not delivering a critical message. SPF doesn’t have a set of rules regarding what to do with the information; it just provides the results of a check.
To address these issues, Microsoft, Google, and others introduced the Domain-based Message Authentication, Reporting, and Conformance (DMARC) validation system. It works with SPF to create rules for what to do with emails flagged as potential spam. DMARC first checks the SPF scan. If that fails, it stops the message from going through, unless it’s configured otherwise by an administrator. Even if an SPF passes, DMARC checks that the email address shown in the “From:” field matches the domain the email came from (this is called alignment).
Unfortunately, even with backing from Microsoft, Facebook, and Google, DMARC still isn’t widely used. If you have an Outlook.com or Gmail.com address, you’re likely benefitting from DMARC. However, by late 2017, only 39 of the Fortune 500 companies had implemented the validation service.
What You Can Do About Self-Addressed Spam
Unfortunately, there’s no way to prevent spammers from spoofing your address. Hopefully, the email system you use implements both SPF and DMARC, and you won’t see these targeted emails. They should go straight to spam. If your email account gives you control of its spam options, you can make them more strict. Just be aware you might lose some legitimate messages, too, so be sure to check your spam box often.
If you do get a spoofed message from yourself, ignore it. Don’t click any attachments or links and don’t pay any demanded ransoms. Just mark it as spam or phishing, or delete it. If you’re afraid your accounts have been compromised, lock them down for safety. If you reuse passwords, reset them on every service that shares the current one, and give each a new, unique password. If you don’t trust your memory with so many passwords, we recommend using a password manager.
If you’re worried about receiving spoofed emails from your contacts, it might also be worth your time to learn how to read email headers.