Have you ever opened an email only to find it’s spam or blackmail that seemed to come from your own email address? You’re not alone. Faking email addresses is called spoofing and, unfortunately, there’s little you can do about it.
Spoofing is the act of forging an email address, so it appears to be from someone other than the person who sent it. Often, spoofing is used to trick you into thinking an email came from someone you know, or a business you work with, like a bank or other financial service.
Unfortunately, email spoofing is incredibly easy. Email systems often don’t have a security check in place to ensure the email address you type in the “From” field truly belongs to you. It’s a lot like an envelope you put in the mail. You can write anything you want in the return address spot if you don’t care that the post office won’t be able to return the letter to you. The post office also has no way of knowing whether you really live at the return address you wrote on the envelope.
Email forging works similarly. Some online services, like Outlook.com, do pay attention to the From address when you send an email and might prevent you from sending one with a forged address. However, some tools let you fill in anything you want. It’s as easy as creating your own email (SMTP) server. All a scammer needs is your address, which they can likely buy from one of many data breaches.
Scammers send you emails that appear to come from your own address, generally for one of two reasons. The first is in the hope of bypassing your spam protection. If you send yourself an email, you’re likely trying to remember something important and wouldn’t want that message labeled as Spam. So, scammers hope that by using your address, your spam filters won’t notice, and their message will go through. Tools do exist to identify an email sent from a domain other than the one it claims to be from, but your email provider must implement them—and, unfortunately, many don’t.
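The checks the article alludes to are SPF, DKIM and DMARC; a receiving mail server records their outcome in an Authentication-Results header. As an added example that is not part of the original article, the Python script below reads a message and reports why it should be distrusted: the From header matches the recipient's own address, the envelope sender domain disagrees with the From domain, and the authentication checks failed (or were never run). The sample message and the domains example.org and example.net are constructed for the demo.

```python
import re
from email import message_from_bytes
from email.utils import parseaddr

# Constructed sample (not from any real mailbox): the message claims to be
# from the recipient's own address, but the envelope sender (Return-Path)
# and the receiving server's Authentication-Results say otherwise.
SAMPLE = b"""\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=example.org
From: Alice <alice@example.org>
To: Alice <alice@example.org>
Subject: Your account has been compromised

Pay up or the video goes to your contacts.
"""

def domain_of(header_value):
    """Lowercased domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def auth_results(msg):
    """Collect method=result pairs (spf, dkim, dmarc) from Authentication-Results."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            results[method.lower()] = verdict.lower()
    return results

def assess(raw, own_address):
    """Return (verdict, reasons) for a raw message; verdict is
    'unverified' (provider ran no checks), 'failed' or 'passed'."""
    msg = message_from_bytes(raw)
    reasons = []
    from_addr = parseaddr(msg["From"] or "")[1].lower()
    from_domain = from_addr.rpartition("@")[2]
    if from_addr == own_address.lower():
        reasons.append("From header is your own address")
    bounce_domain = domain_of(msg["Return-Path"])
    if bounce_domain and bounce_domain != from_domain:
        reasons.append(f"envelope sender domain {bounce_domain!r} != From domain {from_domain!r}")
    auth = auth_results(msg)
    if not auth:  # provider did not implement the checks the article mentions
        reasons.append("no Authentication-Results header: sender was never verified")
        return "unverified", reasons
    failed = [m for m in ("spf", "dkim", "dmarc") if auth.get(m) == "fail"]
    reasons.extend(f"{m} failed" for m in failed)
    return ("failed" if failed else "passed"), reasons
```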
The second reason scammers spoof your email address is to gain a sense of legitimacy. It’s not uncommon for a spoofed email to claim your account is compromised. That “you sent yourself this email” serves as proof of the “hacker’s” access. They might also include a password or phone number pulled from a breached database as further proof.
The scammer usually then claims to have compromising information about you or pictures taken from your webcam. They then threaten to release the data to your closest contacts unless you pay a ransom. It sounds believable at first; after all, they seem to have access to your email account. But that’s the point—the scam artist is faking evidence.