How Do Scammers Spoof Your Email Address?

We’ve all had questionable emails from miscellaneous folk begging for a wire transfer to Nigeria. Most of us can spot the signs fairly easily, and know when to delete an email straight away. In fact, most of these just automatically go into spam and are subsequently swept away by a solid email service.

But then we get emails from family and friends — or sometimes from our own address! So what’s all that about? Does this mean you (or someone you know) have been compromised? Otherwise, how can scammers do that?

What is Email Spoofing?


This is a process called email spoofing, and it’s pretty simple and widespread.

In most cases, it doesn’t mean your email account has been hacked; instead, someone is faking your email address.

All emails come with details of the recipient and the sender, and the latter can be faked.

If your email address has been forged, but the message can’t be delivered, the email will be returned to the address in the sender field. It might seem a bit odd, but at least you know that someone is faking your address. It could be that your email’s in the public domain anyway (if you’re a business, for instance), making life easier for a questionable sender.

Many of us send ourselves important documents and images through email as a sort of backup. If you don’t have a USB flash drive handy, and if you’re not keen on cloud services, this is a simple way of keeping your vital files accessible wherever you are. Scammers see this as an opportunity: an email from yourself or another contact may sufficiently pique your curiosity and you’ll click on the enclosed link.

You might get a message from a friend… but you may also get a message from a friend of a friend — someone you’ve never met before in your life!

How Does it Work?

All a scammer needs is a Simple Mail Transfer Protocol (SMTP) server — that is, a server that can send emails — and the right mailing equipment. This could simply be Microsoft Office Outlook.

You need to provide a display name, email address, and logon information: basically, username and password. The latter lets you into your own email account, but your display name and displayed email address can actually be whatever you like. Code libraries like PHPMailer streamline the process; you simply have to fill out the “From” field, write your message, and add in the recipient’s address.

We don’t advise you do this, obviously, because it’s often illegal, depending on your jurisdiction.

Most email clients don’t support the practise: they’ll ask you to verify that you can log into the address you’re pretending to send messages from.

There are ways around this, but scammers bypass it using “botnets” (a system of infected computers, typically with weak firewalls, acting generally without the users’ knowledge to forward viruses, spam, and worms to other devices) as mail servers.

This is the added twist when one machine is compromised: it then scours an address book, and sends viruses to contacts while claiming to be from a friend of the infected computer’s user. This might be someone you don’t even know, but their name is being used because you have a mutual contact.

That could mean you’ll get some angry emails from strangers claiming you’ve sent them a virus.

It’s in an effort to get personal information about you, most notably through malware installed on your computer or device through subterfuge, like a Trojan horse which purports to be useful computer software while hoovering up your data.

What You Can Do


If there’s a link in the email, definitely don’t click on it unless you know it’s genuine. Similarly, don’t download any attachments.

Read up on spotting a fake email, and don’t ignore basic practices if the email’s supposedly from someone you know. We tend to be immediately sceptical of email from our own address because you’d probably remember sending it in the first place!

Then again, you know these people. That should give you an advantage. You know if they’re likely to send a link on its own with no other text around it; whether their messages are long and rambling; or whether they always making spelling mistakes.

Check through previous emails: do they have a signature that comes through on all their messages? Do they normally send emails via their phone, and so have “Sent from my iPhone”, for example, at the bottom?

If you’re still not sure, simply ask the supposed sender.

If the message claims to be from you, check your Sent folder. If it’s there, but you still don’t remember sending it, your account has likely been compromised. (Equally, if you look on, say, Gmail, you can see “Last Account Activity”, which might give you an indication about whether someone else is logging into your account.) You must change your password straight away. Check out these tips for creating a stronger password.

Unfortunately, there’s very little you can do about spoofing.

If you get a message from an irate stranger, explain that this isn’t your fault; you could then try to isolate which contact you’ve got in common so you can alert them that their system has been compromised. That’s a bit of a needle in a haystack, however…

Have You Been Spoofed?

That’s the frustrating thing: there’s so little you can actually do about email spoofing, apart from become more savvy about spam.

But you need not feel entirely useless. The Internet Protocol (IP) address is a handy thing. You can trace the origin of email by learning to open headers and finding the IP address, and further how you can trace that to a PC.

What further tips do you have? Have you ever been spoofed? Have you ever had to calm down a frustrated stranger? Let us know below.

Image Credits: Spam by Luca Conti; and Go Firefox, Go! by rick.

Leave a Reply

Your email address will not be published. Required fields are marked *