How Do Scammers Spoof Your Email Address?
Pinterest Whatsapp

We’ve all had questionable emails from miscellaneous folk begging for a wire transfer to Nigeria. Most of us can spot the signs fairly easily, and know when to delete an email straight away. In fact, most of these just automatically go into spam and are subsequently swept away by a solid email service.

But then we get emails from family and friends — or sometimes from our own address! So what’s all that about? Does this mean you (or someone you know) have been compromised? Otherwise, how can scammers do that?

What is Email Spoofing?


This is a process called email spoofing, and it’s pretty simple and widespread.

In most cases, it doesn’t mean your email account has been hacked; instead, someone is faking your email address.

All emails come with details of the recipient and the sender, and the latter can be faked.

If your email address has been forged, but the message can’t be delivered, the email will be returned to the address in the sender field. It might seem a bit odd, but at least you know that someone is faking your address. It could be that your email’s in the public domain anyway (if you’re a business, for instance), making life easier for a questionable sender.

Many of us send ourselves important documents and images through email as a sort of backup. If you don’t have a USB flash drive Are USB Flash Drives Still Worth It In 2015? Are USB Flash Drives Still Worth It In 2015? USB flash drives are great for storage, but they have so many other uses. Here's how they're worth their weight in gold. Read More handy, and if you’re not keen on cloud services How Does Cloud Computing Work? [Technology Explained] How Does Cloud Computing Work? [Technology Explained] Read More , this is a simple way of keeping your vital files accessible wherever you are. Scammers see this as an opportunity: an email from yourself or another contact may sufficiently pique your curiosity and you’ll click on the enclosed link.

You might get a message from a friend… but you may also get a message from a friend of a friend — someone you’ve never met before in your life!

How Does it Work?

All a scammer needs is a Simple Mail Transfer Protocol (SMTP) server Test SMTP: Test Your SMTP Server Online Test SMTP: Test Your SMTP Server Online Read More — that is, a server that can send emails — and the right mailing equipment. This could simply be Microsoft Office Outlook.

You need to provide a display name, email address, and logon information: basically, username and password. The latter lets you into your own email account, but your display name and displayed email address can actually be whatever you like. Code libraries like PHPMailer streamline the process; you simply have to fill out the “From” field, write your message, and add in the recipient’s address.

We don’t advise you do this, obviously, because it’s often illegal, depending on your jurisdiction.

Most email clients don’t support the practise: they’ll ask you to verify that you can log into the address you’re pretending to send messages from.

There are ways around this, but scammers bypass it using “botnets” Is Your PC A Zombie? And What's a Zombie Computer, Anyway? [MakeUseOf Explains] Is Your PC A Zombie? And What's a Zombie Computer, Anyway? [MakeUseOf Explains] Have you ever wondered where all of the Internet spam comes from? You probably receive hundreds of spam-filtered junk emails every day. Does that mean there are hundreds and thousands of people out there, sitting... Read More (a system of infected computers, typically with weak firewalls, acting generally without the users’ knowledge to forward viruses, spam, and worms to other devices) as mail servers How Does An Email Server Work? [Technology Explained] How Does An Email Server Work? [Technology Explained] Behind each email is a powerful engine called the email server which pushes the emails through the internet. Read More .

This is the added twist when one machine is compromised: it then scours an address book, and sends viruses to contacts while claiming to be from a friend of the infected computer’s user. This might be someone you don’t even know, but their name is being used because you have a mutual contact.

That could mean you’ll get some angry emails from strangers claiming you’ve sent them a virus.

It’s in an effort to get personal information about you, most notably through malware installed on your computer or device through subterfuge, like a Trojan horse which purports to be useful computer software while hoovering up your data.

What You Can Do


If there’s a link in the email, definitely don’t click on it unless you know it’s genuine. Similarly, don’t download any attachments.

Read up on spotting a fake email 5 Examples To Help You Spot A Fraud Or Fake Email 5 Examples To Help You Spot A Fraud Or Fake Email The shift from spam to phishing attacks is noticeable, and is on the rise. If there's a single mantra to keep in mind, it's this -- the number one defense against phishing is awareness. Read More , and don’t ignore basic practices 7 Important Email Security Tips You Should Know About 7 Important Email Security Tips You Should Know About Internet security is a topic that we all know to be important, but it often sits way back in the recesses of our minds, fooling ourselves into believing that "it won’t happen to me". Whether... Read More if the email’s supposedly from someone you know. We tend to be immediately sceptical of email from our own address because you’d probably remember sending it in the first place!

Then again, you know these people. That should give you an advantage. You know if they’re likely to send a link on its own with no other text around it; whether their messages are long and rambling; or whether they always making spelling mistakes.

Check through previous emails: do they have a signature that comes through on all their messages? Do they normally send emails via their phone, and so have “Sent from my iPhone”, for example, at the bottom?

If you’re still not sure, simply ask the supposed sender.

If the message claims to be from you, check your Sent folder. If it’s there, but you still don’t remember sending it, your account has likely been compromised. (Equally, if you look on, say, Gmail, you can see “Last Account Activity”, which might give you an indication about whether someone else is logging into your account.) You must change your password straight away. Check out these tips for creating a stronger password 7 Ways To Make Up Passwords That Are Both Secure & Memorable 7 Ways To Make Up Passwords That Are Both Secure & Memorable Having a different password for each service is a must in today's online world, but there's a terrible weakness to randomly generated passwords: it's impossible to remember them all. But how can you possibly remember... Read More .

Unfortunately, there’s very little you can do about spoofing.

If you get a message from an irate stranger, explain that this isn’t your fault; you could then try to isolate which contact you’ve got in common so you can alert them that their system has been compromised. That’s a bit of a needle in a haystack, however…

Have You Been Spoofed?

That’s the frustrating thing: there’s so little you can actually do about email spoofing, apart from become more savvy about spam.

But you need not feel entirely useless. The Internet Protocol (IP) address How The Internet Works [Technology Explained] How The Internet Works [Technology Explained] Read More is a handy thing. You can trace the origin of email by learning to open headers and finding the IP address How To Trace Your Emails Back To The Source How To Trace Your Emails Back To The Source Read More , and further how you can trace that to a PC How to Trace an IP Address to a PC & How to Find Your Own How to Trace an IP Address to a PC & How to Find Your Own Want to see the IP address of your computer? Perhaps you want to discover where another computer is situated? Various free tools are available that tell you more about a computer an its IP address. Read More .

What further tips do you have? Have you ever been spoofed? Have you ever had to calm down a frustrated stranger? Let us know below.

Image Credits: Spam by Luca Conti; and Go Firefox, Go! by rick.

Explore more about: Computer Security, Email Tips, Spam.

Enjoyed this article? Stay informed by joining our newsletter!

Enter your Email

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Stuart
    August 1, 2017 at 6:36 pm

    One question I can't seem to find the answer to on the internet, is why are people 'allowed' or able to change the sender address to appear as if it's from someone else?

    What are the non-scam benefits of being able to do this?

    And why don't the companies who 'control' this, prevent people from doing this to remove this type of spoofing?


  2. Anonymous
    April 28, 2016 at 12:38 am



    • Philip Bates
      April 28, 2016 at 6:08 pm

      Thanks for alerting me. I've deleted that comment.

      • Anonymous
        April 29, 2016 at 3:25 am


        3 Things:

        A - My First Comment Is Not Yet Been Approved,

        B - That Site Was OK,

        C - It Was GOOGLE Fault, They Have A Bug On Their Search Engine.

        Regarding ( B ) - If You Enter That Site Directly The Site Is OK, But,

        Regarding ( C ) - If You Search The Site Through GOOGLE The Corresponding Link Redirects To A Porn Site.

        My Apologies - I Only Realized It Was GOOGLE Fault After I Made My Comment - An Edit Feature After Posting Would Be Nice.

        Thank You For Responding.

  3. Anonymous
    April 28, 2016 at 12:33 am

    Email Companies Just Do Not Care.

    Example Following:

    A - If I Have An Account As X@AOL.COM, And,

    B - If I Receive An Email Directed To ( A ) From Supposedly ( A ), AOL Should Not Even Let That Email Proceed, Because They Have The Means To Know That Email Was Not Sent From Me To Me, Period.


  4. Anonymous
    April 26, 2016 at 6:00 pm

    I send out a monthly newsletter to my customers and have been spoofed by the same account on three occasions.

    It's really annoying.

    I have sent an email to them letting them know they my have been hacked and to ask them to look into it, but alas, it keeps happening.

    Luckily, my customers have blocked this person and to my knowledge they no longer receive these fake emails.

    I wish there was more I could do to stop it from happening but until the actual owner sorts it out, i guess 'm stuck.

    • Philip Bates
      April 28, 2016 at 6:10 pm

      That's the worst thing about email spoofing: it's SO frustrating, but there's so little you can do about it right now. Many email providers are getting smarter concerning it, but nothing's foolproof.