What can you do if someone is using your personal email address? If your family and friends get suspicious messages from your address, you might think you've been hacked. Similarly, if you get spam from someone you know, has their system been compromised?

This is a process called email spoofing. It's surprisingly simple to do and incredibly common.

What Is Email Spoofing?

Do spam messages mean you've been hacked by cybercriminals? This often isn't the case; instead, someone is faking your email address. All emails come with details of the recipient and the sender, and the latter can be spoofed—which simply means it's an imitation address.

So why have you received an email seemingly from yourself? There are a few possibilities.

The first instance is when a message can't be delivered, so is "returned" to the address in the sender field. This will seem especially odd if you didn't send that message. At least you now know that someone is faking your address.

Scammers can learn of your address through numerous methods, including social media accounts, mutual contacts, and details sold on the dark web. It could also be that your email address is in the public domain anyway; if you're a business or have a newsletter, for instance, your address will probably be publicized. This makes life a lot easier for scammers looking to spoof emails.

emailing a contact through a website form

Some of us send ourselves important documents and images through email as a means to back them up too. This is a simple way of keeping your vital files accessible wherever you are, without the need for cloud computing. Cybercriminals see this as an opportunity: an email from yourself or another contact may sufficiently pique your curiosity and you'll click on the enclosed link.

We all know not to trust links in emails, but we sometimes forget that advice. This is how malware spreads and gains private data about users. It's one way scammers get past whatever security measures you've taken. By clicking a link, you're essentially accepting a download of any software enclosed, which bypasses even the sandboxing process your browser uses to keep your device safe.

How Are Email Addresses Spoofed?

So how does email spoofing work? How can you spoof, and subsequently spam, an email address?

All a scammer needs is a Simple Mail Transfer Protocol (SMTP) server (that is, a server that can send emails) and the right mailing equipment. This could simply be Microsoft Office Outlook.

You need to provide a display name, email address, and login information: basically, a username and password. The latter lets you into your own email account, but your displayed name and email address can actually be whatever you like.

Code libraries like PHPMailer streamline the process; you simply have to fill out the "From" field, write your message, and add in the recipient's address.

We don't advise you do this because, depending on your jurisdiction, it's illegal.

Most email clients don't support the practice. They typically ask you to verify that you can log into the address you're pretending to send messages from.

There are ways around this, but scammers bypass it using "botnets" as mail servers. A botnet is a system of infected computers, acting generally without the users' knowledge to forward viruses, spam, and worms to other devices.

Why Did a Stranger Get an Email From Me?

Man angry at laptop

In rare cases, you might get an angry message from someone who claims you sent them a virus. This is probably due to email spoofing.

When one machine is compromised, malware scours the address book and sends malicious messages and downloads to contacts using that email client. These often claim to be from a friend of the infected computer's user. You don't even need to know this person—their name is being used solely because you have a mutual contact!

A virus' modus operandi is to prosper. They spread and infect as many machines as possible to gain as much personal information, and therefore influence, as they can. Most notably, this is through malware installed on a device through subterfuge, like a Trojan horse that purports to be useful while collecting your data.

If you get a message from an irate stranger, explain that this isn't your fault. Maybe forward them here, so they're aware of what can be done. You could then try to isolate which contact you've got in common, so you can alert them that their system has been compromised. That can be a needle in a haystack, however…

What to Do if You Get a Suspicious Email

Do not click any links in emails.

Similarly, don't download any attachments unless you know they're genuine. It doesn't matter if it comes from someone you think you can trust or not. Learn how to spot a fake email, and don't ignore basic practices if the email is supposedly from someone you know. We're generally skeptical of messages that appear to come from our own address, but not of unsolicited messages from friends.

But the fact that you know the sender should give you an advantage. You know if they're likely to send a link on its own with no other text around it; whether their messages are long and rambling; or whether they always make spelling mistakes.

If nothing's immediately obvious, check through previous emails and note patterns. Do they have a signature that comes through on all their messages? Do they normally send emails via their phone, and so have "Sent from my iPhone", for example, at the bottom?

If you're still not sure, simply ask the supposed sender.

What to Do if Someone Is Using Your Email Address

Email app showing 20 unread messages

Don't click on anything you think might be malicious. Certainly don't click on anything if the email appears to be from your own address and you don't recall sending it.

If the message claims to be from you, check your Sent folder. If it's there, but you didn't send it, your account has likely been compromised. And if you look on Gmail, you can see "Last Account Activity", which might give you an indication about whether someone else is logging into your account.

You must change your password straight away.

Unfortunately, there's very little you can do about spoofing, apart from becoming more savvy about spam.

You might be able to ascertain the Internet Protocol (IP) address from an email. You can trace the origin of messages by learning to open headers and finding the IP address. This might sound intimidating, but you can then trace that, unless the IP address is hidden.

Can You Protect Yourself From Email Spoofing?

It can be a frustrating situation to find yourself in, but fortunately, more people recognize email spoofing as a scam, immediately sending such messages to the trash. They do serve as a timely reminder that we always need to keep every aspect of our online lives secure—that means social media feeds, browsers, and your email accounts.