Have you ever opened a spam email that appeared to have been sent from your own email address? You are not the only one.
Forging email addresses is called spoofing (falsification). It is usually done for spamming or extortion and, unfortunately, there is little that you can do about it.
How spammers fake your email
Spoofing is the act of forging an e-mail address so that a message appears to be from someone else, and not from the person who sent it. Often, this technique is used to trick you into thinking that the e-mail came from someone you know, from the business you work for, or from your bank or other financial service.
Unfortunately, email spoofing is incredibly easy. Email systems often do not have security controls in place to ensure that the email address you enter in the "From:" field really belongs to you. It's more or less like a letter you mail. You can write anything you want in the "Sender" section if you do not care that the post office will not be able to return the letter to you. The post office has no way of knowing whether you actually live at the sender's address you wrote on the envelope.
E-mail spoofing works similarly. Some online services, such as Outlook.com, pay attention to the "From:" address when sending an email and may prevent you from sending something with a fake address. However, some tools allow you to fill in anything you want. It's as easy as setting up your own email server (SMTP). All spammers need is your email address, which they are likely to purchase on the dark web, where it ended up after some data breach.
Why do scammers forge your address?
Scammers send emails that appear to come from your address for one of the two reasons below. The first reason is the hope that they will bypass spam protection. They reckon that you are probably used to sending emails to yourself, maybe to remind yourself of an important event, and that you would not want such a message to be classified as spam.
So scammers hope that, because the message uses your address, your junk mail filters will not stop it and will let it pass. There are tools to detect an email message sent by a domain other than the one it claims to be from, but the email provider must implement them and, unfortunately, many do not.
The second reason for which fraudsters spoof your email is to gain a sense of authenticity. It is not uncommon for a spoofed email to claim that your account is compromised. The fact that "you sent this email" serves as proof of the hacker's access. They may also include a code or phone number obtained from a breached database as further evidence.
The scammer usually claims to have "spicy" information about you or pictures taken by your camera while you were browsing adult websites. They then threaten to deliver the data to your closest contacts unless you pay a ransom. It sounds believable at first, especially as the sender seems to have access to your email account.
What e-mail services do to tackle the problem
The fact that someone can forge an email address so easily is not a new problem. Because email providers do not want to bother you with spam, they have developed tools to combat the problem.
The first was the Sender Policy Framework, or SPF, and it works on some basic principles. Each e-mail domain comes with a set of Domain Name System (DNS) records that are used to direct traffic to the correct server or host. An SPF record works alongside these DNS records.
You may be confused, so let's put it more simply. When you send an email, the receiving service compares your email domain (e.g. @gmail.com) with the source IP and the SPF record to make sure they match. If you send an email from a Gmail address, the email should also show that it came from a Gmail-controlled device.
Unfortunately, SPF alone does not solve the problem. Someone must maintain the SPF records properly for each domain, which is not always the case. It is also easy for fraudsters to work around the check. When you receive an e-mail, you may only see a name instead of an e-mail address. Spammers fill in one email address as the displayed name and another as the sending address, the latter matching an SPF record. So the message will not go to spam.
Companies also have to decide what to do with SPF results. Most of the time, they prefer to let all emails through rather than risk blocking a critical message. SPF does not come with a set of rules for what to do with the information.
To address these issues, Microsoft, Google and other major companies introduced Domain-based Message Authentication, Reporting, and Conformance, abbreviated DMARC. It works with SPF to create rules on what to do with emails that are marked as potential spam.
DMARC first checks the SPF result. If the check fails, it does not let the message pass unless an administrator has configured it otherwise. Even if SPF passes, DMARC checks that the email address displayed in the "From:" field corresponds to the domain from which the email originates.
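The two checks described above can be sketched in a few lines. This is an added example, not code from the original article or from any mail provider: the SPF table, domains, IP addresses and messages are constructed, and the DMARC step is simplified to an exact domain match on the SPF result only.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF data: networks allowed to send for each envelope domain.
# A real receiver looks this up in the domain's DNS TXT record ("v=spf1 ...").
SPF_RECORDS = {
    "example.com": ["192.0.2.0/24"],
    "bulk-sender.example": ["198.51.100.0/24"],
}

def domain_of(address):
    """Lower-cased domain part of an address such as 'Name <user@host>'."""
    return parseaddr(address or "")[1].rpartition("@")[2].lower()

def spf_check(envelope_from, source_ip):
    """Return 'pass', 'fail' or 'none' for the envelope sender's domain."""
    networks = SPF_RECORDS.get(domain_of(envelope_from))
    if networks is None:
        return "none"  # the domain publishes no SPF record
    ip = ipaddress.ip_address(source_ip)
    return "pass" if any(ip in ipaddress.ip_network(n) for n in networks) else "fail"

def dmarc_style_check(raw_message, envelope_from, source_ip):
    """Accept only if SPF passes and the visible From: domain matches the envelope domain."""
    msg = message_from_string(raw_message)
    spf = spf_check(envelope_from, source_ip)
    aligned = domain_of(msg["From"]) == domain_of(envelope_from)
    return {"spf": spf, "aligned": aligned, "accept": spf == "pass" and aligned}

# Constructed messages: both display your own address in From:.
SPOOFED = "From: you@example.com\nTo: you@example.com\nSubject: I have access\n\nPay up.\n"
GENUINE = "From: you@example.com\nTo: you@example.com\nSubject: Reminder\n\nDentist, 3pm.\n"

if __name__ == "__main__":
    # Envelope domain with its own valid SPF record: SPF passes, alignment fails.
    print(dmarc_style_check(SPOOFED, "bounce@bulk-sender.example", "198.51.100.7"))
    # Sent through the real provider: SPF passes and the domains match.
    print(dmarc_style_check(GENUINE, "you@example.com", "192.0.2.10"))
```

The first call shows why SPF on its own lets the spoofed message through: SPF only vouches for the envelope domain, and it is the comparison with the visible "From:" domain that rejects it.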
Unfortunately, even with support from Microsoft, Facebook and Google, DMARC is still not widely used. If you have an Outlook.com or Gmail.com address, you are likely to benefit from DMARC. However, as of the end of 2017, only 39 of the Fortune 500 had implemented this validation service.
What you can do about spam emails that appear to come from you
Unfortunately, there is no way to prevent spammers from spoofing your address. Hopefully, your email system also applies SPF and DMARC, and you will not see these targeted emails in your inbox. They should go straight to the Spam folder.
If your email account gives you control over the spam options, you can tighten the rules. Just be aware that you may also lose some genuine messages, so be sure to check the spam folder frequently.
If you get a fake message from yourself, ignore it. Do not click on attachments or links and of course do not pay the demanded ransom. Just mark it as spam or phishing or delete it. If you are afraid that your accounts have been compromised, close them for security.
If you use the same password with other services, change it on each of them and give each service a new unique password. If you do not trust your memory with so many passwords, simply write them to a txt file stored on your computer or use a password manager.
And finally, depending on which email service you are using, learn how to view the full original email with all its details (headers, etc.) so you can see if it is spam or not.
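Once you have the original message source, the headers can be read programmatically. The following is an added example, not part of the original article: it reads the SPF and DMARC verdicts from the standard Authentication-Results header and flags the displayed-name trick described earlier. The message, host names and addresses are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed "show original" source: authentication passes for the sender's
# own domain, while the displayed name imitates the recipient's address.
RAW = (
    "Return-Path: <alerts@bulk-sender.example>\n"
    "Authentication-Results: mx.mailhost.example; spf=pass "
    "smtp.mailfrom=bulk-sender.example; dmarc=pass header.from=bulk-sender.example\n"
    'From: "you@example.com" <alerts@bulk-sender.example>\n'
    "To: you@example.com\n"
    "Subject: Your account is compromised\n"
    "\n"
    "Pay within 48 hours.\n"
)

def auth_verdicts(msg):
    """Map 'spf'/'dmarc' to the verdict recorded in Authentication-Results."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dmarc)=(\w+)", header):
            verdicts.setdefault(method, result.lower())
    return verdicts

def triage(raw):
    """Return a list of reasons to distrust the message (empty if none found)."""
    msg = message_from_string(raw)
    display, address = parseaddr(msg.get("From", ""))
    verdicts = auth_verdicts(msg)
    findings = [f"{m}={verdicts.get(m, 'missing')}" for m in ("spf", "dmarc")
                if verdicts.get(m) != "pass"]
    # A displayed name that itself looks like an address, but a different one
    # from the real sender, is the trick that survives a passing SPF check.
    shown = re.search(r"[\w.+-]+@[\w.-]+", display)
    if shown and shown.group(0).lower() != address.lower():
        findings.append(f"display name shows {shown.group(0)} but sender is {address}")
    return findings

if __name__ == "__main__":
    for finding in triage(RAW):
        print(finding)
```

Only the Authentication-Results header added by your own mail provider is meaningful, since a sender can put any header text into the message before it arrives.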