Have you ever opened a spam message that seemed to be sent from your own email address? You are not the only one.
Forging the sender of an email is called spoofing (falsification). It is usually done for spamming or extortion and, unfortunately, there is little you can do to stop it.
How spammers fake your email address
Spoofing is forging an e-mail address so that a message appears to come from someone other than the person who actually sent it. The technique is often used to make you think the e-mail came from someone you know, from the company you work for, or from your bank or another financial service.
Unfortunately, email spoofing is incredibly easy. E-mail systems often have no security control that checks whether the address you type in the From: field actually belongs to you. It is much like a letter you hand to the post office: you can write anything you want as the sender, as long as you do not mind that the letter cannot be returned to you. The post office has no way of knowing whether you really live at the return address you wrote on the envelope.
Email spoofing works similarly. Some online services, like Outlook.com, check the From: address when you send a message and can stop you from sending with a fake one. Other tools, however, let you fill in anything you like; it is as easy as running your own mail (SMTP) server. All the spammers need is your email address, which they most likely bought on the dark web after it leaked in a data breach.
Why do scammers forge your address?
Scammers send emails that appear to come from your own address for basically one of two reasons. The first is the hope of bypassing spam protection. They assume that you may be used to sending emails to yourself, for example as a reminder of an important event, and that you would not want such a message classified as spam.
So scammers hope that, by using your address, your junk-mail filters will not stop their message and will let it through. There are tools to detect an email that was sent from a domain other than the one it claims to come from, but the email provider has to implement them and, unfortunately, many do not.
The second reason fraudsters forge your email address is to create a sense of authenticity. It is not unusual for a forged e-mail to claim that your account has been compromised; the fact that "you sent this email" is presented as proof of "hacker" access. It may also include a code or telephone number obtained from a breached database as further proof.
The scammer usually claims to have "spicy" information about you, or images captured from your webcam while you were browsing adult websites, and threatens to send the material to your closest contacts unless you pay a ransom. At first it sounds believable: with your own address as the sender, it looks as if the scammer has access to your email account.
What e-mail services do to tackle the problem
The ease with which someone can forge an email address is not a new problem. Because email providers do not want to flood you with spam, they have developed tools to combat it.
The first was the Sender Policy Framework, or SPF, which works on a few basic principles. Every e-mail domain has a set of Domain Name System (DNS) entries that are used to direct traffic to the correct server or host. An SPF record is published as one of those DNS records.
That may be confusing, so let's put it more simply. When you send an email, the receiving service compares your email domain (e.g. @gmail.com) and the source IP address against the SPF record to make sure they match. If you send an email from a Gmail address, the message should also show that it came from a Gmail-controlled server.
Unfortunately, SPF alone does not solve the problem. Every domain has to maintain its SPF records properly, which is not always the case. It is also easy for fraudsters to get around it. When you receive an e-mail, you may see only a display name instead of the address. Spammers put an email address in the display-name field and use a different address as the envelope sender, one whose domain has a matching SPF record. So the message does not go to spam.
Companies also have to decide what to do with SPF results. Most of the time they prefer to let every email through rather than risk blocking a critical message. SPF itself has no accompanying set of rules on what to do with the information.
To address these issues, Microsoft, Google and other major companies introduced Domain-based Message Authentication, Reporting, and Conformance, or DMARC. It works together with SPF to set rules on what to do with emails flagged as potential spam.
DMARC first runs the SPF check. If the check fails, the message is not allowed through unless an administrator has configured otherwise. Even if SPF passes, DMARC checks that the address shown in the From: field matches the domain the e-mail actually came from.
Unfortunately, even with support from Microsoft, Facebook and Google, DMARC is still not widely used. If you have an Outlook.com or Gmail.com address, you probably benefit from DMARC. By the end of 2017, however, only 39 of the Fortune 500 had implemented this validation service.
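As an added illustration (not code from the original article), the following Python script walks through the two steps just described: a simplified SPF evaluation of the sending IP address against a domain's published record, followed by the DMARC alignment check between the domain shown in From: and the envelope-sender domain that SPF authenticated. The DNS records, domains and IP addresses are constructed for the example, and the org_domain helper is a simplification of the Public Suffix List logic that real implementations use.

```python
import email.utils
import ipaddress
from typing import Dict, List, Optional

# Constructed DNS TXT data standing in for the lookups a receiving mail server
# performs. These are example records for reserved example domains, not the
# real SPF records of any organisation.
DNS_TXT: Dict[str, List[str]] = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    "_spf.example.net": ["v=spf1 ip4:198.51.100.10 ~all"],
    "attacker.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
}

# SPF qualifier prefixes and the result each produces when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain: str) -> Optional[str]:
    """Return the domain's SPF record (the TXT record starting with v=spf1), if any."""
    for txt in DNS_TXT.get(domain.lower(), []):
        if txt.startswith("v=spf1"):
            return txt
    return None


def check_spf(domain: str, source_ip: str, depth: int = 0) -> str:
    """Simplified SPF evaluation of source_ip against the domain's record.

    Handles the ip4, ip6, include and all mechanisms with their qualifiers;
    the a, mx and other mechanisms are omitted for brevity. Result names follow
    RFC 7208: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying terms; this also stops include loops
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(source_ip)
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        matched = False
        if term.startswith(("ip4:", "ip6:")):
            # An IPv6 address tested against an IPv4 network simply does not match.
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = check_spf(term[8:], source_ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and there was no 'all' term


def address_domain(header_value: str) -> str:
    """Domain of the actual address in a From: or Return-Path header.

    The display name is ignored, so '"you@example.com" <x@attacker.example>'
    yields attacker.example, which is what DMARC alignment looks at.
    """
    _, addr = email.utils.parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower()


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels (assumption).

    Real DMARC implementations consult the Public Suffix List instead.
    """
    return ".".join(domain.split(".")[-2:])


def dmarc_evaluate(from_header: str, mail_from: str, source_ip: str) -> Dict[str, object]:
    """Run the two steps the article describes: SPF, then identifier alignment."""
    mail_from_domain = address_domain(mail_from)
    from_domain = address_domain(from_header)
    spf = check_spf(mail_from_domain, source_ip)
    aligned = org_domain(from_domain) == org_domain(mail_from_domain)
    return {
        "spf": spf,
        "from_domain": from_domain,
        "mail_from_domain": mail_from_domain,
        "aligned": aligned,
        # DMARC passes only when SPF passes AND the authenticated domain aligns
        # with the visible From: domain (DKIM, the other path, is omitted here).
        "dmarc": "pass" if spf == "pass" and aligned else "fail",
    }


if __name__ == "__main__":
    cases = [
        ("Alice <alice@example.com>", "<bounce@example.com>", "192.0.2.10"),
        ("Alice <alice@example.com>", "<bounce@example.com>", "198.51.100.10"),
        ("Alice <alice@example.com>", "<bounce@example.com>", "203.0.113.5"),
        # The trick from the text: SPF passes for the spammer's own envelope
        # domain, but the From: header shows the victim's domain.
        ("victim@example.com", "<bounce@attacker.example>", "203.0.113.5"),
    ]
    for args in cases:
        print(args, "->", dmarc_evaluate(*args))
```

The last case is the one the text describes: SPF alone says "pass" because the spammer's envelope domain really does authorise the sending server, and only the alignment step notices that the visible From: domain is someone else's.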
What you can do about spam emails that come from you
Unfortunately, there is no way to prevent spammers from abusing your address. Hopefully your email provider applies SPF and DMARC, so that you will not see these targeted emails in your inbox; they should go straight to the Spam folder.
If your email account gives you control over the spam settings, you can tighten the rules. Just be aware that you may also lose some genuine messages, so check the spam folder regularly.
If you receive a fake message from yourself, ignore it. Do not open attachments or click links, and certainly do not pay the ransom demanded. Just mark it as spam or phishing, or delete it. If you are afraid your accounts have been compromised, secure them.
If you use the same password for other services, change it and give each service its own unique password. If you do not trust your memory with that many passwords, write them in a text file stored on your computer or use a password manager.
Finally, depending on which email service you use, learn how to view the original message with all its details (headers and so on) so you can tell whether it is spam or not.
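As an added example (not part of the original article), here is a small Python script that reads the raw headers mentioned above and pulls out the details worth checking: the real From: address behind the display name, the Return-Path (envelope sender), the originating server's IP address from the Received: header, and the spf/dkim/dmarc results the receiving server recorded in Authentication-Results. The sample headers are constructed for illustration; the domains, IP address and message id are invented.

```python
import email
import email.utils
import re
from typing import Dict, List

# Constructed raw headers of the kind of message the article describes: the
# visible From: is the recipient's own address, while the envelope sender and
# the sending server belong to somewhere else entirely. All values are invented.
SAMPLE_HEADERS = """\
Return-Path: <bounce@attacker.example>
Received: from mail.attacker.example (mail.attacker.example [203.0.113.5])
    by mx.example.com with ESMTP id EXAMPLE123
Authentication-Results: mx.example.com;
    spf=pass smtp.mailfrom=attacker.example;
    dkim=none;
    dmarc=fail header.from=example.com
From: "victim@example.com" <victim@example.com>
To: victim@example.com
Subject: Your account has been hacked

Pay now.
"""

# A second constructed sample showing the display-name trick: the name looks
# like the recipient's address, but the real address is the spammer's.
SAMPLE_DISPLAY_TRICK = SAMPLE_HEADERS.replace(
    'From: "victim@example.com" <victim@example.com>',
    'From: "victim@example.com" <noreply@attacker.example>',
)

AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def inspect_headers(raw: str) -> Dict[str, object]:
    """Summarise the headers a user should look at and list anything suspicious."""
    msg = email.message_from_string(raw)
    display_name, from_addr = email.utils.parseaddr(msg.get("From", ""))
    _, return_path = email.utils.parseaddr(msg.get("Return-Path", ""))

    # Results the receiving server recorded (only trust this header when it was
    # added by your own provider; a sender can forge one too).
    auth: Dict[str, str] = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RESULT.findall(value):
            auth[method] = result

    # Received: headers are prepended by each hop, so the last one is the first hop.
    received = msg.get_all("Received", [])
    ip_match = BRACKETED_IP.search(received[-1]) if received else None
    originating_ip = ip_match.group(1) if ip_match else ""

    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    rp_domain = return_path.rsplit("@", 1)[-1].lower()

    findings: List[str] = []
    if return_path and rp_domain != from_domain:
        findings.append(
            f"envelope sender domain {rp_domain} differs from From: domain {from_domain}"
        )
    if "@" in display_name and display_name.lower() != from_addr.lower():
        findings.append(
            f"display name looks like an address ({display_name}) but the real address is {from_addr}"
        )
    if auth.get("dmarc") == "fail":
        findings.append("receiving server recorded dmarc=fail")
    if auth.get("spf") in ("fail", "softfail"):
        findings.append(f"receiving server recorded spf={auth['spf']}")

    return {
        "display_name": display_name,
        "from_addr": from_addr,
        "return_path": return_path,
        "originating_ip": originating_ip,
        "auth": auth,
        "findings": findings,
        "verdict": "suspicious" if findings else "no obvious signs of spoofing",
    }


if __name__ == "__main__":
    for label, sample in (("own address", SAMPLE_HEADERS), ("display-name trick", SAMPLE_DISPLAY_TRICK)):
        report = inspect_headers(sample)
        print(f"== {label}: {report['verdict']}")
        for finding in report["findings"]:
            print("  -", finding)
```

In the first sample the visible From: really is your own address, so the only clues are the Return-Path and the dmarc=fail your provider recorded; in the second, the display name is the lure and the actual address gives the game away. Either way the details only appear in the full headers, which is why the article suggests learning how to view them.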