Have you ever opened an email only to find it was spam or a blackmail attempt that appeared to come from your own email address? You're not alone. Forging an email address is called spoofing, and unfortunately there is little you can do to stop it.
How spammers forge your email address
Spoofing is forging an email so that it appears to come from someone other than the person who actually sent it. Often, spoofing is used to make you believe an email comes from someone you know or from a company you do business with, such as a bank or other financial service provider.
Unfortunately, email spoofing is incredibly easy. Email systems often have no security check to make sure that the address you put in the From field really belongs to you. It's like an envelope you drop in the mail: you can write anything you want in the return address field, as long as you don't care whether the post office can return the letter to you. The post office has no way of knowing whether you really live at the return address on the envelope.
Email spoofing works the same way. Some online services, such as Outlook.com, enforce the sender address when you send an email and will stop you from sending under a fake one. With other tools, however, you can enter anything you want; it's as easy as setting up your own mail server (SMTP) and telling it what to put in the From field. All a scammer needs is your address, which they can easily obtain from any of the many data breaches.
Why do scammers fake your address?
Scammers send you emails that seem to come from your own address for two general reasons. The first is the hope of bypassing your spam protection. When you send yourself an email, you are probably trying to remember something important, and you don't want that message marked as spam. Scammers therefore hope that by using your address, their message will slip past your spam filter unnoticed. There are tools to detect an email that was sent from somewhere other than the domain it claims to come from, but your email provider must implement them, and unfortunately many do not.
The second reason scammers fake your email address is to gain a sense of legitimacy. It's not uncommon for a fake email to claim that your account has been compromised. "You sent this email to yourself" serves as supposed proof of the hacker's access. They may also include a password or phone number taken from a breached database as further evidence.
The scammer usually claims to have compromising information about you or pictures from your webcam. They then threaten to send the material to your closest contacts unless you pay a ransom. That sounds credible at first; after all, they appear to have access to your email account. But that is the whole point: the scammer is faking the evidence.
What e-mail services do to tackle the problem
The fact that anyone can easily fake an email address is not a new problem. Because email providers do not want their users buried in spam, tools have been developed to fight it.
The first was the Sender Policy Framework (SPF), which works on a few basic principles. Every email domain has a set of Domain Name System (DNS) records that direct traffic to the right hosting server or computer. An SPF record is published alongside those DNS records (as a TXT record) and lists which servers are allowed to send mail for the domain. When you send an email, the receiving service takes the domain of the sending address (@gmail.com, for example), looks up its SPF record, and checks whether the IP address the message actually came from is on the list. If you send an email from a Gmail address, that email should also arrive from a Gmail server. One important detail: SPF checks the domain in the message's envelope sender (the Return-Path used during the SMTP transaction), which is not necessarily the From address you see in your mail client.
Unfortunately, SPF alone does not solve the problem. Someone has to publish and maintain correct SPF records for each domain, and that does not always happen. It is also easy for fraudsters to get around the check. When you receive an email, you may see only a display name instead of an email address. Spammers put your email address in the display name and use a different address, on a domain whose SPF record they control, as the actual sender. You see a message that looks like it came from you, and SPF sees a sender it can validate, so neither flags it as spam.
Receiving mail providers also have to decide what to do with an SPF result. Most of the time they let the email through anyway rather than risk dropping an important message. SPF itself says nothing about how to handle a failure; it only reports the result of the check.
To address these issues, Microsoft, Google and others introduced Domain-based Message Authentication, Reporting and Conformance (DMARC). It builds on SPF (and on DKIM signatures, which this article does not cover) to add rules for handling emails that fail the checks. DMARC first looks at the SPF result. It then verifies that the domain in the From: field you see matches the domain that SPF actually validated; this is called alignment. If SPF fails, or if the domains are not aligned, the receiving service applies whatever policy the owner of the From: domain has published: monitor only, quarantine, or reject.
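The following added example (written for this page, not code from any mail provider or from the SPF or DMARC projects) models how a receiving server performs the SPF check and the DMARC alignment check described above, and shows why the display-name trick from the SPF section still gets through. It assumes constructed DNS data (the `SPF_RECORDS` and `DMARC_RECORDS` dictionaries and the domains in them are invented, standing in for real TXT lookups), handles only the ip4, ip6, include and all mechanisms, approximates the organizational domain by its last two labels, and ignores DKIM.

```python
import ipaddress
from email import policy
from email.parser import BytesParser

# Constructed DNS data standing in for real TXT lookups (assumption: these
# domains and records are invented for this example).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 -all",
    "spam-sender.example": "v=spf1 ip4:192.0.2.0/24 -all",  # domain the scammer controls
}
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; aspf=r",  # relaxed SPF alignment, reject on failure
}
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, source_ip, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `source_ip`.

    Handles only ip4, ip6, include and all; returns pass/fail/softfail/neutral/none.
    """
    record = SPF_RECORDS.get(domain)
    if record is None or depth > 10:  # no record, or include chain too deep
        return "none"
    ip = ipaddress.ip_address(source_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "include":
            matched = check_spf(argument, source_ip, depth + 1) == "pass"
        elif mechanism == "all":
            matched = True
        else:
            matched = False  # a, mx, exists, ... are out of scope for this example
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


def org_domain(domain):
    """Approximate the organizational domain as the last two labels.
    Assumption: real receivers use the Public Suffix List instead."""
    return ".".join(domain.lower().split(".")[-2:])


def evaluate(raw_message, envelope_from, source_ip):
    """SPF on the envelope sender, then DMARC alignment against the visible From: header."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    visible = msg["From"].addresses[0]          # what the user sees in the mail client
    from_domain = visible.domain.lower()
    spf_domain = envelope_from.rpartition("@")[2].lower()  # Return-Path domain SPF checks
    spf = check_spf(spf_domain, source_ip)

    dmarc_record = DMARC_RECORDS.get(from_domain)
    tags = {}
    if dmarc_record:
        tags = dict(t.strip().split("=", 1) for t in dmarc_record.split(";") if t.strip())
    strict = tags.get("aspf", "r") == "s"
    aligned = (spf_domain == from_domain) if strict else (org_domain(spf_domain) == org_domain(from_domain))

    if not dmarc_record:
        dmarc = "none"   # the From: domain publishes no policy, so there is nothing to enforce
    elif spf == "pass" and aligned:
        dmarc = "pass"
    else:
        dmarc = "fail"
    disposition = tags.get("p", "none") if dmarc == "fail" else "deliver"
    return {"display_name": visible.display_name, "from_domain": from_domain, "spf_domain": spf_domain,
            "spf": spf, "aligned": aligned, "dmarc": dmarc, "disposition": disposition}


# Constructed sample messages (assumption: addresses and contents are invented).
SPOOFED = b'From: "Alice" <alice@example.com>\nTo: alice@example.com\nSubject: I have your files\n\nPay up.\n'
LEGIT = b'From: "Alice" <alice@example.com>\nTo: bob@example.net\nSubject: Reminder to self\n\nDentist Friday.\n'
# The display-name trick: the victim's address appears only as the display name.
DISPLAY_NAME_TRICK = b'From: "alice@example.com" <billing@spam-sender.example>\nTo: alice@example.com\nSubject: Notice\n\nClick here.\n'

if __name__ == "__main__":
    cases = [
        ("forged From:, scammer's own envelope domain", SPOOFED, "bounce@spam-sender.example", "192.0.2.7"),
        ("forged From: and forged envelope", SPOOFED, "alice@example.com", "192.0.2.7"),
        ("legitimate self-addressed mail", LEGIT, "alice@example.com", "203.0.113.5"),
        ("display-name trick", DISPLAY_NAME_TRICK, "billing@spam-sender.example", "192.0.2.7"),
    ]
    for label, raw, envelope, ip in cases:
        r = evaluate(raw, envelope, ip)
        print(f"{label}: spf={r['spf']} aligned={r['aligned']} dmarc={r['dmarc']} -> {r['disposition']}")
```

The first two cases show what DMARC adds: in one the scammer uses their own envelope domain and passes SPF, but the From: domain is not aligned; in the other they forge the envelope as well and fail SPF outright. Both end in the `reject` policy published for the From: domain. The last case is the one the article warns about: the message passes SPF and DMARC, because technically nothing is forged, and only the display name pretends to be the victim's address.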
DMARC is not yet widely used. If you have an Outlook.com or Gmail address, you probably benefit from it. By the end of 2017, however, only 39 Fortune 500 companies had implemented it.
What You Can Do About Self Addressed Spam
Unfortunately, there is no way to prevent spammers from forging your address. With luck, the email service you use implements both SPF and DMARC, and you will never see these messages. Any that do arrive should go straight to spam. If you have control over the spam settings in your email account, you can tighten them. Be aware, however, that you may then lose some legitimate messages, so check your spam folder regularly.
If you receive a fake message from yourself, ignore it. Do not open attachments or click links, and do not pay the ransom. Just mark it as spam or phishing, or delete it. If you are worried that your accounts really have been compromised, secure them. If you reuse passwords, reset the password on every service that shares the current one and give each a new, unique password. If you don't trust yourself to keep track of that many passwords, use a password manager.
If you're concerned about receiving fake emails that appear to come from your contacts, it is also worth learning how to read email headers, which show the path a message actually took and the envelope sender that SPF checked.