Email Spoofing: When the Message in Your Inbox Comes from You

Email spoofing

Written by Jackie Bilodeau

I am the Communications Director for CGNET, having returned to CGNET in 2018 after a 10-year stint in the 1990's. I enjoy hiking, music, dance, photography, writing and travel. Read more about my work at CGNET here.

August 7, 2025

This topic reminds me of that 1979 horror movie with the famous line, “The call is coming from inside the house!”  Yesterday during a weekly meeting, all 3 attendees (including me) shared that we had recently received emails addressed to ourselves. This wouldn’t be the first time any of us had experienced this, but it did feel like a sudden onslaught.

This is one part of a phishing tactic known as spoofing where the scammer “spoofs”, or fakes, the From: address in the hopes you’ll be more likely to open the email. (In this version, the address they use is your own.) In the message body you may find instructions to click a link, open an attachment, or scan a QR code. Following their instructions often does one of two things: Downloads malware or a virus on your computer, or takes you to a website that asks for your login credentials so they can steal them. Alternatively, the message may simply contain the threat that “you’ve been hacked” and instructions on what to do next (pay a ransom, for example).

Here’s what mine looked like (as you can see, mine was fortunately caught by our email security software INKY and automatically moved to my Junk folder):

 

 

Spoofed message

 

So let’s talk about why this happens, and what you should (and shouldn’t do) if it happens to you.

Why this tactic often works

So, how did this message appearing to be from you end up in your Inbox in the first place?  And why would you even open it if you know you didn’t send anything to yourself?

  • How did this message get here? Well, your own (seemingly legitimate) email address can bypass most email platform’s standard security measures, which is why the hacker chose it.
  • Why would I bother opening it? If the message subject (or preview) claims you’ve been hacked, using your own address makes it more likely you’ll follow the instructions inside. After all, if a scammer has your address and is sending from it, your account MUST have been compromised, right?

For the record, it is NOT true that you’ve definitely had your account hacked. Email addresses can easily be found in many places legitimately and otherwise. And spoofing email addresses (i.e., replacing the actual From: address with a different one) is unfortunately quite easy to do. Just because someone knows your address does not mean they have access to the contents of your mailbox. However, if you fall for the message instructions to “click this link”, open an attachment, or scan a dangerous “QR code”, you may just be the one giving them the access you assumed they already had!

What to do to combat the issue

When dealing with all potential phishing messages, including spoofed email, it’s important to follow these steps to ensure your security:

My usual advice

I’ve said it many times before, and I’ll say it again: When it comes to anything online, always maintain a healthy level of skepticism. In a world filled with spammers, hackers, and other online troublemakers, this is the best advice you can follow. While I try hard not to let this mindset affect my behavior IRL (as the kids say), I am extremely cautious when it comes to the messages I receive online. And I recommend you adopt the same approach!

 

 

For over forty years, CGNET has provided state-of-the-art IT services to organizations of all sizes, across the globe. We’ve done it all, from IT and cybersecurity assessments to cloud services management to generative AI user training. Want to learn more about who we are and how we might be able to help you? If so, check out our website or send us a message!

 

You May Also Like…

You May Also Like…

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Translate »
Share This
Subscribe