This topic reminds me of that 1979 horror movie with the famous line, “The call is coming from inside the house!”  Yesterday during a weekly meeting, all 3 attendees (including me) shared that we had recently received emails addressed to ourselves. This wouldn’t be the first time any of us had experienced this, but it did feel like a sudden onslaught.

This is one part of a phishing tactic known as spoofing where the scammer “spoofs”, or fakes, the From: address in the hopes you’ll be more likely to open the email. (In this version, the address they use is your own.) In the message body you may find instructions to click a link, open an attachment, or scan a QR code. Following their instructions often does one of two things: Downloads malware or a virus on your computer, or takes you to a website that asks for your login credentials so they can steal them. Alternatively, the message may simply contain the threat that “you’ve been hacked” and instructions on what to do next (pay a ransom, for example).

Here’s what mine looked like (as you can see, mine was fortunately caught by our email security software INKY and automatically moved to my Junk folder):

So let’s talk about why this happens, and what you should (and shouldn’t do) if it happens to you.

Why this tactic often works

So, how did this message appearing to be from you end up in your Inbox in the first place?  And why would you even open it if you know you didn’t send anything to yourself?

• How did this message get here? Well, your own (seemingly legitimate) email address can bypass most email platform’s standard security measures, which is why the hacker chose it.
• Why would I bother opening it? If the message subject (or preview) claims you’ve been hacked, using your own address makes it more likely you’ll follow the instructions inside. After all, if a scammer has your address and is sending from it, your account MUST have been compromised, right?

For the record, it is NOT true that you’ve definitely had your account hacked. Email addresses can easily be found in many places legitimately and otherwise. And spoofing email addresses (i.e., replacing the actual From: address with a different one) is unfortunately quite easy to do. Just because someone knows your address does not mean they have access to the contents of your mailbox. However, if you fall for the message instructions to “click this link”, open an attachment, or scan a dangerous “QR code”, you may just be the one giving them the access you assumed they already had!

What to do to combat the issue

When dealing with all potential phishing messages, including spoofed email, it’s important to follow these steps to ensure your security:

• Use AI-powered email security tools like INKY or Norton Genie. If your organization doesn’t already use one of these tools, perhaps it’s time to bring it up to your IT team!
• Avoid opening suspicious emails. Simply forward or drag the message to your Junk/Spam or Delete folder and move on.
• Do not click on links or scan QR codes if you do open the email.
• Forward the message to your IT team with an explanation so they can investigate. (Automated “report junk” links won’t work because you’d be reporting your own address.)
• Follow any instructions from your IT team, such as scanning for malware or viruses, changing your password, or setting up two-factor authentication (2FA) if they suspect your account has been compromised.
• Forward the email to the Anti-Phishing Working Group at mailto:re************@**wg.org” data-original-string=”ywzGqFmjFCuvjdN+jTD5Zw==bdbSPOmk0LSjiidxtHTcutyCv5RbsHK1JkhdProiWhdRT433jmWToIXPOoFG+ilGfEWTfDROBcWKr4Q5i1thGsymkIjMxQC1Z5iNtjVKf33S8MFc3cvJ8vy4l11cGXXrLQ09IkZBOpCC+ScuAnPEhMi8bMMPkHYefRzE6az0z0z0OmoQlO0lJYyB2RUC1pQxpOIzSOpROQuuS6U7tQvTCTuHjYHDxwT1rgl3LgSAHqXNYC6Lf7zH9+zt+8LylxcWZnSW+rv7IRmKnGlB+cK0F438A+fDe7+IgipWQ4zruOrCqM=” title=”This contact has been encoded by Anti-Spam by CleanTalk. Click to decode. To finish the decoding make sure that JavaScript is enabled in your browser., an international consortium that collects and analyzes phishing reports to help identify and stop future attacks.
• In the US, report the scam to the FTC at ftc.gov.  If you are outside the United States, you can look up which government organization phishing or other cybercrimes should be reported to.

My usual advice

I’ve said it many times before, and I’ll say it again: When it comes to anything online, always maintain a healthy level of skepticism. In a world filled with spammers, hackers, and other online troublemakers, this is the best advice you can follow. While I try hard not to let this mindset affect my behavior IRL (as the kids say), I am extremely cautious when it comes to the messages I receive online. And I recommend you adopt the same approach!

For over forty years, CGNET has provided state-of-the-art IT services to organizations of all sizes, across the globe. We’ve done it all, from IT and cybersecurity assessments to cloud services management to generative AI user training. Want to learn more about who we are and how we might be able to help you? If so, check out our website or send us a message!