Why am I getting spam from my own email account?

The simple answer:  You probably aren’t.  

The scenario is playing itself out in more and more e-mailboxes these days.  You’re going through your inbox one day and you notice an email from your own address. You’re confused. Maybe you CC’d yourself on an earlier email, you think?  Then you see the subject line:  “Apply for online position” or “Take a look at these pics” or something about “Viagra”.  Your heart skips a beat. You know you didn’t send the email, so you come to the next logical conclusion:  someone else sent the email from your account.  You start sweating.  You scan the office to see if your co-workers are looking at you with suspicion.  “Oh no!”, you think, “I’ve been hacked and everyone in my address book is getting emails from me about Viagra!”

Ok.  Slow down.  It’s probably not as bad as you think.  With all the news about hacking these days, it’s understandable that seeing an email from yourself that you did not send would start setting off alarm bells. But fortunately it’s not the only explanation, nor is it the most likely.  Chances are your email address has been “spoofed”.

Email Spoofing? 

Yes, it’s a silly name for an annoying spam epidemic, but for all intents and purposes, think of it as forgery.  Spammers are very good at exploiting loopholes in the various security measures email providers use to safeguard user mailboxes.  But spam filtering and protection have been getting better and better over the years.  Your emails are evaluated based on known spam subject lines, phrases, senders, servers, etc., and anything suspicious is often either flagged and dumped into your junk mail folder, or blocked outright at the mail server.

So how is the resourceful spammer to get his/her malicious emails into your mailbox? Well, it’s complicated, but to put it simply, by pretending to be you.  There are currently no widely used security protocols in place to ensure that the email address in the FROM field of an email is legitimate.  It can be anything, including the same as the recipient email address. Most spam filters will not block emails to you from your own address, partly because that would interfere with users’ ability to CC themselves on email threads. So the resourceful spammer will send an email to a user and fraudulently enter that user’s email address in the FROM field as well as the TO field, a method of spoofing known as “self-sending spam”.  And voila.  The email shows up in your inbox, or if you have more advanced spam controls in place, your junk mail folder.  So even though the email has your address in the FROM field, it was not sent from your email account AND it was not sent to anyone in your address book.  You are the intended recipient.
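One way an IT professional might triage such a message from its raw headers, as an added example that is not part of the original article. The sample messages, the placeholder domains and the `classify` function are constructed for illustration, and the comparison against the `Return-Path` and `Message-ID` headers is a heuristic chosen here, not a method the article describes.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed samples (example.com / example.net are placeholder domains).
SPOOFED = (
    "Return-Path: <bounce-7731@mailer.example.net>\n"
    "From: Alice <alice@example.com>\n"
    "To: alice@example.com\n"
    "Subject: Apply for online position\n"
    "Message-ID: <20240102.7731@mailer.example.net>\n"
    "\n"
    "Hello\n"
)
CC_SELF = (
    "Return-Path: <alice@example.com>\n"
    "From: Alice <alice@example.com>\n"
    "To: bob@example.org\n"
    "Cc: alice@example.com\n"
    "Subject: Meeting notes\n"
    "Message-ID: <abc123@example.com>\n"
    "\n"
    "Notes attached.\n"
)

def domain(value):
    """Lower-cased domain part of an address or Message-ID, '' if none."""
    return value.strip("<> \t").rpartition("@")[2].lower()

def classify(raw):
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpts = {a.lower() for _, a in
             getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if not sender or sender not in rcpts:
        return "not-self-addressed"
    # Heuristic: the visible FROM is free text, so compare it with the
    # envelope sender recorded in Return-Path and with the Message-ID host.
    # A mismatch suggests forgery; a match proves nothing, because both
    # values can be forged too. Missing headers are skipped, not flagged.
    envelope = domain(parseaddr(msg.get("Return-Path", ""))[1])
    msgid = domain(msg.get("Message-ID", ""))
    if any(d and d != domain(sender) for d in (envelope, msgid)):
        return "likely-spoofed"
    return "consistent-with-own-account"

if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("CC_SELF", CC_SELF)):
        print(name, "->", classify(raw))
```

The `CC_SELF` case shows why filters cannot simply drop every message whose sender is also a recipient.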

What Can I Do?

Not much.  Email spoofing and especially “self-sending spam” is rampant these days and until commonly used email security protocols are strengthened, it will continue to be a nuisance but not a cause for alarm.  Spam filtering is starting to catch up with the problem, which means more of these emails are going straight to junk mail rather than clogging your inbox.  So the best thing to do is to stay informed and keep an eye on your inbox.

Red Flags

While email spoofing is much more likely than an account breach, if you learn that others are receiving spam emails from you, contact your IT professionals immediately.  Spam emails originating from your account and being sent to outside recipients could indicate a security breach and should be investigated and resolved immediately.

Furthermore, while the form of spoofing known as “self-sending spam” (where the recipient and sender are the same) is not a cause for alarm, there are more malicious forms of email spoofing, where the FROM address is forged to appear to be from a legitimate source such as a bank or government institution. For this reason, users should always approach such emails with caution: do not download or open files or links from unknown senders and if there is any doubt of the veracity of the sender, contact the company directly by phone.
