Spoofed E-mails or Hacked E-mail Account?

Frequently we receive inquiries from clients who are concerned about an e-mail that a friend, colleague or other contact in their address book has reported receiving from them. Other times, you may receive an e-mail, sent to you and possibly a few others, from someone you know with a link to click on, an advertisement for Viagra, or a sad story about how they are stranded in another country, have lost all their money and identification, and just need a quick loan that they promise to pay back as soon as they return home. First of all, if you get e-mails such as this, do not reply and do not click the links. Doing so only tells the spammer that you're a real person who reads your e-mail, which makes your address more valuable to sell on to other spammers.


Let's dig into what these e-mails are and how they are being sent. There are three ways the spammer may be sending them: they've either hacked the e-mail account, or they're spoofing the person's e-mail address, their name, or both.


  1. Hacked E-mail Account
    If the user has been "phished", they may have unknowingly given the spammer the e-mail address and password they use to log in to their e-mail account. There are many ways spammers trick people into sharing their e-mail address and password. The most common is setting up a login page that looks exactly like the one the user normally uses to get into their e-mail. The spammer then sends the user a message about their mailbox being full, their invoice being unpaid, their account needing "confirmation", or any other tactic to trick the user into clicking the link to this fake login page. If the user was not phished, they may have accidentally visited a malicious website that stole the login credentials from their computer or installed keystroke-logging software on it. Last, the e-mail server itself may have been hacked and the passwords of all its users stolen by the hacker.

    Once the spammer has the user's login credentials for their e-mail address, it's as simple as plugging those into a custom script that logs into the user's e-mail account, selects people from their contact list / address book or recent contact history, and then starts sending the spam messages. Normally, when this happens, the user will see the spam messages in their "Sent Items" folder, unless the hacker took extra measures to delete them.

    The resolution for stopping the spam in the case of a hacked e-mail account is to have the user change their e-mail account password; remind them to use a secure password and urge them to use a different password for each online account or website. When people reuse the same password across websites, a hacker who breaks into the website of "Small Company A" gets that password, and if it's the same one you use for your e-mail, the spammer has all he needs.

  2. Spoofed E-mail Address
    Another way spammers send out these messages is by spoofing the user's e-mail address. The e-mail may appear to be coming from your friend's e-mail address, but if you inspect the headers of the e-mail, you'll see that the sending mail server does not match the one your friend normally e-mails you from. The easiest way to determine this is to look up the IP address of the sending e-mail server. If it's in another country, then you know the e-mail address has been spoofed. Enterprise e-mail systems, such as our Microsoft Exchange e-mail hosting service, have measures in place to check for spoofed e-mail and either block it or place it in your "Junk E-Mail" folder, assuming the user's e-mail service provider set up the correct SPF records on their end (which most legitimate e-mail service providers do).

  3. Spoofed First/Last Name
    The last way spammers send these messages is by spoofing the user's name. The e-mail might say it's from your friend, "John Smith", but if you look at the e-mail address it was actually sent from, it is not your friend's real e-mail address but some other address you don't recognize.
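As an added illustration of the header check described under method 2 (this is example code, not part of the original post), the Python script below pulls the connecting IP from the topmost Received: header and evaluates it against the sender domain's SPF record, the same check a mail system performs before filing a message as spoofed. The message, the domains and the SPF records are all constructed, and the DNS lookups are replaced by an in-memory table, so the script runs offline.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF records standing in for live DNS TXT lookups (not real policies).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:198.51.100.0/24 include:spf.example.net -all",
    "spf.example.net": "v=spf1 ip6:2001:db8::/32 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed message: From: claims john@example.com, but the topmost Received:
# line (written by the recipient's own server) records the real connecting IP.
RAW_MSG = """Received: from mail.example.com (unknown [203.0.113.10])
    by mx.recipient.example with ESMTPS id ABC123
    for <you@recipient.example>; Mon, 01 Jan 2024 10:00:00 +0000
From: "John Smith" <john@example.com>
"""

def last_hop_ip(raw):
    """Return the connecting IP recorded in the topmost Received: header."""
    received = message_from_string(raw).get_all("Received") or [""]
    m = re.search(r"\[([0-9a-fA-F.:]+)\]", received[0])
    return m.group(1) if m else None

def spf_check(domain, ip, depth=0):
    """Evaluate the ip4/ip6/include/all mechanisms of a domain's SPF record."""
    record = FAKE_DNS_TXT.get(domain)
    if record is None or depth > 10:  # no record, or runaway include chain
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qual = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
        if name == "include" and spf_check(arg, ip, depth + 1) == "pass":
            return QUALIFIERS[qual]
    return "neutral"  # record exhausted without a match

def check_message(raw):
    """Return (from_domain, last_hop_ip, spf_result). Real SPF evaluates the
    envelope MAIL FROM; the header From: is used here as the address you see."""
    _, from_addr = parseaddr(message_from_string(raw)["From"])
    domain = from_addr.rpartition("@")[2].lower()
    ip = last_hop_ip(raw)
    return domain, ip, (spf_check(domain, ip) if ip else "none")
```

For the constructed message the result is a hard "fail": 203.0.113.10 is not listed by example.com's record, which is exactly the mismatch between the claimed address and the actual sending server that the text describes.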


In methods #2 and #3, the spammer has usually had access to the user's e-mail account via method #1 and downloaded a copy of the user's contact list / address book or recent contact history, storing it for later use or selling it to another spammer. Unfortunately, once the spammer has the user's name and a list of their friends and colleagues, they can keep sending spam to those friends and colleagues using methods #2 and #3 for the rest of eternity, since they only needed that one-time access to the user's e-mail account to gather the data.


In summary, here are some steps you can take to prevent this from happening to you:

  • Use a secure password for your e-mail account and don't use that password for anything else.
  • When you log in to your e-mail account, go directly to the e-mail service provider's website. Don't search for them and then click one of the links in the search results (which could be a link to a phishing page).
  • NEVER click links in e-mails. If you get an e-mail from your bank asking you to login to your account, then do so by manually typing their website in your browser instead of clicking the link.
    If you must click a link in an e-mail, right-click on the link and select "Copy Hyperlink" / "Copy Shortcut" and then paste it into your browser, to be sure you're going to the page you expected (sometimes hyperlinks are masked to look like another link).
  • NEVER reply to the spammers or click 'unsubscribe' links in e-mails from non-reputable companies; that just tells them they got "a live one" and they'll start selling your address to their spammer buddies!
  • If you suspect your computer has been compromised, change your e-mail password immediately and call our Help Desk to have a free computer diagnostics check done on your computer to check for any malicious software that may have been placed on your system.