In most cases, receiving a scam email that appears to be from your own address does not mean you have been hacked. Instead, scammers use a technique called spoofing to forge the "From" field in an email header to make it look legitimate in order to trick you.
How Spoofing Works
Email protocols (like SMTP) were originally designed without strong sender verification. This allows scammers to:
- Forge the "From" address: Scammers can manually input any address into the sender field, similar to writing a fake return address on a physical envelope.
- Bypass filters: Emails from "yourself" are less likely to be flagged by basic spam filters.
- Create panic: These are often used in "sextortion" or "hacking" scams, where the scammer claims to have access to your account as proof of their threat.
If You Were Actually Hacked
To confirm your account's security, take these immediate steps:
- Check your "Sent" folder: If the email is not in your Sent folder, it was likely spoofed and not sent from your actual account.
- Review login activity: Most providers (like Microsoft or Google) allow you to view a history of devices and locations that have logged into your account.
- Inspect email headers: View the "message source" or full headers to see the true originating server and IP address, which, for a spoofed message, will not belong to your own email provider.
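The header check above, as an added example that is not part of the original article: a small Python script that parses a raw message with the standard library and reports the From: domain, the host named in the earliest Received: hop, and the SPF/DKIM/DMARC verdicts your provider records in the Authentication-Results header. The sample message is constructed; its addresses, hostnames and IP are placeholders.

```python
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Constructed sample (not a real message): a self-addressed scam whose
# From: is forged. The receiving server's own Received: line and
# Authentication-Results: header expose the true origin and failed checks.
SPOOFED_RAW = """\
Received: from mail.example.net (unknown [203.0.113.5])
\tby mx.example.com with ESMTP id abc123
\tfor <alice@example.com>; Mon, 01 Jan 2024 10:00:00 +0000
Authentication-Results: mx.example.com;
\tspf=fail smtp.mailfrom=example.com;
\tdkim=none;
\tdmarc=fail header.from=example.com
From: Alice <alice@example.com>
To: alice@example.com
Subject: I have access to your account

Pay now or else.
"""

def triage_headers(raw: str) -> dict:
    """Summarise the sender-authenticity signals in a raw email message."""
    msg = Parser(policy=policy.default).parsestr(raw)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    # Each Received: hop names the host it accepted the mail from. Headers are
    # prepended as mail travels, so the last one is the hop nearest the sender.
    origin = None
    for hop in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", str(hop))
        if m:
            origin = m.group(1).lower()
    # Authentication-Results records the receiver's SPF/DKIM/DMARC verdicts,
    # e.g. "spf=fail", "dkim=none", "dmarc=fail".
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    results = {k: v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth)}
    # DMARC is the check tied to the visible From: domain; fall back to SPF.
    verdict = results.get("dmarc") or results.get("spf") or "none"
    return {
        "from_domain": from_domain,
        "origin_host": origin,  # compare with from_domain by eye
        "origin_in_from_domain": bool(origin) and origin.endswith(from_domain),
        "auth": results,
        "likely_spoofed": verdict != "pass",
    }

if __name__ == "__main__":
    print(triage_headers(SPOOFED_RAW))
```

Paste a real message's source into the raw string to run the same triage: mail that genuinely left your provider normally shows dmarc=pass, while a spoof typically shows spf=fail or dmarc=fail and an origin host unrelated to your provider.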
Recommendation
- Do not interact: Never click links, open attachments, or reply. Replying confirms your email address is active, which can lead to more spam.
- Report as spam: Use your email provider's "Report Spam" or "Report Phishing" button. This helps their filters learn to catch these spoofed messages.
- Strengthen security: Even if you haven't been hacked, use this as a reminder to:
  - Change your password to something strong and unique.
  - Enable Two-Factor Authentication (2FA) for an extra layer of protection.
- Ignore threats: If the email claims to have compromising videos or access to your webcam (sextortion), it is almost certainly a bluff. Delete it and move on.