Help – my email got hacked! No, it probably didn’t

Print Friendly, PDF & Email

A few times each month, I’ll get a phone call or an email from someone who thinks their email account has gotten hacked into. And why do they think that? Because their inbox is filling up with emails that are bouncing back, that say “This email message could not be delivered”. They might get a few of these bounced emails, or a dozen, or even a hundred. At first glance, it looks like all of these emails were sent from this person’s email account. But in most cases, no one has hacked into their email account.

email hack

Let’s say I wanted to send someone an email, and I wanted to make them think it came from someone else. For example, maybe my friend Maria is a big fan of Oprah Winfrey and I want to play a little prank on Maria by sending her an email “from” Oprah Winfrey. Do you know how easy this is to do? Pretty easy.

You do need an email program though, such as Outlook. If you don’t have Outlook, you can use Windows Live Mail (which is free). My email program is Outlook so I will use that for the example screenshots.

If you already use Outlook for your email, it’s already set up with all of your genuine account information – that’s how it’s able to send and receive your email. But for this little trick, you need to go into the email settings and change a few things. The settings window looks like this:

email hack


You can see there are 3 main sections. In order for your email to send and receive properly in your account, the “Server Information” and “Logon Information” sections cannot be changed. However, with few exceptions, you can put whatever you want in the first section, “User Information”.

So if we want to pretend we’re someone else that sent the email, we just change the information in that top section. It might look like this (I don’t actually know Oprah’s email address):

email hack


With those settings in place, I can send out an email to impersonate Oprah. When my friend Maria receives it, she would see something like this:

email hack


If she clicks “Reply”, her Reply email will be addressed to (not to me, even though I actually am the one that sent the email). If the email that I sent bounces, it will bounce back to the “From:” address (not to me, even though I sent it). That’s the important thing to note here – anytime an email bounces, it bounces back to whatever address is listed in the “From:” field.

So with that example in mind, let’s look at how this is used in the real world – by spammers.

A spammer might have a list of a million email addresses that he wants to send to. He wants to send his spam email out to those millions of people, but of course he doesn’t want them to know that HE is the one that sent it. So he puts a different email address in the “From:” field. He might even put YOUR email address as the “From:” address.

See where we’re going with this?

He sends out those million emails, and most of them get delivered to the proper recipient (even if they go to the Spam folder, they at least made it to the right email address). But with that many emails, some of them are going to be outdated or incorrect. So they bounce. And guess where they bounce? You guessed it – they bounce back to the “From:” address, and if that’s your email, they start showing up in your inbox.

That’s how you end up with all those bounced emails in your inbox, that appear to have been sent from you, but they really weren’t. And the spammer didn’t have to hack into your email account in order to make that happen. All he needed was an email address, and he happened to use yours. Bad luck for you, but at least your email account hasn’t been compromised.

It’s like if you mailed out 100 letters by snail mail, and instead of your own address in the top left corner of each envelope, you put your neighbor’s address. If the Post Office returned any of those, they would be returned to your neighbor, not you.

How to verify that your email account is safe: just look in the “Sent” folder and see if any of those bounced emails show up there as actually having been sent from your account. If they aren’t there, your account didn’t send them.

Disclaimer: there are exceptions (although very unlikely) to this explanation. And the scammers and spammers are constantly dreaming up new ways to game the system. But for the most part the scenario I talked about is the most common procedure.

And as always, if your email password consists of one or more pronounceable words, or is easy to remember, it’s going to be easy for the bad guys to guess – so change it to a strong one today!

listen to my podcast in iTunes

Share this post