(Unless you know you sent them to yourself, that is!)
Earlier today I got an email from a client claiming that his email had been hacked. That obviously worried me, so I jumped into action to investigate. It turned out that he hadn’t been hacked, but rather been “spoofed”.
It’s a common technique of spammers and hackers to mess with outgoing email headers to make it seem like an email is coming for your own account. Generally these emails will have an attachment (which you should never open) and not much else.
Natural curiosity means that you’ll want to open it, or at least investigate it, especially if somehow you think you sent the file to yourself. More than likely, these hackers are hoping that you did recently send a file to yourself, and you confuse the real one with their virus. It’s a long shot, but 1 in 1000 sent a couple million times is a pretty good take.
Real World Example
Check out this email:
Weird, I didn’t send that. So I open it:
What in the world? I don’t remember sending this to myself. But it says it’s from me.
How I Did It
It’s an incredibly simple thing to do. When talking about sending emails programmatically, programmers have full control over all of the superficial headers that get placed on the email. Here’s my code:
<?php $headers = 'From: firstname.lastname@example.org' . "\r\n" . 'Reply-To: email@example.com' . "\r\n" . 'X-Mailer: PHP/' . phpversion(); $send = mail('firstname.lastname@example.org', 'See, I can pretend to be anyone!', 'But headers never lie! Always check the headers or better yet, delete emails you know you did not send!', $headers);
But having full control does not mean that your email server won’t be able to tell a fake from a real email, and almost always does.
No, you’re not going crazy, you didn’t forget about an email you sent yourself. Hackers are giving you a bait-and-switch hoping you’re having an off day and willing to click an email that appears to be from yourself.
But look again at the headers on the programmatic email I sent, and compare it to an email I actually sent myself:
Notice anything different between the two? One set off a bunch of red flags, the real one did not.
Be safe, and always be careful with email!