It’s kind of fun to see a friend’s smiling face as their email address picture when you open an email from them. But there is a little-known danger to having a contact picture associated with someone who sends you email: those contact images are displayed even if the email is from someone who has hijacked your friend’s email address, which happens all the time with phishing, scamming and spamming. Note that we aren’t talking about your friend’s email account being hacked; we are talking about someone merely using your friend’s email address as their own return address. It’s called “spoofing”, and any scammer or spammer can put your friend’s email address as their own “from” address. What this means is that any scammer can send you email “from” your friend’s email address, and your email program will display the address book picture you have set as the contact image.
Many, if not most, people, seeing their friend’s image in that email, will have a false sense of security that the email really is from their friend. It’s as if the address book image being present in the email somehow proves it’s really from their friend; subconsciously, when we see our friend’s image in email that claims to be from them, we think that it authenticates the email, somehow proving that it is really from them, which in turns means that we get careless about opening links or attachments that come in that email.
Well, that image doesn’t actually prove anything other than that your email program associates that image with that “from” address. And here are real-life examples to prove it.
This is our friend:
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
Let’s call her Susan, for the sake of this article. We have Susan in our email address book (both Mac, and Android):
Mac address book:
Android address book:
When Susan sends us an email, this is what we see at the top of the email:
Mac email program:
Android email:
Now, we asked a few of our more techie friends to pretend they were Susan – to spoof her email address – and send us email.
Check it out – each of these below emails are spoofs, each sent by a different person. Susan did not send these – someone pretending to be her, and using her email address, did:
In the case of the last one, they didn’t even spoof their name – they used their real name, but Susan’s email address, and our email program still displayed Susan’s picture.
So what is the lesson here? The lesson is that you should *always* question any incoming email that has an attachment, or contains a link, before opening the attachment or clicking on the link, even if the email comes “from” a friend. And that the image of your friend’s face in that email doesn’t mean anything in terms of whether the email is really from your friend or not.
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
Very useful. I don’t associate pictures with senders anyway – but who knows I might have done sometime in the future. Forewarned is forearmed. Thanks Anne
Ted, it is a problem on smart phones as well; the Android images came from an Android phone.
I wonder if this is also a problem on “Smart” phones.