Why Contact Pictures in Your Email Address Book Can Be Dangerous

The Internet Patrol - Patrolling the Internet for You

It’s kind of fun to see a friend’s smiling face as their email address picture when you open an email from them. But there is a little-known danger to having a contact picture associated with someone who sends you email: those contact images are displayed even if the email is from someone who has hijacked your friend’s email address, which happens all the time with phishing, scamming and spamming. Note that we aren’t talking about your friend’s email account being hacked; we are talking about someone merely using your friend’s email address as their own return address. It’s called “spoofing”, and any scammer or spammer can put your friend’s email address as their own “from” address. What this means is that any scammer can send you email “from” your friend’s email address, and your email program will display the address book picture you have set as the contact image.

Many, if not most, people, seeing their friend’s image in that email, will have a false sense of security that the email really is from their friend. It’s as if the address book image being present in the email somehow proves it’s really from their friend; subconsciously, when we see our friend’s image in email that claims to be from them, we think that it authenticates the email, somehow proving that it is really from them, which in turns means that we get careless about opening links or attachments that come in that email.


Well, that image doesn’t actually prove anything other than that your email program associates that image with that “from” address. And here are real-life examples to prove it.

This is our friend:

image-for-spoof-article

No Paywall Here!
The Internet Patrol is and always has been free. We don't hide our articles behind a paywall, or restrict the number of articles you can read in a month if you don't give us money. That said, it does cost us money to run the site, so if something you read here was helpful or useful, won't you consider donating something to help keep the Internet Patrol free?
Click for amount options
Other Amount:
What info did you find here today?:

 

Let’s call her Susan, for the sake of this article. We have Susan in our email address book (both Mac, and Android):

Mac address book:

address-book-image

 

 

Android address book:

 

android-contact-image

 

When Susan sends us an email, this is what we see at the top of the email:

 

Mac email program:

 

mac-email-address-book-image

 

Android email:

 

android-address-book-image

 

Now, we asked a few of our more techie friends to pretend they were Susan – to spoof her email address – and send us email.

Check it out – each of these below emails are spoofs, each sent by a different person. Susan did not send these – someone pretending to be her, and using her email address, did:

 

spoofed-message-a

 

spoofed-mail-b

 

spoofed-email-c

 

In the case of the last one, they didn’t even spoof their name – they used their real name, but Susan’s email address, and our email program still displayed Susan’s picture.

So what is the lesson here? The lesson is that you should *always* question any incoming email that has an attachment, or contains a link, before opening the attachment or clicking on the link, even if the email comes “from” a friend. And that the image of your friend’s face in that email doesn’t mean anything in terms of whether the email is really from your friend or not.

No Paywall Here!
The Internet Patrol is and always has been free. We don't hide our articles behind a paywall, or restrict the number of articles you can read in a month if you don't give us money. That said, it does cost us money to run the site, so if something you read here was helpful or useful, won't you consider donating something to help keep the Internet Patrol free?
Click for amount options
Other Amount:
What info did you find here today?:

3 thoughts on “Why Contact Pictures in Your Email Address Book Can Be Dangerous

  1. Very useful. I don’t associate pictures with senders anyway – but who knows I might have done sometime in the future. Forewarned is forearmed. Thanks Anne

  2. Ted, it is a problem on smart phones as well; the Android images came from an Android phone.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.