When you write a letter in real life, there’s nothing stopping you from putting any return address you want on the top of the envelope to potentially mislead the recipient as to its origins. In theory, that’s a security hole that email is not supposed to have; when you send an email to someone, the address you sent it from is attached to it automatically, and you’re not given the option to edit or alter this information.

Unfortunately, that’s not exactly true. A hacking technique called “spoofing” does indeed make it possible for emails to appear to be coming from one address while actually being sent from another. Hackers use this technique to lull recipients into a false sense of security with a sender address that appears to be familiar and legitimate. The emails that they send generally either contain an attachment with malware, or will attempt to cause the recipient to click on a link in the email body that leads to an attack page that attempts to force malware onto the computer.

How Spoofing Works

Individual domains vary in their sophistication and security when it comes to protecting against spoofed and spammed emails. When a hacker finds a domain that isn’t properly protected, they can very easily alter emails sent from anywhere to appear to be coming from an email address at that domain. What’s worse, if they are using a legitimate email address recognized by the domain’s mail server, the domain may automatically attach things like profile pictures to make the email look even more legitimate even though it never actually passed through that account.

If you receive a spoofed email, it doesn’t necessarily mean the sender’s email account has been hacked — but it does mean the hacker knows something about you. While the hacker may have done research to personally target you, there are also malware “worms” that will rifle through address books once installed and automatically try to spoof emails from one listing in them to another.

How To Stop Spoofed Emails

One of the big problems with spoofed emails is that you can’t rely on spam filters and similar automated tools to stop them. If a hacker manages to spoof an address that your email client already trusts, it’s extremely likely to make it through to your inbox even if you have excellent spam and virus protection.

Familiarity with the behavior of your contacts is the biggest factor in spotting something hinky. Did they send you an email with a weird title, for example? Or did they send you an attachment when you weren’t expecting one? How about if they start asking for money out of the blue? Or if they seem to really want you to follow a link to something in the body of an email? These are all red flags that it’s not your friend or associate at the other end, but a hacker who has managed to spoof their account.

The first step in spoofing protection is in understanding how hackers will try to attack you. Unless you have your email account set to automatically download or execute attachments, you can’t be hit with malware just by opening and reading the text in an email. For their attack to work, they need you to either open an attachment or follow a link to an attack site. If you weren’t expecting a file attachment from someone, call or contact them on instant messaging or social media first to verify before downloading it, or send them an email about it by opening a new message and manually entering their address from your contacts list (autocomplete is OK, just don’t hit “reply” to the suspected message).

The second step is in learning how to check email headers. Though spoofers can fake the “sent from” address, they can’t fake the unique IP address that each email account sends from. This is a series of four groups of digits separated by dots — for example, 12.34.56.78 would be what an IP address looks like. Match the IP address seen in the suspected message to the ones seen in previous legitimate messages from your contact. Now, this isn’t foolproof, as some people have “dynamic” IP addresses that change periodically. However, they will still likely be coming from the same general geographical area. You can check this by entering it at a site like IP Location. If your contact is in California and the suspect email came from Romania, it’s safe to assume it’s bogus.