I Think I Got Hacked — Why Email Spoofing Is Probably the Real Culprit

Jan 31, 2026 | Digital Marketing for West Michigan Business

Guest post by Keenan Conner, TC Technologies  |  [email protected]  |  269-568-8062

TL;DR: If someone is sending emails that look like they came from you or your colleagues, your account probably was not hacked. It is called email spoofing, and it is more common than you think. The good news: your team can learn to spot it, and your domain can be configured to make it much harder to pull off.

If you’ve ever gotten a panicked call from a client, an employee, or even a family member saying “I think my email got hacked” — there’s a good chance what actually happened was far less catastrophic. It’s called email spoofing, and it’s one of the most misunderstood threats hitting small businesses and organizations right now.

We see it constantly. A real estate agent gets a message that appears to be from his business partner — but the sending address is a random Gmail account. A nonprofit board member receives a suspicious email from what looks like the executive director. Two agricultural associations start getting scam emails that seem to come from their own members. In every single case, the first reaction is the same: “We got hacked.”

You almost certainly weren’t. Here’s what’s really going on — and what you can actually do about it.

What Is Email Spoofing?

Email spoofing is when a scammer manipulates the visible “From” name and address in an email to make it look like it came from someone you know and trust. Think of it like putting a fake return address on a paper envelope. The postal service doesn’t verify it — and most email systems don’t automatically verify it either.

The scammer hasn’t touched your email account. They haven’t logged in, they don’t have your password, and your data hasn’t been breached. They’ve simply copied your name — or your colleague’s name — and attached it to their own shady email address. Then they send it out hoping someone doesn’t look too closely at the actual sending address.

“They are preying on people to not see the email address, assume they know the person, and respond — luring them into a conversation with someone they trust.”

Why Does This Keep Happening to Us Specifically?

This is the question we get asked most often, and the answer is uncomfortable but important: your information is public.

Every time your organization publishes a staff directory, a board member list, a membership roster, or a contact page — that data is harvestable. Scammers use automated tools to scrape websites and build target lists. They look for people who know each other, work together, or share an industry. Then they craft emails that look like they came from within that circle of trust.

We’ve seen this hit nonprofits especially hard. When board member names and emails are published publicly for transparency — which is completely reasonable and often required — it creates a ready-made target list. The same goes for agricultural associations, real estate networks, and any industry where members publicly list their affiliations.

“When associations publish their board members and membership email addresses on their website, they are public. It’s common for scammers to send emails spoofing your addresses to each other, as you are likely known associates.”

Your website probably isn’t the only source — LinkedIn, Facebook, press releases, and event programs are all fair game. But if you’re asking where they got your names? Start there.

The Direct Deposit Scam: One of the Most Common Plays

One of the most frequent versions of this scam follows a predictable script. Someone receives an email that appears to be from a coworker, boss, or colleague. The email says something like: “Hey, I changed banks — can you update my direct deposit information?”

This is a social engineering attack. The goal is to get payroll or accounting staff to redirect a real paycheck to a fraudulent account before anyone realizes what happened. It’s devastatingly effective because it doesn’t require any technical hacking — just a believable name and a sense of urgency.

The rule here is simple: Any request involving money, account changes, or sensitive information that comes through email needs to be verified by phone or in person — every single time, no exceptions. Do not reply to the email to confirm. Call the actual person directly.

How to Spot a Spoofed Email

The good news is that spoofed emails almost always give themselves away when you know what to look for. The most reliable tell is the actual sending email address — not just the display name.

In Gmail, click the three-dot menu and select “Show Original” to see full header details. In Outlook, open the email and view the message properties or headers. What you’re looking for is whether the actual sending domain matches the person you think sent it. A spoofed email from your “CEO” might show a display name of John Smith but a sending address of [email protected].

Other red flags to train your team on:

  • Urgency around money, passwords, or login credentials
  • Requests to bypass normal processes (“don’t go through HR, just send it directly to me”)
  • Slight misspellings in the email address or domain
  • Receiving an email “addressed to someone else” — a sign the scammer is casting a wide net

What Actually Stops Spoofing at the Technical Level

Here’s where we circle back to the IT side of things. While you can’t stop bad actors from trying to spoof your domain, you can make it dramatically harder — and you can ensure that well-configured email servers (like Google and Microsoft) reject those messages before they ever reach anyone’s inbox.

The three tools that do this are SPF, DKIM, and DMARC. In plain English:

SPF tells the email world which servers are authorized to send mail from your domain. If a message comes from anywhere else, it can be flagged or rejected.

DKIM adds a cryptographic signature to your outgoing emails so recipients can confirm they were sent by your domain’s mail system and haven’t been tampered with in transit.

DMARC ties it all together. It checks that the domain in the visible “From” header is the same domain that passed SPF or DKIM (called alignment), which is what catches a message that borrows your address but was sent from elsewhere. It also tells receiving email servers what to do when a message fails those checks — whether to quarantine it, reject it outright, or simply report it.

If your domain doesn’t have all three configured properly, your email is significantly more vulnerable to being spoofed — and spoofed emails using your domain are more likely to land in inboxes instead of spam folders. Ask your IT provider or email administrator to verify these are in place. It’s one of the highest-value, lowest-cost security improvements available to small businesses.
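The header checks described under “How to Spot a Spoofed Email” and the SPF/DKIM/DMARC verdicts above can be automated. The script below is an added example, not code from the original post or from TC Technologies: it reads a raw message (what “Show Original” displays), compares the display name’s claimed domain against the real From, Reply-To and Return-Path domains, and reads the SPF/DKIM/DMARC results a receiving server records in its Authentication-Results header. The sample message, the domains and the `expected_domain` parameter are all constructed for illustration.

```python
# Added example (not from the original post). Flags the spoofing tells a reader
# would otherwise have to spot by eye in the raw headers. All sample data is constructed.
import email
import re
from email.utils import parseaddr

def auth_results(msg):
    """Collect method=verdict pairs (spf=pass, dmarc=fail, ...) from Authentication-Results."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            results.setdefault(method.lower(), verdict.lower())
    return results

def domain_of(header_value):
    """Lower-cased domain of the first address in a header value ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def spoof_flags(raw_message, expected_domain):
    """Red flags for a raw RFC 5322 message, given the domain the displayed
    sender should be using. An empty list means no tell was found."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    flags = []
    if from_domain != expected_domain.lower():
        flags.append(f"'{display_name}' sent from {from_domain}, not {expected_domain}")
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To goes to {reply_domain}, a different domain than From")
    envelope_domain = domain_of(msg.get("Return-Path"))
    if envelope_domain and envelope_domain != from_domain:
        flags.append(f"Return-Path domain {envelope_domain} does not align with From")
    for method, verdict in auth_results(msg).items():
        if verdict != "pass":
            flags.append(f"{method.upper()} result is '{verdict}'")
    return flags

# Constructed sample: the visible From is the director's real address, but the
# envelope sender and Reply-To point elsewhere and the receiver recorded a DMARC fail.
SAMPLE_SPOOFED = """\
Return-Path: <mailbox1234@example.net>
Authentication-Results: mx.example.org;
  spf=pass smtp.mailfrom=example.net; dkim=none; dmarc=fail header.from=example.org
From: "Jane Director" <jane.director@example.org>
Reply-To: <mailbox1234@example.net>
To: treasurer@example.org
Subject: Quick favor

Can you update my direct deposit details before Friday?
"""
```

Running `spoof_flags(SAMPLE_SPOOFED, "example.org")` reports the Reply-To and Return-Path mismatches plus the DKIM and DMARC failures; a message whose From domain is a free-mail account instead is flagged on the first check alone.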

One more note: not all email providers are equal here. Higher-tier providers like Google Workspace and Microsoft 365 have robust spam detection and filtering built in. Cheaper hosting-bundled email solutions often don’t offer the same level of protection — something worth considering if you’re still on a shared hosting email plan.

The Bottom Line

Email spoofing is not a sign that you were hacked. It’s not a website vulnerability. It’s not a sign that something is wrong with your systems. It’s a sign that your name is known — which, for a functioning business or organization, is unavoidable.

What you can control is how prepared your team is to recognize it, and whether your domain has the right technical safeguards in place to make spoofing harder. Those two things together — staff education and proper email authentication — are your best defense.

“There is no way to prevent them entirely. You’re a business with information available to the public. But you can make your team much harder to fool.”

Frequently Asked Questions

Does email spoofing mean my account was actually hacked?

Almost certainly not. Spoofing means a scammer used your name and email address in a fake message — they never logged into your account, accessed your password, or touched your data. If you want to be sure, check your account for any logins from unfamiliar locations, but in most spoofing cases the account itself is completely untouched.

How do I check whether an email is really from who it claims?

Look at the actual sending address, not just the display name. In Gmail, click the three-dot menu and choose “Show Original.” In Outlook, view the message properties or headers. The real sending domain should match the person or organization you expect. If it doesn’t — even if the display name looks right — treat the email as suspicious.

What are SPF, DKIM, and DMARC, and do I need all three?

Yes, you need all three working together. SPF tells the email world which servers are allowed to send on behalf of your domain. DKIM adds a cryptographic signature to your outgoing mail so recipients can verify it wasn’t tampered with. DMARC tells receiving servers what to do when a message fails those checks — reject it, quarantine it, or flag it. Without all three configured correctly, your domain is much easier to spoof.

What should I do if I get a suspicious direct deposit or payment request by email?

Do not reply to the email. Call the person directly using a phone number you already have on file — not one provided in the email. Any request to change bank account information, redirect payments, or update payroll details should be verified by a separate communication channel every single time, no exceptions. This one habit alone can prevent costly fraud.

Can spoofing be stopped completely?

Not entirely — but it can be made significantly harder. Proper SPF, DKIM, and DMARC configuration will cause well-configured email servers like Google and Microsoft to reject or filter spoofed messages before they reach inboxes. Staff training is the other half of the equation. Together, these two layers make your organization a much harder target.

Not Sure If Your Domain Is Protected?

A quick email authentication audit can tell you exactly where you stand — and what to fix. Reach out and we can point you in the right direction.

Keenan Conner is a Microsoft-certified IT specialist at TC Technologies, helping businesses across Michigan stay secure, connected, and productive. Questions about your email security setup? Reach Keenan at [email protected] or 269-568-8062, or visit www.tctechnologies.us.
