How Cybercriminals Get Your Email Address

How Cybercriminals Get Your Email Address

A client recently called us out of frustration with a phishing email. He demanded to know why we couldn’t stop cybercriminals from emailing him.  He’s tired of worrying about clicking on links and attachments.  He wanted to know how he could keep his email address out of the wrong hands.  Here’s how cybercriminals get your email address.

The sad truth is, if you use email, your address is out there.  Everywhere.  There’s no stopping it.  If you have multiple addresses, those other addresses are out there, too.


There are several ways email addresses escape into the wild, and not all of them are nefarious.  In fact, sometimes you volunteer them.  For example:

  • You send and receive emails every day.
  • You subscribe to useful newsletter and group lists.
  • You post to social media or online lists and include your email address.

Recently, the writer’s site Substack disclosed my company email address to at least 500 people. How? They sent an Outlook email to 500 people (including me) that showed everyone’s email addresses in the “To” line.  Fortunately, they quickly caught the error and sent an apology email (with the addresses hidden).  But the potential damage was done.  Worse, I don’t even remember why Substack had my email in the first place.


Of course, cybercriminals go looking for email addresses, too.  They can research, steal or buy credentials using both high-tech and low-tech methods.

With the right approach, would-be hackers can use open source intelligence to find email addresses. Open source intelligence is data collected from publicly available sources which are usually easily available and legal.

Bad guys also steal email addresses by going phishing.  Sometimes they research the addresses, but often they create a sea of tens of thousands of email addresses and hope to entice someone to “bite” by clicking.

As TechGenix points out, more creative types can even use a company directory of names only (no email addresses) and algorithmically generate probable email addresses for individuals who work for the company. For example:


One of these formats is likely to work, and if not, there are always other formats to test.

The Dark Web is teeming with tools for buying stolen email addresses, along with passwords and other sensitive information.  That’s why it’s important to continuously monitor your credentials on the Dark Web and frequently change your passwords.


While you can’t keep your email address under lock and key, you can defend yourself.

From a technical standpoint, use a combination of different tools to provide layers of security.  At a minimum, deploy regularly-updated anti-virus and anti-malware, email filtering to help keep hazardous emails out, and keep your machines patched.  You can add two-factor authentication, email encryption and other services to further reduce the risk.

To answer our client’s question, unfortunately a few crafty emails will get past even the most sophisticated filters. In those cases, think of yourself as a “human firewall”.  Know how to identify suspicious emails, take advantage of your company’s cybersecurity training and don’t click!

If you’d like to know more about how CRU Solutions can help keep your business safer, contact us.