How Cybercriminals Get Your Email Address

How Cybercriminals Get Your Email Address

A client recently called us out of frustration with a phishing email. He demanded to know why we couldn’t stop cybercriminals from emailing him.  He’s tired of worrying about clicking on links and attachments.  He wanted to know how he could keep his email address out of the wrong hands.  Here’s how cybercriminals get your email address.

The sad truth is, if you use email, your address is out there.  Everywhere.  There’s no stopping it.  If you have multiple addresses, those other addresses are out there, too.


There are several ways email addresses escape into the wild, and not all of them are nefarious.  In fact, sometimes you volunteer them.  For example:

  • You send and receive emails every day.
  • You subscribe to useful newsletter and group lists.
  • You post to social media or online lists and include your email address.

Recently, the writer’s site Substack disclosed my company email address to at least 500 people. How? They sent an Outlook email to 500 people (including me) that showed everyone’s email addresses in the “To” line.  Fortunately, they quickly caught the error and sent an apology email (with the addresses hidden).  But the potential damage was done.


Of course, cybercriminals go looking for email addresses, too.  They can research, steal or buy credentials using both high-tech and low-tech methods.

With the right approach, would-be hackers can use open source intelligence to find email addresses. Open source intelligence is data collected from publicly available sources which are usually easily available and legal.

Bad guys also steal email addresses by going phishing.  This could take the form of an email with a dangerous link or even a fake sign-up form.  Sometimes they research the addresses, but often they create a sea of tens of thousands of email addresses and hope to entice someone to “bite” by clicking.  The widespread use of AI only makes this easier.

More creative types can even use a company directory of names only (no email addresses) and algorithmically generate probable email addresses for individuals who work for the company. For example:


One of these formats is likely to work, and if not, there are always other formats to test.

In addition, millions of user credentials exposed through data breaches are for sale on the Dark Web.  The Dark Web is teeming with convenient tools for buying stolen email addresses, along with passwords and other sensitive information.  That’s why it’s important to continuously monitor your credentials on the Dark Web and frequently change your passwords.


While you can’t keep your email address under lock and key, you can defend yourself.

From a technical standpoint, use a combination of different tools to provide layers of security.  At a minimum, use email two-factor authentication, email filters to help keep hazardous emails out, and keep your machines patched.

To answer our client’s question, unfortunately a few crafty emails will get past even the most sophisticated filters. In those cases, think of yourself as a “human firewall”.  Know how to identify suspicious emails, take advantage of your company’s cybersecurity training and don’t click!

If you’d like to know more about how CRU Solutions can help keep your business safer, contact us.