How Do Phishing Scammers Get Your Email Address? | EasyDMARC

How Do Phishing Scammers Get Your Email Address?

9 Min Read

Phishing scams are common cyber attacks that threaten organizations. Cyber actors use this technique to lure victims into giving out sensitive information like bank accounts, credit card numbers, and passwords. So, naturally, a question arises – what to do if a scammer has your email address?

In most cases, phishers approach their victim via email, posing as legitimate companies. For instance, you could receive a mail from your service provider telling you to renew your subscription by entering your card details. 

If you do, your bank details will fall into the wrong hands, and you’d lose money. Sometimes even worse – the access to your account.

But, “how do spammers get my email address,” or “why am I getting texts from random email addresses?” These are questions that will pop into your head. 

Read on to learn about the sources and methods used to collect electronic addresses. We’ll also walk you through the prevention mechanisms at the end of this article. 

Sourcing Email Addresses

Phishing scammers employ different methods to source their victim’s email addresses. Here are some popular techniques and tricks. 

Lists Bought From Dark Web or Data Providers

The Dark Web is the part of the World Wide Web that search engines like Google don’t index. You can only access them through special browsers. The content isn’t openly available via commercial browsers and needs more advanced computer knowledge to be accessed. Hence, it’s a breeding ground for cybercriminal activities, including buying and selling email addresses and other confidential data.

A 2019 study carried out by Dr. Mike McGuire reported that 60% of the dark web listings could potentially cause damages to organizations. On April 6, 2020,, a Russian-based email service provider, recorded 600,000 user data allegedly sold on the dark web.

Hackers can buy anything on the dark web, including stolen credit cards, subscription credentials, email addresses, usernames, passwords, and even breached Netflix accounts.

Another method threat actors use is buying credential lists from data providers like ZoomInfo, Visitor Queue, InfoDepots, or Callbox.

Once they own the data, they can use it for brute-force or social engineering attacks, credential stuffing, and as a result, account takeovers.

Openly Available Email Addresses on Social Media

Social media is a public sphere and a powerful tool that scammers deploy to find email addresses. Today, more than 90% of people post information online about their professional and personal lives. 

People gladly fill in all the information on most social media platforms and forget about it. This makes it pretty easy for scammers to pick up email addresses. Social media users should remember that everything they place on their social media profile is exposed – even if they control the privacy settings. 

Shockingly, attackers have access to more than your email address. They also have access to other sensitive personal data. They can use it to carry out phishing attacks such as whaling, Business Email Compromise, and email spoofing.

The top social media platforms where phishers can get your email include Facebook, Instagram, Twitter, and Linkedin.

Email Harvesting

Email harvesting is another technique scammers use to source their victim’s email address. Cyber attackers program bots to scout the internet for email addresses. The bots use the “@” symbol to identify any email format on websites and add it to a list. As a result, email harvesters gather thousands of email addresses within seconds. 

Fake Websites

Many phishing scammers develop look-alike websites to collect users’ information. The email usually asks you to subscribe to their mailing list or newsletter on the site. While you might think you’re signing up at a legitimate site, cyber attackers are in the background waiting to spam your inbox.
Use our legit website checker to check if a domain is legit.

Social Engineering Posts and Online Multiplayer Games

Social engineering involves manipulating victims to divulge sensitive or confidential information through human interactions. It plays on human emotions and rash decisions like clicking a link from an email with the “urgency” component.

Seemingly unharmful games and tests that use your social media account can also sell your credentials and profile contents to third parties.

Online multiplayer games are vulnerable to hacker attacks, too. You might gravitate towards better-known ones to ensure breaches get immediate coverage. But they aren’t necessarily protected from unfortunate mishaps. For example, Ubisoft’s famous video game series Just Dance was recently breached, leading to the loss of user information.

How to Prevent Your Email from Falling into the Wrong Hands?

We all communicate via email, sending sensitive information to our clients and business partners. That’s why email security is vital for organizations.

You’re not a stranger to opt-in pages, newsletters, and third-party subscriptions if you use the internet. If you want to get valuable information, marketers collect information about yourself or your name and email on their websites.

Whether you’re using a company email address to get that interesting professional report from your favorite website or your personal one to sign up for a fitness class, you’re in the risk group.

So, what can scammers do with your address? Spamming your inbox is just the tip of the iceberg. They can use it for account takeovers, contact harvesting, stealing sensitive information, and man-in-the-middle attacks.

We’ve collected a few tips and sorted them into stages. Learn how to stay on top of where your email address has been used and if it’s already fallen into the wrong hands.

Before You Sign Up or Opt-In

Your journey starts the second you decide to subscribe to a service or opt-in to get a newsletter. Here are a few tips to follow before typing your email and personal details like name and age into a website.

Read Ts and Cs on Third-Party Apps Before Signing Up

When signing up on any third-party app, you’ll be presented with a lengthy list of terms and conditions that you need to read and agree to before proceeding. Most apps have a “I have read and agree to the Ts and Cs” box that you need to check. 

Many users agree to these legal terms without reading them – this is not the best practice. Reading the Ts and Cs will give you more insight into the business, which can help you avoid numerous privacy issues.

Learn What Information Plugins Collect and How They Treat It

Plugins, also known as add-ons or extensions, are computer programs that add new features to a host program without changing the host itself. Most plugins collect personal data like names, addresses, and other information that identify a user. 

When you know the kind of information your plugins collect and how they handle it, you can make informed decisions to protect yourself and your information better.

Don’t Leave Your Email on Websites You Don’t Trust

Many blogs, websites, and forums might request that you input your email address before accessing their content. We recommend that you avoid leaving personal details on websites you don’t trust. Alternatively, you can use disposable email addresses

Additionally, Apple’s latest feature for iPhone users, Hide my Email, lets you hide your email address during:

  • Account creation
  • Sending a mail to an unknown person
  • Newsletter sign-ups

The feature also lets you generate burner emails, so you won’t need to send your private email. Remember, once your email is exposed, it can quickly spread to other contacts on your list.

Educate Yourself About Cyberthreats

What you don’t know can result in security risks. So, security programs and training are vital to mitigate cyberattacks. Phishing and social engineering are among the significant threats in cyberspace. Defensive solutions alone aren’t enough to protect against increasingly advanced cyber threats. 

Organizations must educate their employees on protecting their email and identifying phishing attacks. Remember that phishing scammers don’t hack a company; they compromise employees to access company assets.

Periodic Checks of Your Existing Accounts

We believe that staying up-to-date with cyberthreat reports and keeping an eye on accounts where your email has been used is vital.

For example, did you know that most recently, in October 2021, Facebook experienced an outage that resulted in a data leak? Sensitive data of over 1.5 billion Facebook users was on sale on the dark web. The data includes full names, email addresses, location, gender, and phone numbers. is a fantastic tool that tells you whether your email has been found in any leaks and data breaches. Enter your email address, and the site will check it across multiple data breach records. It’ll name the app or website that compromised your email address.

After a Data Breach

Well, checking is one thing, but what to do if a scammer has your email address? Don’t worry, and there are a few roads you can take:

  • Change your third-party app password: This ensures that you don’t allow hackers to compromise your account further or take it over.
  • Contact the support: You might want to contact the app’s customer service to ask them about the breach and the steps they’ve taken to secure their users.
  • Delete your account or unsubscribe: If you want to stay away from the app or newsletter, you can just delete your account or unsubscribe from their lists.

These tips might not revert anything that has already happened, but you’ll be able to get back the sense of security from that point on.


Phishing scams are nothing new, nor are they going anywhere. However, the security of your data is always in your hands. Whether you’re an individual trying to protect your email from phishing threats or a company’s CEO aiming to guard the business infrastructure and assets, you need to deal with phishing protection.

Given the methods hackers use to gather email addresses, you need to stay alert and check your email infrastructure against cyber threats. Most importantly, you need to learn how to prevent your email from getting into the wrong hands. 

So educate yourself on cybersecurity, read third-party app terms and conditions before signing up, and check your existing accounts regularly.

Stay safe!

Content Team Lead | EasyDMARC
Hasmik talks about DMARC, email security, and cyberawareness. She finds joy in turning tough technical concepts into approachable and fun articles in plain language.


Inline Feedbacks
View all comments

succees We’re glad you joined EasyDMARC newsletter! Get ready for valuable email security knowledge every week.

succees You’re already subscribed to EasyDMARC newsletter. Continue learning more about email security with us