    Scammers Can Now Fake Emails That Look Like They Come From Anyone: How to Spot Them

    A widespread security problem called Ghost-Sender lets attackers send emails that appear to come from trusted sources. Here is how to protect yourself.

    Source: Dark Reading

    Original headline: Microsoft Exchange Flaw Lets Attackers Spoof Any Email Address

    Plain-English summary by GetCyberRight. Read the full report at the source above.

    Published Tuesday, June 9, 2026. Updated Wednesday, June 10, 2026.

    A security vulnerability affecting Microsoft Exchange email servers is allowing attackers to send fake emails that appear to come from legitimate addresses. Researchers have named this issue Ghost-Sender, and it results from a widespread misconfiguration in how email servers are set up. Evidence shows that attackers are already actively using this technique in the wild to trick people. This affects anyone who receives email, but you are especially vulnerable if you communicate with businesses, schools, or organizations that use Microsoft Exchange for their email. The fake emails can appear to come from anyone: your bank, your child's school, your workplace, or even family members. Because the emails look completely legitimate, even careful users may be fooled into clicking dangerous links or sharing sensitive information.

    Here is what you should do right now:

    1. Be extra cautious with all emails, even if they appear to come from someone you trust. Look for unusual requests, especially those asking for money, passwords, or personal information.
    2. If you receive an unexpected email asking you to take action (like resetting a password or confirming account details), do not click links in the email. Instead, go directly to the website by typing the address into your browser.
    3. Call the sender using a phone number you look up yourself (not one provided in the email) to verify that they actually sent the message.
    4. Check with your email provider or IT department at work to ask if they have addressed the Ghost-Sender vulnerability.

    Moving forward, adopt a zero-trust approach to email. Even messages that look perfect can be fake. Teach your family that legitimate organizations will never ask for passwords or sensitive information via email. Set up a family rule: if an email asks for personal information or money, always verify through a separate channel before responding. Consider this a reminder that email can be spoofed, and visual appearance alone cannot confirm authenticity.
