How Scammers Get Your Email Address (And How to Stop Them)

IsThisAScam Research Team · March 14, 2026 · 4 min read

You signed up for a newsletter in 2019. That company got breached in 2021. Your email ended up in a database sold on a dark web forum. A scammer bought the database for $50. Now you receive phishing emails twice a week. That's one path. There are at least six others.

1. Data Breaches

This is the biggest source. Billions of email addresses have been exposed in data breaches over the past decade. Major breaches at LinkedIn (700M records), Yahoo (3B accounts), Facebook (533M users), and thousands of smaller companies have created vast databases of email addresses paired with names, phone numbers, passwords, and other personal data.

These databases are actively traded and sold. A scammer who wants to send phishing emails to 10 million people can buy a breach database for less than the cost of dinner. Your email isn't stolen individually — it's swept up in mass breaches of companies you've trusted with your data.

Check if your email has been exposed: HaveIBeenPwned.com is a free, reputable tool that checks your email against known breaches.

2. Web Scraping

Automated bots crawl websites, forums, social media profiles, and public directories looking for email address patterns (anything@anything.com). If your email address appears anywhere publicly on the internet — your personal website, a forum post, a social media bio, a business directory — scrapers have found it.

LinkedIn profiles are particularly valuable scraping targets because they pair email addresses with professional information that makes phishing more convincing.

3. Purchased Mailing Lists

Legitimate email marketing companies sell "opt-in" lists, but the opt-in consent is often buried in terms of service you didn't read. When you signed up for that free ebook, entered a contest, or created an account on a shopping site, you may have consented to your email being shared with "partners."

Less legitimate operators sell lists without any consent at all, compiled from scraping, breaches, and other sources. Buying a list of 1 million email addresses costs as little as $100-200.

4. Social Engineering and Phishing

Ironically, scammers use phishing to get email addresses for more phishing. "Create an account to view this content." "Enter your email for a free trial." "Sign up to see your results." These are email harvesting operations disguised as services. The site exists solely to collect email addresses.

5. Dictionary and Brute Force Attacks

Scammers generate millions of plausible email addresses algorithmically: john.smith@gmail.com, jsmith123@yahoo.com, john.s@outlook.com. They send emails to all of them. Most bounce, but a percentage reach real inboxes. The cost of sending millions of emails is so low that even a tiny hit rate is profitable.

6. Malware and Compromised Contacts

When someone you know gets malware on their device, the malware may harvest their entire contact list — including your email address. Your email then appears in targeted lists, often with the added context of who you know and communicate with.

7. Public Records and Directories

Business registrations, domain WHOIS records, government filings, academic papers, and professional associations all may contain your email address. Data brokers aggregate this information into comprehensive profiles.

How to Reduce Your Exposure

Use email aliases. Services like Apple's Hide My Email, Firefox Relay, and SimpleLogin let you create unique email addresses for every service. If one gets compromised, you deactivate it without affecting your main address. You can also see which company leaked your data.

Use the plus trick. Gmail ignores a + sign and anything after it in the part of the address before the @. yourname+netflix@gmail.com and yourname+amazon@gmail.com both deliver to your inbox. If you start getting spam to yourname+someservice@gmail.com, you know which service sold or leaked your address.
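The alias and plus-address tips above turn the recipient address into a leak marker. As an added example (not IsThisAScam's own code), this Python script reads message headers and counts mail that arrived on a +tag from a sender the tag was never given to; the registry, the mailbox name and the sample messages are constructed assumptions.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed registry: which sender domains each +tag was handed to.
ALIAS_REGISTRY = {
    "netflix": {"netflix.com"},
    "amazon": {"amazon.com"},
    "someservice": {"someservice.example"},
}

# Constructed sample messages (only the headers matter here).
SAMPLE = [
    "From: Netflix <info@mailer.netflix.com>\nTo: yourname+netflix@gmail.com\n\nNew arrivals",
    "From: Prize Desk <win@lotto-claims.example>\nTo: yourname+someservice@gmail.com\n\nYou won",
    "From: Support <help@lotto-claims.example>\n"
    "Delivered-To: yourname+someservice@gmail.com\nTo: customers@lotto-claims.example\n\nVerify",
    "From: friend@example.org\nTo: yourname@gmail.com\n\nhi",
]

def plus_tag(address, mailbox="yourname", domain="gmail.com"):
    """Return the +tag if the address is one of our plus aliases, else None."""
    local, _, dom = address.lower().rpartition("@")
    base, sep, tag = local.partition("+")
    if dom != domain or base != mailbox or not sep or not tag:
        return None
    return tag

def attribute_leaks(raw_messages):
    """Count messages per tag whose sender is outside the domains the tag was given to."""
    leaks = Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        # Delivered-To catches Bcc'd mail where To/Cc do not name us.
        headers = [v for h in ("Delivered-To", "To", "Cc") for v in msg.get_all(h, [])]
        tags = {plus_tag(addr) for _, addr in getaddresses(headers)} - {None}
        # From is spoofable, so a match is a hint, not proof of legitimacy.
        sender = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
        for tag in tags:
            allowed = ALIAS_REGISTRY.get(tag, set())
            if not any(sender == d or sender.endswith("." + d) for d in allowed):
                leaks[tag] += 1
    return leaks

if __name__ == "__main__":
    for tag, count in attribute_leaks(SAMPLE).items():
        print(f"+{tag}: {count} message(s) from senders it was never given to")
```

A sender can strip the +tag before mailing, so untagged spam says nothing about its source; a unique alias from a relay service does not have that weakness.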

Maintain separate email addresses. Use one email for important accounts (banking, healthcare, government), another for shopping and subscriptions, and a third for anything you're unsure about. If the third gets spammed, your important accounts stay clean.

Remove your email from public listings. Opt out of data broker sites (DeleteMe and Privacy Duck automate this). Remove your email from social media bios. Use WHOIS privacy for domain registrations.

Read privacy policies (or at least the sharing sections). Before entering your email anywhere, check whether the site shares data with third parties. Browser extensions like Terms of Service; Didn't Read can summarize these policies.

Use IsThisAScam to analyze suspicious emails. When scam emails arrive (and they will — no prevention is 100%), paste them into the tool to identify the type of scam and get specific advice.

Unsubscribe carefully. The "unsubscribe" link in spam emails may confirm that your address is active, leading to more spam. Only use unsubscribe links from companies you actually signed up with. For unknown senders, mark as spam instead of unsubscribing.

Enable two-factor authentication on your email. Even if scammers have your email address, 2FA prevents them from accessing your account.

You Can't Eliminate Spam, But You Can Manage It

If your email address has existed for more than a few years, it's almost certainly in multiple breach databases. You can't undo that. What you can do is reduce future exposure, compartmentalize your digital identity, and build habits that make phishing attacks less effective — even when they reach your inbox.
