Where do scammers get my email address?
Email addresses are harvested from data breaches, scraped from public websites, sold by data brokers, and gathered through phishing sites and compromised mailing lists.
Last reviewed: 10 June 2026
Explanation
Email addresses are traded and leaked at enormous scale. Major database breaches over the years have exposed billions of credential records, and these lists circulate indefinitely in criminal markets. If you have used the same email address for ten years or more, the probability that it appears in at least one breach is very high. Scammers purchase these lists cheaply and run mass phishing campaigns knowing that even a fraction of a percent response rate is profitable.
Web scraping is another major source. Any time your email address appears on a public webpage — a contact form, a forum post, a business listing, an academic paper, a comment section — automated tools can harvest it. Some scammers run bots that systematically scrape every page of major platforms looking for the '@' character.
You may also have inadvertently given your email to an entity that sold or leaked it. Some free apps and services monetise their user bases by selling mailing lists. Loyalty programmes with weak security are a particular source. And phishing sites themselves harvest emails: when you enter your email into a fake login page or 'prize claim' form, it goes directly to a scammer's database.
Compromised mailing lists are a subtler channel. If a company you legitimately do business with has its email system breached, scammers gain access to its list of recipients. You then receive convincing phishing emails that appear to come from that company, because they contain your correct name, account number, or other details that the legitimate company held.
Common red flags
- You receive phishing emails that correctly name you and reference accounts you hold
- Shortly after signing up for a new service, spam email increases noticeably
- Emails arrive appearing to be from companies you use, but the sender address is slightly wrong
- You are prompted by a search result to 'verify your account' on a site that is not the official domain
- An email claims your account was accessed and asks you to click a link to secure it
What to do now
- Check your email address at Have I Been Pwned to see which breaches it has appeared in
- Use a unique email alias for each service where possible
- Never click links in unsolicited emails — navigate to sites directly
- Enable two-factor authentication on all accounts linked to your email
- Request removal from data broker databases through opt-out tools
- Report phishing emails to your email provider and your national cyber authority
Frequently asked questions
Does unsubscribing from spam emails make them stop?
For legitimate marketers, yes. For scammers, clicking an unsubscribe link can confirm that your address is active and lead to more messages. If an email looks like a scam, delete it without clicking anything.
Can I stop my email from being scraped online?
You can reduce exposure by removing your email from public pages, using contact forms instead of posting addresses, and using different addresses for public-facing and private communication.