How do scammers get my email address?

Published: April 6, 2026

Dear 404: How do scammers get my email address
A curious character in the shape of a brain

Dear 404,

I’m a student at UofT and my inbox is out of control. I get tons of legitimate emails—course updates, announcements—but also a growing number of scams, especially fake HR and job offers. How do they even get my email address?

— Overwhelmed Inbox

Dear Overwhelmed Inbox,

Short answer: your email didn’t escape — it was collected, reused, and passed around. Long answer: nothing dramatic — just a few very normal ways this happens:

  • 1

    You’ve used it in more places than you think

    Every signup, event, or application adds your email to a list somewhere. Not all of those lists stay private. And if we’re being honest, we all hand out our email in places we forget about — not recommended, but very human.

  • 2

    Data breaches happen

    Your email may have been exposed years ago from some random place you used it — and passed around ever since.

  • 3

    Guessing is easier than you’d hope

    University emails follow patterns. Scammers generate and send in bulk.

  • 4

    One scam feeds another

    Even small interactions can flag your email as “active.” As tempting as it is to waste a scammer’s time (noble cause, truly), it still tells them you’re engaging.

Why the spike in job/HR scams?

Because you’re a student — and that makes you a target… a valuable one.

Scammers know you’re:

  • actively looking for jobs — something they can target using your school or faculty affiliation online
  • used to getting emails from unfamiliar senders
  • often rushed, with an inbox that gets used a lot

So they package scams to look like exactly what you’re hoping to find.

What to do (without losing your mind):

  • Assume nothing — verify everything (especially job offers)
  • Check the sender, not just the name
  • Be wary of urgency, easy money, or vague roles
  • Minimize what you share — no SIN, no full address on resumes. City is enough
  • Don’t engage with obvious spam, filter it out, and report phishing to UofT IT
  • I covered how to spot legit emails in another post — worth a quick read

Getting these emails doesn’t mean you did anything wrong. It means your email exists.

Welcome to the internet — a bit of a love-hate relationship… emphasis on both.

Sincerely,
4[0‿0]4

More answers from 404