The Email That Knew My Daughter’s Teacher’s Name

She read it out loud at the kitchen table, half-annoyed. “Mr. Alvarez says we still have to finish the group assignment — there’s a link.” Then she reached for the laptop to get it over with, the way thirteen-year-olds do when a teacher’s name is attached to a chore.

I asked to see it. And my stomach dropped, because she was right about one thing: the email named Mr. Alvarez. Her actual science teacher. First name, last name, the subject he teaches. It asked her to “finish the group assignment” through a button that went somewhere I didn’t recognize.

Mr. Alvarez hadn’t sent it. I knew that the way you know your own front door. What I didn’t know — what I still couldn’t answer hours later — was how a stranger had learned my daughter’s name, her teacher’s name, and her email address, and decided to write to her directly, in a voice she’d never think to question.

I never approved any of it. I never even knew the door was open.

A leaked address is a permanent open door

Most parents picture a kid’s email like a school cubby — a few notices, a permission slip, nothing anyone would bother with. In practice it works more like a front door with no lock, propped open to the entire internet. Anyone who knows the address can walk a message right up to your child, any hour of the day, into a space they usually check alone.

And the address gets out far more easily than parents realize. A school adopts a new reading app, and the vendor’s database leaks. A gaming forum is breached. A “free” homework site quietly sells its sign-up list. Your kid types their real address into a box because that’s what the box asked for. From that moment, the address circulates — bundled, sorted, traded — and it never expires.

The details that travel with it are what make the Mr. Alvarez email possible. School rosters, class lists, parent directories, and EdTech databases leak too, and they connect a child’s address to a real name, a real school, sometimes a real teacher. A stranger doesn’t have to guess any of it. They buy the bundle, and they write something a thirteen-year-old would never doubt — because it names the one adult she’s been told to listen to.

That’s the entire trick. The message doesn’t have to fool me. It only has to reach her.

Spam filters judge the wrong thing

When parents worry about email, the standard answers are spam filters and parental-control apps. Both have their place. Neither does the job you actually need here.

A spam filter reads each message after it arrives and guesses whether it looks dangerous. It’s grading content. An email that names a real teacher and asks a student to finish real-sounding schoolwork has no malware in the text, no all-caps prize, no obvious tell — it reads like exactly what it pretends to be. So the filter waves it through, because spotting suspicious words was never the same as deciding who’s allowed to write to your child in the first place.

Parental-control apps mostly govern what your kid can go to — which sites, which apps, how many hours. They’re built around your child reaching outward. They do very little about who reaches in. The stranger who used Mr. Alvarez’s name didn’t trip a single one of those controls, because he came to her.

That’s the gap. Every tool in the usual kit is busy inspecting messages or limiting browsing. None of them answers the only question that mattered when she reached for the laptop: should this person be allowed to send my child anything at all?

What changes when the inbox starts closed

Run that afternoon again, but with the door locked.

The stranger still has her address. He still writes the same confident note in Mr. Alvarez’s name. And it simply never arrives — not dropped into a junk folder where she might still find it, not flagged with a warning she might tap past, but stopped at the threshold, because he was never on the list of people allowed to reach her.

That’s a consent-based, opt-in inbox. Instead of accepting everyone and trying to sort the dangerous ones out afterward, it starts closed and stays closed until you say otherwise. You build the approved list together: family, the real school, a coach, the friends you know by name. Everyone else is a stranger, and strangers don’t get through. There’s no message for an excited or distracted kid to evaluate alone — because the conversation a stranger tried to start never reaches her at all.

This is what OptMsg’s patent-pending opt-in technology does. The inbox is closed by default, and you decide who gets a key. It doesn’t ask your thirteen-year-old to out-think an adult who does this for a living. It just doesn’t let that adult in.

The relief is the point. Not a sharper kid who never gets fooled — an inbox that doesn’t require her to be perfect.

What you can do this week

You don’t have to overhaul everything tonight. Start small.

Sit down together and scroll the last month of her email — not to inspect her, just to look. Count how many messages came from people she actually knows versus people she doesn’t. The ratio surprises most parents, and it makes the problem real for your kid, too.

Ask, gently, whether anyone she doesn’t know has ever emailed her — the way the Mr. Alvarez note did. Not an interrogation. Most kids have a story, and most haven’t mentioned it because nothing obviously bad happened. Yet.

Turn on two-factor authentication so a leaked password alone can’t open the account. And separate the address she hands out casually — for apps, games, school sign-ups — from the inbox where the people who matter actually reach her.

Then decide whether you want the door to keep standing open. Because the person who emailed her in her teacher’s name didn’t break in. He walked through an entrance no one had ever closed. You can close it.

See how the opt-in inbox works — join the early-access list

FAQ

How do I stop strangers from emailing my child?

Regular email accepts a message from anyone who knows the address, so once that address leaks, strangers can write to your child directly. Spam filters only judge a message after it arrives, and a note that names a real teacher or real schoolwork usually passes. The most reliable approach is an opt-in inbox like OptMsg email, where the inbox is closed by default and only senders a parent has approved can deliver. Unapproved senders never reach the child at all.

How did a stranger get my child’s teacher’s name and email address?

Children’s details leak the same way adults’ do — through breached apps, gaming forums, and school or EdTech vendors whose databases are exposed. Those leaks often connect an address to a real name, school, and class roster, which is how an attacker can reference a real teacher. The leak is what makes a convincing “finish the assignment” email possible; the open-by-default inbox is what lets it be delivered.

What is an opt-in inbox for kids?

An opt-in inbox reverses how email normally works. Instead of accepting every message and filtering out the bad ones, it starts closed — nothing is delivered unless the sender has been approved in advance. For a child’s account, the parent approves the school, family, coaches, and trusted friends. OptMsg uses patent-pending opt-in technology to make this possible, so a leaked address can’t turn into an open invitation for strangers.

Scroll to Top