Spoofing is an unfortunately all too common problem. Spoofing is the act of using a local mail application to pretend to be someone else in email, in this case by using your domain name as a mask, usually for the purpose of sending spam or other unwanted messages.
How does it work?
This is similar to the regular postal service. As an example, say you write a letter to a friend. You put it in an envelope and write out the "to" address, and instead of putting your own address as the return address, you put the address of a business across town. When you send the letter, if it makes it to the recipient, they get what looks like a message from that business across town. Not good. Even worse, since the return address on the letter isn't the sender's own, if the mail cannot be delivered it bounces back to the address that was written on it. With spoofed email, that is your address! Normally, they do not actually know your email address; the bounce is getting caught in the catch-all, and you are just getting notifications about it. Usually this can be addressed by disabling the catch-all from http://yourdomain.com/dashboard under "Settings", then "Email Settings", using the "Disable Catch-all" link.
They do not have access to your contacts or address book. They simply picked your domain name out of the millions of domains out there. Either it fit their purpose, or it was picked by sheer chance. This does not make you any less secure.
There is no real solution to spoofing. The problem is that the people who are doing this are not actually "hacking" your site, or anything similar. They are simply changing the return address in their email program, on their own computer (not on our servers, where your account is actually located). Because they are doing this on their own computer and never interfacing with any of our systems, there is nothing we can do on our end to prevent it. Sadly, it's a flaw in the way email was designed.
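For readers comfortable with a little scripting, here is an added example (not part of the original article or of our own tooling) that inspects a bounce caught by the catch-all and checks whether the message that bounced ever passed through your mail host. The sample bounce is constructed, and the domain, mailbox names and outbound host name (`smtp.provider.example`) are assumptions for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample bounce; every host, address and domain here is made up.
BOUNCE = """\
From: MAILER-DAEMON@mx.recipient.example
To: qx7431@yourdomain.example
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.recipient.example

Final-Recipient: rfc822; nobody@recipient.example
Status: 5.1.1
--b1
Content-Type: message/rfc822

Received: from unknown-pc (unknown [203.0.113.45])
 by mx.recipient.example; Mon, 1 Jan 2024 10:00:00 +0000
From: "Sales" <qx7431@yourdomain.example>
To: nobody@recipient.example
Subject: Special offer

Hello
--b1--
"""

def triage_bounce(raw, my_domain, my_mailboxes, my_outbound_hosts):
    """Return (verdict, details) for one bounce found in the catch-all."""
    msg = message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)  # the message that bounced
            break
    else:
        return "no-original", {}
    sender = parseaddr(str(original.get("From", "")))[1].lower()
    local, _, domain = sender.rpartition("@")
    # Received lines can be forged, so treat a match as a hint, not proof.
    hops = " ".join(str(h) for h in original.get_all("Received", [])).lower()
    via_us = any(h.lower() in hops for h in my_outbound_hosts)
    details = {"from": sender, "mailbox_exists": local in my_mailboxes, "sent_via_our_servers": via_us}
    if domain != my_domain:
        return "not-our-domain", details
    return ("genuine-bounce" if via_us else "spoofed-backscatter"), details
```

A `spoofed-backscatter` verdict for an address that does not exist on your account matches the situation described above: the message was written elsewhere and only the bounce reached you.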
If you have any further questions or concerns regarding this topic, feel free to reach out to support!