How to Forensically Examine Phishing Emails

Learn about the warning signs that can help you identify phishing and how to confirm your suspicions with a forensic examination of the email header

In the fight to safeguard data, one of the biggest risks facing organizations of all sizes is phishing emails. Data breaches, identity theft and fraud can often be traced back to an employee clicking on a bogus link, opening an attachment or replying to a request in a suspect email, unwittingly compromising your network with malware or giving away passwords or other sensitive data.

Many phishing emails are relatively easy to spot if you know what to look for. With a little knowledge about email headers, you can turn detective and confirm your worst suspicions. Here are some red flags that can help you dig a little deeper to expose phishing attempts.

Red Flags To Watch Out For

Cultivating a suspicious mind will serve you well when it comes to maintaining security.

Major red flags that indicate a potential phishing email include unexpected attachments, poor grammar or spelling errors, requests to click on links or volunteer information. These are things that should trigger a deeper investigation. Trust any uncomfortable gut feeling you get. If an email seems odd or requests you to act urgently, it merits closer inspection.

Start by asking yourself a few questions. Who is the sender? Why would they make a request like this? What is the potential risk if you comply?

Even if an email appears legitimate at first glance, if it involves your sending cash or sensitive data, opening an attachment or clicking on a link, think twice. A quick investigation could save you and your company a lot of money. If it turns out to be valid, what’s the harm in your verifying that first?

Dig a Little Deeper

Here are some tell-tale signs of a phishing scammer:

  • Sender’s email address: Look at the domain it’s from—is it a legitimate domain you recognize? Sometimes it may appear legitimate at first glance, but closer inspection reveals erroneous spelling. There could be just one letter different from the real name or a number used in place of a letter, such as using “5” for “S”.
  • Who was the email sent to? If there are multiple recipients and you don’t know the other people or it’s an unusual mix, then that’s a red flag.
  • Examine hyperlinks: If you hover over a link and it appears to point to a different URL than what is displayed in the email, you can be certain it’s a scam. Make sure you check the spelling here as well, but never click the link.
  • When did it arrive? It’s worth looking at the time the email was received. Is it outside of normal working hours?

It’s important to be alert to any discrepancies. Does the subject of the email match the content? Is it marked as a reply to something you never sent or requested? If there’s an attachment, look at the file type and consider whether it makes sense, but do not open it. All these things are highly suspicious and almost certainly indicate a phishing email, but you can take your investigation a little further and examine the email header.

Examining the Email Header

If you’re still not sure about the authenticity of an email, then it’s time to look at the header. An email header is created at the point of origin and it changes every time that email passes through an email server, gateway or inspection device. By reading the email header from top to bottom you can often retrace its steps back to the source. In some cases, scammers will spoof data in the email header, but they rarely take the time to do it, so it’s a useful thing to check.

The process to get the full email header is different depending on what email client you use. If you’re using Outlook, for example, then you need to open the email in question and click File > Properties, then look in the field where it says Internet headers. If you click in here and hit CTRL + A to select all, you can then paste the contents into a Notepad file where it’s a little easier to see.

The first thing to look for is the X-Originating-IP as that will give you the IP address of the original sender. If you can’t find it, then look for the entries after Received: you’ll see all the mail transfer agents (MTAs) that the email has passed through. Look for the one nearest the bottom and examine the IP address or domain name.

You can use various websites online, such as WhatIsMyIPAddress to look up IP address locations or do a search at the American Registry for Internet Numbers. This can reveal any disconnect between the domain or country of origin and whoever the sender is purporting to be.

For example, if the email appears to come from Microsoft but is actually from a strange domain in Russia, you can be certain it’s not legitimate. I know this can seem like a “Duh” moment, but every day we see our clients’ employees fall victim to simulated phishing bait again and again. A lot of it is habitual, ape-like behavior: See link: Must click!

Ultimately, it’s best to err on the side of caution with any suspected phishing email. You should always go direct to any company or person, using separately sourced contact details not included within the suspicious email, to verify any potentially risky request before acting.

Avatar photo

Stu Sjouwerman

Stu Sjouwerman is founder and CEO of KnowBe4, developer of security awareness training and simulated phishing platforms, with over 30,000 customers and more than 20 million users. He was co-founder of Sunbelt Software, a multiple award-winning anti-malware software company that was acquired 2010. Stu is the author of four books, with his latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.”

stu-sjouwerman has 9 posts and counting.See all posts by stu-sjouwerman