Check the email headers
Most email programs only show a few basic details to users about where an email came from, and these (such as the "From" address) can often be easily spoofed by criminals. Despite this, with a little effort, there's a lot more useful information you can find to see when an email trying to hide its true origins
This is all contained in the "email headers" text. You can read email headers by:
- In Outlook: Double click an email to open it, and then go to 'File' and 'Properties'. A new window should open; the headers are in the box called 'Internet Headers'.
- In Outlook.com (Hotmail): Click the down arrow next to 'Reply' above the email, and select 'View message source'. This shows the raw code for the whole email; the headers are the first block (which can be lengthy) until the first blank line.
- In Gmail: Click the down arrow next to 'Reply' above the email, and select 'Show original'. This shows the raw code for the whole email; the headers are the first block (which can be lengthy) until the first blank line.
- In Yahoo!: With the email open, click 'More' and then select 'View Raw Message'. This shows the raw code for the whole email; the headers are the first block (which can be lengthy) until the first blank line.
For other popular email programs check out this guide (external link).
Parse the headers
Once you have the email headers there's a great online utility that will make them a bit more human-readable. Simply head to www.mxtoolbox.com/emailheaders.aspx and paste the headers into the box, then click "Analyze".
This will interpret all the information, presenting back to you the route that the email took & where it came from, any spam score, and other attributes such as whether it's origin can be authenticated.
MXToolbox.com screen showing the route the email took...
... and other various relevant attributes of the email.
Key fields to check:
Now that you've got the headers from your suspected phishing email into an easy to read form, some of the key fields to know about include:
- The "From" addresses:
- The route the email took:
- Mail authentication checks:
- SPF (which stands for 'Sender Policy Framework') is a way of validating that emails were sent by computers known to belong to the organisation that the email claims to have come from.
- DKIM is a mechanism used to digitally sign the contents of an email, making it useful for also verifying the sender. If in the "Authentication Results" field you see the string "dkim=pass (signature was verified)" then you can trust that the email came from the domain listed in the "DKIM Signature" field.
- DMARC is a newer mail authentication mechanism which aims to address some known weaknesses of SPF and DKIM, although it is only slowly being used. If you see the entry "dmarc=pass" in the "Authentication-Results" field then you can have confidence that the email came from where it purports to have come from.
- Other useful fields:
Eg: From, Return-Path, Reply-To
The "From" address is the address that the email purports to come from, and which is displayed by your email client. The other fields are used for different purposes, such as when replying to an email or if there's difficulty delivering it.
These can all be spoofed so never trust what they claim, although if any of them are from suspicious domains then this should raise alarm bells straight away.
The "Received" fields describe the route that the email took to reach you, including the host domain names and/or IP addresses of each "hop".
These are written from the bottom to the top; ie the machine used to send the email will be the bottom entry in the raw headers (although note that MXToolBox.com re-orders these to read from top to bottom).
You should check this route to look for anything odd, for example any unexpected domains that the email was sent through (eg do any end in .ru which are often big sources of spam?)
Eg: Authentication-Results, Received-SPF, DKIM Signature
In recent years, in an effort to combat spam, various methods have been developed to try and validate where an email truly came from. These include SPF, DKIM, and DMARC.
Within the email headers the key field to pay attention to is Authentication-Results, as this essentially presents a summary of the different mail authentication checks that the email has been through:
Here you need to look for the entry "spf=pass" in the "Authentication-Results" field. If this is present then you know the email came from a server associated with the organisation specified by "smtp.mailfrom=". Note that this might not be the same as the email's "From" email address - that can still be spoofed.
Don't immediately dismiss emails which didn't pass the SPF check; due to the way that email and the SPF check works then even legitimate emails sometimes fail.
It's important to remember however that all that these checks do is to validate which domain the email was sent from - they offer no checks about who owns that domain. That's why its important to also double check the domain being used (see below).
Spam score: Different email programs use different spam detection tools, and so you might see headers called a variety of different things relating to Spam. You can check these entries to see how the email has been categorised; is it indicating a high level of spam-like qualities? At the end of the day you need to use your own judgement when deciding if an email is legitimate, however these scores can be a useful indicator.
X-Mailer: This shows which email client was used to create the email. It's not unknown for phishing emails to have been created with Outlook Express; a free email program that is unlikely to be used by major corporations.
Research domain names
Some criminals will go to advanced lengths to fool us, with one common trick being to register domain names that look as if they could belong to well known organisations.
If you see any domain name in the email (eg either in a weblink or the "From" email address) that deviates even slightly from the company's main web address then you should be immediately suspicious. If you're not sure how to read the Domain Name from a web or email address then quickly check out our guide to reading a URL address.
a) Check when the domain name was registered
Use a Whois service such as https://whois.domaintools.com to check the date that the domain name was registered. If it's only a few days old (as most are that are used for phishing) then it's likely to be a spoof.
"icann-monitor.org" looks like it could belong to ICANN...
...except that the domain was only registered the day before the email was sent.
b) Check if this domain is mentioned online as a scam
If other people have received similar emails then you might find a discussion about it online. Try doing a web search such as "dodgywebaddress.com" scam (make sure the web address you're querying is in quotes) and see what gets returned.
c) See if the address is linked to from the company's main site
If the web address is genuine then a link to it is likely to exist somewhere on that company's main corporate website. Use Google to check this - enter a query in the form of "dodgywebaddress.com" site:company.com". Put the web address you're querying in quotes, followed by the address you know to be genuine with the prefix site:
If no results are found then you should be suspicious. Even if results are found then be sure to double check what they are - make sure it's not simply that the company are alerting users to scams from that address!
Virus scan any attachments
The VirusTotal homepage, at www.virustotal.com.
If an attachment was part of the email then you can virus scan this too. Right click it and save it to disk somewhere.
Be very careful not to accidentally open it...!
Simply saving the file to disk is fine (even if it is infected) but if you're not sure what you're doing then it is probably best to skip this check.
Various online services exist that will virus scan your files with multiple antivirus products in one go. The best of these is probably www.virustotal.com, owned by Google.
The screen as the file is being scanned
It's extremely easy to use - simply click "Choose file" and browse to your file to upload it, and then click "Scan it!". Your file will start scanning with results returned straight away; within a minute you'll have scan results from over 50 antivirus tools. Impressive!
The tool will also analyse the file and tell you different characteristics that might be useful, such as confirming what type of file it is.
It will also tell you if anyone else has scanned the same file - this should ring alarm bells if it has been and it's a file that's supposed to be unique to you, such as a bill or delivery notice.
Of course, whilst online scanning is great, hackers can (and do) use these tools to check if their viruses will evade detection or not. For this reason it can be a good idea to wait a couple of days before scanning the file, to allow for virus signaures to catch up.
Inspect the body of the email
A final check you can do is to inspect the raw code of the body of the email, looking for any hidden suspicious links or secret image downloads (some emails download a transparent GIF image to track when it has been opened).
This check is really a belt & braces step for if you've not spotted anything else that's obviously wrong and are now thinking that the email may be genuine after all. It's unlikely to reveal anything new that you've not discovered so far, but can give peace of mind that there's nothing else hidden within it.
For this check you need to view the source code in a text editor:
- In Outlook: Right-click within the message and select "View Source". This option doesn't always appear depending on where within the email you click, so play about if it doesn't appear at first. Often it works though if you right-click at the very bottom of the email.
- In Outlook.com (Hotmail): Click the down arrow next to 'Reply' above the email, and select 'View message source'. This shows the raw code for the whole email; copy it to a text editor (such as Notepad) for easier analysis.
- In Gmail: Click the down arrow next to 'Reply' above the email, and select 'Show original'. This shows the raw code for the whole email; copy it to a text editor (such as Notepad) for easier analysis.
- In Yahoo!: With the email open, click 'More' in the message's toolbar and then select 'View Raw Message'. This shows the raw code for the whole email; copy it to a text editor (such as Notepad) for easier analysis.
Now you have the raw code for the email, including all the raw links that are clearly shown. You can either manually look through the code, or use the "Find" or "Search" feature within your text editor to look for the string "http" and jump straight to each link.
Checking the raw code of an email for suspicious content (in this case it was a legitimate email from Apple).
Look for any links that look suspicious. Be aware that, for a HTML formatted email, there may be a few links to legitimate external sites such as static content servers for images or stylesheets (eg Apple host some images on the site http://r.mzstatic.com), or for 3rd party services such as email services like MailChimp. If you're not sure of a domain you see in a link then just Google it.
What you're looking for however is the presence of any suspicious domains (see the section "Research the domain name" above), whether these are a hyperlink to click on, or where content such as a gif or png image are downloaded from.
If there are no suspicious links, and if the email has passed all the other checks on this page, then it may well be legitimate after all!