How to Spot a “Phishing” Email

Adapted from

While there is no technique that can spot phishing emails with 100% certainty, these are some logical steps that you can use to determine the likelihood that an email is not legitimate. Trusting your own instincts is just as important. If an email doesn’t seem right, then treat it with all due caution and seek help if you need assistance.

Examine who the message is being sent to and why…

  • The message was sent by a person and organization unknown to you, and may also include fictitious or unfamiliar recipients.
  • The Subject line indicates that an unsolicited attachment is being forwarded. In most business/work relationships, some kind of communication would have taken place where you would be expecting files that someone wants to send to you.
  • The attached file type, ZIP, is known to be potentially malicious. Other potentially risky file types end with DOC, XLS, EXE, PDF, BAT and VBS. While most people use these file types every day, the risk lies in the fact that malicious code can be inserted into these kinds of documents. An unsuspecting recipient who opens a malicious file of one of these types would unknowingly execute malware on their own computer.


Examine the body of the message…

  • The message opening is unusually and overly formal. People you know or have working relationships with would not ordinarily use such formal language.
  • The message prompts you to create an account or divulge personal details that one would normally hesitate to share.
  • The name in the FROM field of the message is different from the name given in the message body.


Examining the message “headers”…

The following pages demonstrate more advanced tips for spotting phishing emails. Email headers provide valuable information when trying to determine the legitimacy of a message. This information can also be used by your local Information Security team if you need assistance.

  • Within the open message in Outlook, click on File > Info > Properties to see the message’s header information. This provides clues on the path the message actually took to reach the recipient. One red flag to look for is if the “Return Path” indicates an organization or domain different than the one identified in the message body, as indicated by the red arrows above. In other email clients there is generally an option to view message headers within the message properties. Contact your local Help Desk or security team if you need assistance.


Examining the message “headers”, continued…

  • The sender’s IP address and ISP information indicate a Comcast user in Indiana, as demonstrated by the domain “”. As the real company FISERV is located in Wisconsin, it is unlikely that they would be using an Internet Service Provider from Indiana.
  • The second address shown is where the email was delivered from. This is usually the email server for your own organization or email provider.


More clues in the Headers…

  • This line indicates that the computer at the Comcast address is sending an email claiming to be from AEXP.COM. AEXP.COM is the domain for American Express, which has been spoofed many times over the past few years. Criminals use the technique of spoofing legitimate company domains to take advantage of the trust implicit in a familiar organization’s name.
  • The X-Mailer property indicates what software was used to send the email. While this line can be spoofed, a careless phisher may neglect to change the information. A legitimate company will most likely use a common email client such as Microsoft Outlook, IBM Notes or Novell GroupWise. If a search for the indicated software shows it to be a shareware email client or a known email spoofer, that is another red flag that the email is not legitimate.
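
The header checks described above (Return-Path versus the From domain, the earliest Received hop, and the X-Mailer value), as an added Python example that is not part of the original article. The sample headers, host names and IP addresses are constructed placeholders, and treating "same domain or a subdomain of it" as the same organization is a simplifying assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Mail clients the article names as typical for a legitimate company.
COMMON_MAILERS = ("microsoft outlook", "ibm notes", "novell groupwise")

# Constructed sample; every host, address and IP below is a placeholder.
SAMPLE = (
    "Return-Path: <billing@mailer.example.net>\n"
    "Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])\n"
    "\tby inbox.recipient.example; Mon, 1 Jun 2015 10:00:05 -0500\n"
    "Received: from home-pc.isp.example (home-pc.isp.example [198.51.100.23])\n"
    "\tby mx.recipient.example; Mon, 1 Jun 2015 10:00:01 -0500\n"
    'From: "Accounts Team" <accounts@bank.example.com>\n'
    "X-Mailer: BulkSender 1.0\n"
)

def domain_of(value):
    """Return the lower-cased domain of an address header, or ''."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def related(a, b):
    """True if the names are equal or one is a subdomain of the other."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def first_hop(msg):
    """Each server prepends Received, so the last one is the earliest hop."""
    hops = msg.get_all("Received") or []
    m = re.search(r"from\s+(\S+)[^\[]*\[([0-9a-fA-F.:]+)\]", hops[-1]) if hops else None
    return (m.group(1).lower(), m.group(2)) if m else ("", "")

def review_headers(raw):
    """Return a list of red flags; an empty list is not proof of legitimacy."""
    msg = message_from_string(raw)
    flags = []
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    host, ip = first_hop(msg)
    if rp_dom and not related(rp_dom, from_dom):
        flags.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    if host and not related(host, from_dom):
        flags.append(f"first hop {host} [{ip}] is outside {from_dom}")
    mailer = (msg.get("X-Mailer") or "").strip()
    if mailer and not mailer.lower().startswith(COMMON_MAILERS):
        flags.append(f"uncommon X-Mailer: {mailer}")
    return flags
```

A flag is a reason to look closer, not a verdict, and headers such as X-Mailer can be forged, as noted above.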

Custom Fields
  • Author: Tony Dumas
  • Department: Information Security Services