How to Spot a “Phishing” Email

Adapted from

While there is no technique that can spot phishing emails with 100% certainty, these are some logical steps that you can use to determine the likelihood that an email is not legitimate. Trusting your own instincts is just as important too. If an email doesn’t seem right, then treat it with all due caution and seek help if you need assistance.

Examine who the message is being sent to and why…

  • The message was sent by a person and organization unknown to you, and may also include fictitious or unfamiliar recipients.
  • The Subject line indicates that an unsolicited attachment is being forwarded. In most business/work relationships, some kind of communication would have taken place where you would be expecting files that someone wants to send to you.
  • The attached file type of ZIP is known to be potentially malicious. Other potentially risky file types end with DOC, XLS, EXE, PDF, BAT and VBS. While most people often use these file types every day, the risk lies within the ability of malicious code being inserted into these kinds of documents. An unsuspecting recipient opening a malicious file of these types would unknowingly execute malware on their own computer.


Examine the body of the message…

  • The message opening is unusually and overly formal. People you know or have working relationships with would not ordinarily use such formal language.
  • The message prompts you to create an account or divulge personal details that one would normally hesitate to share.
  • The name in the FROM field of the message is different from the name given in the message body.


Examining the message “headers”…

The following pages demonstrate more advanced tips for spotting phishing emails. Email headers provide valuable information when trying to determine the legitimacy of a message. This information can also be used by your local Information Security team if you need assistance.

  • Within the open message in Outlook, click on File > Info > Properties to see the message’s header information. This provides clues on the path the message actually took to reach the recipient. One red flag to look for is if the “Return Path” indicates an organization or domain different than the one identified in the message body, as indicated by the red arrows above. In other email clients there is generally an option to view message headers within the message properties. Contact your local Help Desk or security team if you need assistance.


Examining the message “headers”, continued…

  • The sender’s IP address and ISP information indicate a Comcast user in Indiana, as demonstrated by the domain “”. As the real company FISERV is located in Wisconsin, it is unlikely that they would be using an Internet Service Provider from Indiana.
  • The second address shown is where the email was delivered from. This is usually the email server for your own organization or email provider.


More clues in the Headers…

  • This line indicates the computer at the Comcast address sending an email claiming to be from AEXP.COM is the domain for American Express, which has been spoofed many times over the past few years. Criminals use the technique of spoofing legitimate company domains to take advantage of the trust implicit in a familiar organization’s name.
  • The X-Mailer property indicates what software was used to send the email. While this line can be spoofed, a careless phisher may neglect to change the information. A legitimate company will most likely use a common email client such as Microsoft Outlook, IBM Notes or Novell GroupWise. If a search of the software indicated turns out to be a shareware email client or known email spoofer, that is another red flag that the email is not legitimate.

Custom Fields
  • Author: Tony Dumas
  • Department: Information Security Services
Attached Files
There are no attachments for this article.
Related Articles RSS Feed
Microsoft Security Essentials and Windows Defender Installation
Viewed 11871 times since Wed, Aug 12, 2015
Tips to Avoid Malware
Viewed 829 times since Thu, May 7, 2015
Should you send or receive UNH personally identifiable information by email?
Viewed 777 times since Thu, Jun 9, 2016
Why Can’t I Forward Emails to
Viewed 110 times since Thu, Feb 22, 2018
Mobile Device Health and Security
Viewed 989 times since Fri, Jul 10, 2015
PCI DSS - Payment Card Security
Viewed 1420 times since Thu, May 7, 2015
What’s the Deal with Publicly Posted Credentials?
Viewed 476 times since Thu, Jun 29, 2017
System Center 2012 Endpoint Protection Windows Installation
Viewed 8854 times since Wed, Aug 12, 2015
Microsoft Security Essentials and Windows Defender Usage
Viewed 5050 times since Wed, Aug 12, 2015
COPPA: Children’s Online Privacy Protection
Viewed 1150 times since Wed, Apr 29, 2015