There are numerous email scams that land in your inbox every day, from malware-ridden attachments supposedly from a friend to IRS impersonators to blackmailers threatening to expose you for watching porn. And what makes many of these scams harder to recognize is that they rely on a “spoofed” email address to make it appear that they are coming from someone you trust (or even your own email address), rather than a scammer 6,000 miles away. So learning how to tell if an email has been spoofed is critical to protecting yourself.
Part of the reason why spoofed emails are so prevalent is that it is incredibly easy to spoof an address. Any mail server can be set up to send from a given domain (e.g. irs.gov), and there are even websites that will let you send one-off emails using any email address for free. But both of these methods leave telltale tracks that give it away as spoofed.
To find these tracks, you need to look at the email header. The header contains critical components of every email – From, To, Date and Subject – as well as detailed information about where the email came from and how it was routed to you. Importantly, it also contains the results of the verification process your email provider used to determine if the sending server has permission to send using that domain (i.e., Is this server authorized to send emails from irs.gov?). Showing your email headers varies depending on which email service you’re using. For Gmail, open the email and click on the three vertical dots next to the reply arrow and select “Show Original”. For other email programs, you can use this list.
If you look at the header information if it was spoofed, besides a lot of technical information you can ignore, the two things that matter the most are the domain name and IP address in the “Received” field and the validation results in the Received-SPF field. If the domain name is different from the sender’s domain, that’s a dead giveaway. But if the domain name is similar or it’s listed as just an IP address you should check the IP address, too, and see if that passes the smell test. To do that, go to Domain Tools and enter the “from” IP address in the Received field into the Whois Lookup.
Next, if we look at the Received-SPF field and see that it is a softfail. Sender Policy Framework (SPF) is a way for a domain to specify what servers are permitted to send mail on its behalf. Mail sent from permitted servers will show up as “Pass” in the Received-SPF field, which is a very strong indicator that the email is legitimate. If the results show “Fail” or “Softfail”, that’s a sign the email may be spoofed, though it’s not 100% certain since some domains don’t keep their SPF records up to date, resulting in validation failures.
Taken together, the sending IP address and the SPF validation will give you a very good sense of whether an email truly comes from the person purported to be sending it. And don’t forget to trust your gut. If an email sounds implausible, it probably is. Don’t respond directly or open any attachments. If it is a company, bank or government organization, find their contact information on the web and contact them directly to see if the email is legit.
Spoofing email is just one way scammers attempt to take advantage of us. So make sure you’re also on top of these 7 Common Scams We’re Still Falling For.
This was originally posted by Techlicious.