The Anatomy of a Phishing Email: What's in an Email Header?
Brian Tromp for Unsplash

There is something I want you to know so you don't fall for phishing scams.

Phishing emails have gotten a whole lot sneakier since the early days of email. Nowadays, the scammers put some real effort into making their messages look legit. But don't worry, with a few tips you'll be able to spot a phony a mile away.

The key is in the details—specifically, the email header. That jumble of letters, numbers, and symbols at the top of the message holds clues to the email's true origin. Once you know how to decode an email header, you'll have a superpower for sniffing out scams. So grab a cup of coffee and settle in. We're going to teach you everything you need to know to become an email header pro. By the time you're done reading, you'll be able to take one glance at the header and know if the email is the real deal or just another phish trying to reel you in.

Detecting Spoofed Senders: How to Read an Email Header

Checking an email header is the only way to know if an email is legit or an attempt at phishing. Here are a few things to look for:

The "From" and "Return-Path" fields should match. If not, it's a sign of email spoofing. The return path is where bounce messages go if the email can't be delivered. Scammers often forge the "From" address but forget to change the "Return-Path."

Check the SPF result. SPF stands for Sender Policy Framework: a domain publishes which mail servers may send on its behalf, and the receiving server records whether the server that delivered the message was one of them, which is how forged sender addresses are detected. Not all email services use SPF, but most major ones like Gmail and Outlook do. If SPF says "Fail" or "SoftFail," the sender address is likely spoofed.

Check the IP address. The IP address indicates the network location of the server that sent the email. Do a quick search to see whether the IP address belongs to the sender's email service. If not, it's probably spoofed.

An example of this is the image below, from a blog post by MDaemon Technologies:

"Upon a swift analysis of the message headers, it becomes evident that the return-path address is disconnected from the From address. In the event of a response to this message, it should be directed to [email protected]."

In that case the message is supposed to come from HSBC Bank.

https://blog.mdaemon.com/avoid-business-email-compromise-and-ceo-fraud-attacks-with-these-10-best-practices-to-protect-your-business

Examine the message headers. Header fields like "Received" show the path the email took to get to you. The email should pass through servers that match the sender's email service. If there are unknown servers, especially at the beginning or end of the path, it may indicate spoofing.

Inspect the contents. Phishing emails often have poor grammar, urgent language, or ask for sensitive info like passwords or account numbers. Legitimate companies don't ask for sensitive data over email.

Reading an email header takes seconds but gives you insight into the email's origin. While not foolproof, checking the header is one of the best ways to detect phishing attempts and avoid becoming another victim of fraud. Stay vigilant, and if anything seems off about an email, it's best to delete it.
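The checks above (From versus Return-Path, the SPF result, and the Received chain back to the originating IP) can be scripted. The block below is an added example, not code from the original article; it uses only Python's standard library, and the two sample header sets are constructed, modelled on the HSBC case quoted above, with placeholder domains and documentation-range IPs.

```python
# Added example (not from the original article): run the header checks
# described above over constructed messages. All addresses, hosts and
# IPs are placeholders drawn from reserved documentation ranges.
import email
import re
from email.utils import parseaddr

# Constructed sample modelled on the HSBC case quoted in the article:
# the Return-Path domain differs from the From domain and SPF failed.
PHISH_HEADERS = """\
Return-Path: <bounce@example-mailer.invalid>
Received: from mail.hsbc-secure.invalid (mail.hsbc-secure.invalid [203.0.113.7])
\tby mx.recipient.example (Postfix) with ESMTPS id ABC123
\tfor <victim@recipient.example>; Mon, 1 Jan 2024 10:00:00 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mail.hsbc-secure.invalid with SMTP; Mon, 1 Jan 2024 09:59:58 +0000
Authentication-Results: mx.recipient.example;
\tspf=fail smtp.mailfrom=example-mailer.invalid
From: "HSBC Bank" <alerts@hsbc.example>
To: victim@recipient.example
Subject: Urgent: verify your account

(body omitted)
"""

# Constructed clean counterpart: aligned From/Return-Path and SPF pass.
CLEAN_HEADERS = """\
Return-Path: <alerts@hsbc.example>
Received: from mta.hsbc.example (mta.hsbc.example [203.0.113.9])
\tby mx.recipient.example (Postfix) with ESMTPS id DEF456
\tfor <victim@recipient.example>; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=hsbc.example
From: "HSBC Bank" <alerts@hsbc.example>
To: victim@recipient.example
Subject: Your monthly statement

(body omitted)
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _unfold(value):
    """Collapse folded header continuation lines into one line."""
    return " ".join(str(value).split())


def analyze_headers(raw):
    msg = email.message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]

    # Each relay prepends its own Received line, so reversing the list
    # puts the earliest hop (closest to the real sender) first.
    hops = [_unfold(h) for h in reversed(msg.get_all("Received", []))]
    hop_ips = []
    for hop in hops:
        match = IPV4_IN_BRACKETS.search(hop)
        if match:
            hop_ips.append(match.group(1))
    origin_ip = hop_ips[0] if hop_ips else None

    # SPF outcome as recorded by the receiving server.
    auth = _unfold(msg.get("Authentication-Results", ""))
    spf_match = re.search(r"\bspf=(\w+)", auth, re.IGNORECASE)
    spf = spf_match.group(1).lower() if spf_match else "none"

    findings = []
    mismatch = _domain(from_addr) != _domain(return_path)
    if mismatch:
        findings.append(f"Return-Path domain {_domain(return_path)!r} "
                        f"differs from From domain {_domain(from_addr)!r}")
    if spf in ("fail", "softfail"):
        findings.append(f"SPF result is {spf}")
    elif spf == "none":
        findings.append("no SPF result recorded by the receiving server")
    # Postfix writes "(unknown [ip])" when the sending host has no reverse DNS.
    if hops and re.search(r"\(unknown \[", hops[0]):
        findings.append(f"earliest hop {origin_ip} has no reverse DNS name")

    return {
        "from": from_addr,
        "return_path": return_path,
        "return_path_mismatch": mismatch,
        "spf": spf,
        "hops": hops,
        "origin_ip": origin_ip,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_HEADERS), ("clean", CLEAN_HEADERS)):
        result = analyze_headers(raw)
        print(f"{label}: origin {result['origin_ip']}, spf={result['spf']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Paste the raw header block of a real message in place of the constructed sample to use it. The earliest Received line is the one to trust least: every hop below it was written by a server you can identify, while the first one was written by whoever handed the message in.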

Block Compromised IP Addresses to Prevent Phishing

Once a phishing email slips past your spam filters, one way to minimize the damage is by blocking the IP addresses it came from. Many phishing emails are sent from compromised computers, so blocking those IPs can prevent future phishing attempts.

A lot of phishing emails come from IP addresses that are already known to send spam and malware. IP blocklists are lists of these illegitimate IP addresses that many email providers and firewalls can consult to automatically block malicious emails. Using IP blocklists is an easy way to block a ton of phishing emails before they even reach you.

Of course, blocking IP addresses isn’t foolproof. Cybercriminals are constantly compromising new devices to use as spam bots, so blocklists can never contain every bad IP address. Blocking IP addresses can also sometimes block legitimate emails by accident. But when used properly, blocklisting suspicious IP addresses, especially those used to send you phishing emails directly, can be an effective way to reduce the amount of phishing that hits your inbox.

If your email service or firewall allows you to manually block IP addresses, add the ones that sent you any phishing emails that slipped through. Chances are, those same IPs will send you more phishing attempts in the future. Blocking individual IP addresses, in combination with spam filtering and email authentication, makes it much harder for phishers to reach their targets. Staying vigilant and taking measures against even a single phishing email can help strengthen your defenses over time.
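As an added example (not from the original article), the block below implements the kind of local blocklist this section describes: it checks an originating IP against a list of single addresses and CIDR ranges, consults an allowlist first so an over-broad range cannot cut off a legitimate relay (the accidental blocking the text warns about), and refuses to block your own internal relays. The list entries are constructed placeholders from documentation ranges, not a real threat feed.

```python
# Added example (not from the original article): classify a sender IP
# against a local blocklist/allowlist. List entries are constructed.
import ipaddress

# Constructed blocklist: single addresses and CIDR ranges.
BLOCKLIST = ["198.51.100.0/24", "203.0.113.7", "2001:db8:bad::/48"]

# Allowlist for relays you know are legitimate; it wins over the blocklist
# so an over-broad range cannot block a partner's mail server.
ALLOWLIST = ["198.51.100.200"]

# Your own network: internal relays show up in Received lines and must never
# be blocked. Listed explicitly rather than via ip.is_private because Python
# also treats the documentation ranges used in this example as private.
INTERNAL = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
            "127.0.0.0/8", "fc00::/7", "::1/128"]


def _networks(entries):
    # strict=False tolerates host bits set in an entry such as 10.1.2.3/8.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def classify_ip(ip, blocklist=BLOCKLIST, allowlist=ALLOWLIST, internal=INTERNAL):
    """Return 'invalid', 'internal', 'allow', 'block' or 'unknown'."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return "invalid"
    # An IPv4 address tested against an IPv6 network is simply not contained.
    if any(addr in net for net in _networks(internal)):
        return "internal"
    if any(addr in net for net in _networks(allowlist)):
        return "allow"
    if any(addr in net for net in _networks(blocklist)):
        return "block"
    return "unknown"


def add_to_blocklist(ip, blocklist):
    """Add the IP a phishing email came from; False if invalid, internal or already covered."""
    verdict = classify_ip(ip, blocklist=blocklist, allowlist=[], internal=INTERNAL)
    if verdict != "unknown":
        return False
    blocklist.append(str(ipaddress.ip_address(ip.strip())))
    return True


if __name__ == "__main__":
    for ip in ("198.51.100.23", "198.51.100.200", "10.0.0.5", "garbage"):
        print(ip, "->", classify_ip(ip))
```

Feed it the originating IP taken from the earliest Received line of a phishing message that slipped through; repeat offenders accumulate in the list, while the allowlist and internal ranges keep the list from biting your own infrastructure.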

How Spammers and Phishers Hide Their Tracks

Spammers and phishers go to great lengths to cover their tracks and hide the true source of their emails. They use various techniques to obscure details that could reveal their identity or location, making their malicious messages appear more legitimate.

Obfuscation

Scammers often use obfuscation, which means deliberately making something obscure, unclear, or unintelligible. They may insert invisible text, random characters, or misleading metadata into the email header to confuse spam filters and trick people.

  • Hidden text: Adding text with a font size of 0 points makes it invisible to the human eye but still detected by machines. This throws off spam filters.
  • Random characters: Inserting random letters, numbers, and symbols into the header, subject line or body text fools spam filters into thinking the email is legitimate.
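The hidden-text trick above can be detected on the receiving side. The block below is an added example, not code from the original article: it walks an HTML email body, flags any text inside an element styled with a zero font size, display:none or visibility:hidden, and counts zero-width characters (one way "random characters" are slipped into words). The sample message is constructed and the link domain is a reserved placeholder.

```python
# Added example (not from the original article): find text hidden from the
# reader in an HTML email body. Sample message is constructed.
import re
from html.parser import HTMLParser

# Inline styles that make text invisible to a human reader.
HIDDEN_STYLE = re.compile(
    r"font-size\s*:\s*0(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|$)"
    r"|display\s*:\s*none"
    r"|visibility\s*:\s*hidden",
    re.IGNORECASE,
)
# Zero-width characters used to split words that filters look for.
ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")
# Elements with no closing tag; they must not disturb the element stack.
VOID_TAGS = {"br", "hr", "img", "meta", "link", "input", "area", "col"}


class HiddenTextFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []            # one flag per open element: hidden or not
        self.hidden_fragments = []
        self.visible_fragments = []
        self.zero_width_count = 0

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        inherited = bool(self.stack and self.stack[-1])   # hidden parent hides children
        self.stack.append(inherited or bool(HIDDEN_STYLE.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        # Character references such as &#8203; are already decoded here.
        self.zero_width_count += len(ZERO_WIDTH.findall(data))
        text = data.strip()
        if not text:
            return
        if self.stack and self.stack[-1]:
            self.hidden_fragments.append(text)
        else:
            self.visible_fragments.append(text)


def scan_html(body):
    finder = HiddenTextFinder()
    finder.feed(body)
    finder.close()
    return {
        "hidden_fragments": finder.hidden_fragments,
        "visible_fragments": finder.visible_fragments,
        "zero_width_count": finder.zero_width_count,
        "suspicious": bool(finder.hidden_fragments) or finder.zero_width_count > 0,
    }


# Constructed sample: padding text at font-size 0, a display:none block,
# and a zero-width space inside the word "verify".
SAMPLE_HTML = """\
<html><body>
<p>Dear customer, your account has been <b>locked</b>.</p>
<p style="font-size:0px;color:#ffffff">recipe garden weather holiday photos</p>
<div style="display:none"><span>newsletter text padding the filter score</span></div>
<p>Click <a href="https://example.invalid/verify">here</a> to ver&#8203;ify now.<br>Thanks</p>
</body></html>
"""

if __name__ == "__main__":
    report = scan_html(SAMPLE_HTML)
    print("hidden:", report["hidden_fragments"])
    print("zero-width characters:", report["zero_width_count"])
```

Hidden fragments are worth surfacing to whoever triages the message: text the reader was never meant to see is written for the filter, not for them.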


Mimicry

Phishers are masters of mimicry and impersonation. They spoof email addresses, website URLs, company logos, and more to closely imitate a trustworthy source. Some even register domain names and build replica sites nearly indistinguishable from the real thing. These tactics allow them to carry out targeted spear phishing campaigns against individuals or organizations.

Technical tricks

Some phishing techniques require advanced technical skills and knowledge to evade detection. Things like obfuscating hyperlinks, hiding malicious redirects in JavaScript code, or including attachments with malware payloads disguised as legitimate files. The more sophisticated the technique, the harder it is for spam filters and email security systems to catch.

Staying vigilant and paying close attention to the details in every email you receive is key. Look for the telltale signs of a phishing attempt and trust your instincts—if something feels off, it probably is. With awareness and caution, you can outsmart the spammers and phishers trying to outsmart you.

Raising Cybersecurity Awareness to Stop Phishing

To effectively combat phishing, organizations need to implement regular cybersecurity awareness training for employees.

Educate on the Anatomy of a Phish

Teach your staff how to scrutinize emails for signs of phishing like:

  • Urging immediate action or response
  • Requests for sensitive info like passwords or account numbers
  • Poor grammar or spelling errors
  • Threats or unrealistic offers

Explaining the parts of an email header can help employees detect spoofed senders. The header shows the email's path from sender to recipient, with details like:

  1. Return-Path - Where bouncebacks go, often faked in phishing emails.
  2. Received - Timestamps and servers the email passed through. Multiple unknown servers could indicate a phish.
  3. From - Sender's name and email, easily forged.

Build a Phishing Simulation Program

Running simulated phishing campaigns helps build awareness and muscle memory in spotting attacks. Use emails with:

  • Realistic scenarios and sender names
  • Links to training resources if clicked
  • Follow up to reinforce learning

Promote a Culture of Vigilance

  • Share news of the latest phishing techniques and real examples of phishing emails detected.
  • Recognize and reward employees who report phishing attempts.
  • Repeat training and run simulations regularly—awareness fades over time without reinforcement.

Phishing is one of the biggest threats businesses face today. With education and practice at the center of your cybersecurity strategy, employees can become your best defense against these harmful attacks. Continuous awareness and vigilance are key to stopping phishing in its tracks.

FAQ: Common Questions About Email Headers and Phishing Detection

What do the “From,” “To,” and “Subject” fields tell me?

The “From,” “To,” and “Subject” fields in an email header are easily spoofed by phishers and can’t be solely relied upon. However, there are a few things you can look for:

  • Does the “From” address match who the email claims to be from? If not, that’s a red flag.
  • Is the “To” address a mass mailing or does it specifically name you? Phishers often use mass mailings.
  • Is the subject line urgent, alarming or too good to be true? If so, it’s probably phishy.

What other fields should I examine?

Other useful header fields for phishing detection include:

  • Received: Shows the path the email took to get to you. Look for unfamiliar servers or IP addresses, as phishers often spoof these.
  • DKIM/SPF: Used to verify the sender’s identity. If missing or invalid, it could indicate a phishing attempt.
  • Message-ID: Should be unique. If duplicated, it’s likely phishing.
  • Date: Check if the date/time seems logical. Phishers may use dates in the future or past.
  • Reply-To: Should match the “From” address. If not, it’s probably phishing.
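The Reply-To, Date and Message-ID checks in this list can also be automated. The block below is an added example, not code from the original article; the two messages are constructed with placeholder addresses, and the current time and the set of already-seen Message-IDs are passed in so the result is deterministic.

```python
# Added example (not from the original article): apply the Reply-To, Date
# and Message-ID checks from the FAQ to constructed messages.
import email
from datetime import datetime, timedelta, timezone
from email.utils import parseaddr, parsedate_to_datetime

# Constructed: Reply-To on a different domain, a Date one day in the
# future, and a Message-ID that was already seen.
SUSPECT_MESSAGE = """\
From: "Payroll Team" <payroll@corp.example>
Reply-To: payroll-desk@freemail.invalid
Date: Tue, 2 Jan 2024 12:00:00 +0000
Message-ID: <20240102.abc@bulk-sender.invalid>
Subject: ACTION REQUIRED: update your direct deposit

(body omitted)
"""

# Constructed clean counterpart.
CLEAN_MESSAGE = """\
From: "Payroll Team" <payroll@corp.example>
Reply-To: payroll@corp.example
Date: Mon, 1 Jan 2024 11:55:00 +0000
Message-ID: <20240101.def@corp.example>
Subject: December payslip available

(body omitted)
"""


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_faq_fields(raw, now, seen_ids,
                     max_future=timedelta(hours=1), max_age=timedelta(days=30)):
    """Return a list of findings; an empty list means nothing stood out."""
    msg = email.message_from_string(raw)
    findings = []

    # Reply-To should point back at the From domain; otherwise replies are
    # quietly diverted to a mailbox the sender controls.
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != _domain(from_addr):
        findings.append("reply_to_mismatch")

    # Date: missing or unparseable values, or implausible timestamps.
    date_hdr = msg.get("Date")
    if not date_hdr:
        findings.append("date_missing")
    else:
        try:
            sent = parsedate_to_datetime(date_hdr)
        except (TypeError, ValueError):
            findings.append("date_unparseable")
        else:
            if sent.tzinfo is None:          # a "-0000" zone yields a naive value
                sent = sent.replace(tzinfo=timezone.utc)
            if sent - now > max_future:
                findings.append("date_in_future")
            elif now - sent > max_age:
                findings.append("date_stale")

    # Message-ID should exist and be unique across what you have received.
    msgid = (msg.get("Message-ID") or "").strip()
    if not msgid:
        findings.append("message_id_missing")
    elif msgid in seen_ids:
        findings.append("message_id_duplicate")
    else:
        seen_ids.add(msgid)
    return findings


def run_example():
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed clock
    seen = {"<20240102.abc@bulk-sender.invalid>"}            # already in the mailbox
    return {
        "suspect": check_faq_fields(SUSPECT_MESSAGE, now, seen),
        "clean": check_faq_fields(CLEAN_MESSAGE, now, seen),
        "clean_again": check_faq_fields(CLEAN_MESSAGE, now, seen),
    }


if __name__ == "__main__":
    for label, findings in run_example().items():
        print(f"{label}: {findings or 'no findings'}")
```

The `seen_ids` set stands in for whatever store of received Message-IDs you keep; in a mailbox the clean message would be flagged as a duplicate only if the same ID turned up a second time, as the third call shows.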

What tools can I use to analyze email headers?

Free tools like MxToolbox's Email Header Analyzer allow you to enter an email header and get an analysis of the fields and whether anything seems phishy. These tools check all the indicators discussed above and more to determine the likelihood of an email being legitimate or phishing. While not perfect, email header analysis tools provide a good first line of defense against phishing.

Reading an Email Header in Outlook

To determine if an email is legitimate or phishing, reading the header details can provide some clues. The header contains metadata about the email that many users overlook.

Check the sender’s email address

Examine the email address of the sender, not just the display name. Phishers often spoof the display name to appear like a legitimate company. But the actual email address may look suspicious, like “[email protected]”. Legitimate companies use email addresses that match their domain name.

Inspect the IP address

The header will show the IP address of the computer that sent the email. Do a search for the IP address to see its origin and whether it’s been used to send spam before. Most legitimate companies use dedicated IP addresses that remain consistent.

Analyze the subject line

Phishing emails frequently have urgent or alarming subject lines, often with spelling and grammar mistakes, to provoke a quick emotional response. Legitimate companies are more likely to address you by name and have a professional subject line.

Check for encryption

See if the header says the email was encrypted in transit (e.g. TLS or SSL). Most reputable companies use encryption to protect communications. If an email claims to be from your bank but lacks encryption, that's a red flag.

Look for inconsistencies

Compare the details in the header with what you know about the company. Do the sender, IP location, and content all match and make sense coming from that organization? Any mismatches, however small, could indicate a phishing attempt trying to appear legitimate.

Staying vigilant about the signs of phishing and verifying email headers can help reduce the chances of becoming a victim of phishing or a related scam. Take an extra moment to analyze emails before clicking links or downloading attachments. Your security is worth it!

Reading an Email Header in Gmail

Finding the “Show Original” Option

To view the full header of an email in Gmail, select the triple dot “More” menu at the top of the email. Choose “Show original” from the options. This will open a new window displaying the raw code behind the email.

  • The header contains information like the sender's IP address, the path the email took to reach you, and the exact date and time it was sent.
  • Scrolling through the header can help identify any delivery delays or determine if an email is legitimate or spam.

Reading the Header Details

The header is full of useful details, though the format may look complicated. Here are a few key things to look for:

  1. The “Received” lines show the path the email took to get to you, including any servers it passed through. Multiple hops could indicate a spam email.
  2. The “From” address should match the sender displayed in your inbox. A mismatch suggests a spoofed email.
  3. The “Subject” should also match. Differences here point to a phishing email.
  4. Check the “Date” to ensure the email wasn’t sent in the future. If so, it’s likely spam or a scam.
  5. Compare the sender's listed IP address to the domain in their email address. If the two don't correlate, the sender may be impersonating someone else.

Staying Vigilant

Viewing email headers is a useful way to gain insight into the messages you receive and detect phishing or spam. While the details may seem complicated, focusing on a few key areas like sender info, subject lines, and IP addresses can help determine an email’s legitimacy. Staying vigilant and double checking suspicious messages is one of the best ways to avoid fraud and scams. If something still seems off about an email after viewing the header, it’s best to delete it.

Anatomy of a phishing email: they don't look that bad anymore


So now you know what's hiding behind the scenes in those phishing emails that land in your inbox. Next time one arrives, take a few seconds to check the header details. Look for inconsistencies in the sender info or a sketchy reply-to address. See if the message is coming from an unexpected place or claims you won a prize you never entered. The clues are there if you know where to look. Staying vigilant and verifying those little details can help keep you safe from phishing attacks. Knowledge is power, my friend, so keep honing those email investigation skills. The scammers may get trickier, but with practice you'll be able to spot their shady messages from a mile away. Stay safe out there!

Zeeshan Fraz

IT Senior Advisor @MMU | SC-900 | (CompTIA Security + pending)

1 year

Great article, thank you for sharing
