TL;DR
You’ve received a suspicious email appearing to be from someone you know (or their friend). It’s likely an attempt at email spoofing. Don’t panic! This guide explains how to investigate and protect yourself.
What is Email Spoofing?
Email spoofing happens when a sender falsifies the ‘From’ address in an email header. It makes it *look* like the email came from someone else. Criminals do this for phishing, spreading malware, or other malicious purposes.
Step-by-Step Guide
- Don’t Reply or Click Links: This is crucial. Responding confirms your address is active and clicking links could install malware or lead to a fake website designed to steal your information.
- Contact the Person Directly (Out of Band): The most important step! Call them on their known phone number, text them, or speak to them in person. Do not reply to the email. Ask if they sent the email and if they recognise the content.
- Examine the Email Header: This is a bit technical but provides valuable clues.
- Find the Full Header: The method varies depending on your email provider (Gmail, Outlook, etc.).
- Gmail: Open the email. Click the three vertical dots next to ‘Reply’. Select ‘Show original’.
- Outlook (Desktop): Double-click the email to open it in a new window. Go to File > Info > Properties. Look for ‘Internet headers’.
- Outlook (Web): Open the email. Click the three dots and select ‘View source’.
- Look for Discrepancies: Pay attention to these header fields:
- Received: from ... – These show the path the email took. Look for unusual server names or IP addresses.
- Return-Path: ... – This is often different from the ‘From’ address in a spoofed email.
- SPF (Sender Policy Framework): Should be ‘pass’ if legitimate. A ‘fail’, ‘softfail’, or ‘neutral’ indicates potential problems. Example header line:
Received-SPF: pass (google.com: domain of [email protected] designates 5.76.123.45 as permitted sender) client-ip=5.76.123.45;
- DKIM (DomainKeys Identified Mail): Should be ‘pass’ if legitimate. Example header line:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=example.com; s=default; t=...
- Report the Email as Phishing/Spam: Most email providers have a ‘Report phishing’ or ‘Report spam’ button. Use it! This helps them improve their filters.
- Gmail: Click ‘Report phishing’.
- Outlook: Select ‘Junk’ > ‘Phishing’.
- Check Your Accounts for Suspicious Activity: If you’re concerned, change your passwords on important accounts (email, banking, social media). Enable two-factor authentication wherever possible.
- Inform the Person Whose Identity Was Used: Let them know their email address may have been compromised and advise them to be vigilant about suspicious emails they receive. They should also check their own account security.
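One way to automate the header checks from the ‘Examine the Email Header’ step, as an added example that is not part of the original guide: a small Python script that parses a raw message (the text you get from ‘Show original’ or ‘View source’) with the standard library’s email module and flags a From/Return-Path domain mismatch, a non-pass SPF or DKIM verdict, and a DKIM signing domain that differs from the From domain. Both sample messages, and every server name, address and IP in them, are constructed for this example.

```python
import re
from email import message_from_bytes
from email.utils import parseaddr

# Constructed sample 1: a message claiming to be from alice@example.com whose
# envelope sender and sending relay belong to another domain, with SPF softfail
# and no DKIM signature. All names, addresses and IPs are made up.
SAMPLE_SPOOFED = b"""Return-Path: <bounce@mail-relay.example.net>
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby inbox.example.com with ESMTPS id abc123
Received: from mail-relay.example.net (unknown [203.0.113.7])
\tby mx.example.org with ESMTP id def456
Received-SPF: softfail (mx.example.org: domain of transitioning bounce@mail-relay.example.net does not designate 203.0.113.7 as permitted sender) client-ip=203.0.113.7;
Authentication-Results: mx.example.org; spf=softfail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Alice" <alice@example.com>
To: bob@example.com
Subject: Urgent - please read
Date: Mon, 1 Jan 2024 10:00:00 +0000

Hi Bob, please open the attached invoice.
"""

# Constructed sample 2: the same sender as it looks when the message really came
# from example.com's own mail server (SPF pass, DKIM pass, domains aligned).
SAMPLE_LEGIT = b"""Return-Path: <alice@example.com>
Received: from mail.example.com (mail.example.com [198.51.100.5])
\tby inbox.example.com with ESMTPS id ghi789
Received-SPF: pass (inbox.example.com: domain of alice@example.com designates 198.51.100.5 as permitted sender) client-ip=198.51.100.5;
Authentication-Results: inbox.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=default;
\th=from:to:subject:date; bh=CONSTRUCTEDBODYHASH=; b=CONSTRUCTEDSIGNATURE=
From: "Alice" <alice@example.com>
To: bob@example.com
Subject: Lunch on Friday?
Date: Mon, 1 Jan 2024 10:00:00 +0000

Still on for Friday?
"""


def _domain(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _auth_results(msg):
    """spf=/dkim=/dmarc= verdicts recorded by the receiving server, if any."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            verdicts.setdefault(method.lower(), verdict.lower())
    return verdicts


def _received_spf(msg):
    """First token of Received-SPF (pass/fail/softfail/neutral/...), if present."""
    value = msg.get("Received-SPF")
    return value.split(None, 1)[0].lower() if value else None


def _dkim_domain(msg):
    """The d= signing domain from DKIM-Signature, or None if the message is unsigned."""
    sig = msg.get("DKIM-Signature")
    if not sig:
        return None
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags.get("d", "").lower() or None


def received_hops(msg):
    """(server name, IP) for each Received header, nearest to you first."""
    hops = []
    for rec in msg.get_all("Received", []):
        flat = " ".join(rec.split())  # unfold continuation lines
        m = re.search(r"from\s+(\S+).*?\[([0-9A-Fa-f.:]+)\]", flat)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def triage(raw_message):
    """Parse a raw message and return the header facts plus a list of red flags."""
    msg = message_from_bytes(raw_message)
    from_domain = _domain(msg.get("From"))
    return_path_domain = _domain(msg.get("Return-Path"))
    auth = _auth_results(msg)
    spf = auth.get("spf") or _received_spf(msg) or "none"
    dkim = auth.get("dkim") or ("unverified" if msg.get("DKIM-Signature") else "none")
    dkim_domain = _dkim_domain(msg)

    flags = []
    if return_path_domain and return_path_domain != from_domain:
        flags.append("return-path-mismatch")
    if spf != "pass":
        flags.append("spf-" + spf)
    if dkim != "pass":
        flags.append("dkim-" + dkim)
    elif dkim_domain and dkim_domain != from_domain:
        flags.append("dkim-domain-mismatch")  # signed, but not by the From domain
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "spf": spf,
        "dkim": dkim,
        "dkim_domain": dkim_domain,
        "hops": received_hops(msg),
        "flags": flags,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED), ("legitimate", SAMPLE_LEGIT)):
        print(label, triage(raw))
```

Save the full header text to a file, read it as bytes and pass it to triage(). Treat the flags as indicators, not proof: mailing lists and bulk-mail services legitimately produce a Return-Path mismatch, and a missing Authentication-Results header only means your provider did not record a verdict, so the out-of-band call to the sender is still the deciding step.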