Phishing & IP Addresses: Can You Report It?

TL;DR

Knowing a phishing attacker’s IP address isn’t enough to get them prosecuted directly, but it’s valuable evidence for law enforcement. You need to report the incident to the police and/or relevant cyber security organisations like Action Fraud in the UK. They will investigate and may require further information from you.

Reporting a Phishing Attack

  1. Gather Evidence: Before reporting, collect as much evidence as possible.
    • The phishing email itself (save it as an .eml file if possible).
    • Any links clicked in the email.
    • Screenshots of any websites involved.
    • The attacker’s IP address (see below for how to find this).
    • Dates and times of all interactions.
  2. Find the Attacker’s IP Address: There are a few ways to potentially get an IP address, but it isn’t always straightforward.
    • Email Header Analysis: The email header often contains originating server information which *may* include the attacker’s IP. This is technical; use an online email header analyzer tool (search for ‘email header analyzer’). Look for lines starting with ‘Received:’. Each mail server that handles the message adds its own ‘Received:’ line above the existing ones, so the lines nearest the top were written by your own provider. Be aware that attackers frequently spoof headers, so this isn’t always reliable.
      Example Header Snippet:
      Received: from mailserver.example.com ([192.0.2.1]) by your-mail-server.com
      
    • Links in the Email: If you *carefully* hover over a link (without clicking!), it might show the actual URL, which could reveal an IP address instead of a domain name.

      Warning: Do not click on links in phishing emails! Hovering is safer but still carries some risk.

    • Website Analysis (If you visited a site): If the email led you to a website, use an online tool like WhatIsMyIP or similar to look up the IP address associated with that domain.
  3. Report to Action Fraud: This is the UK’s national reporting centre for fraud and cyber crime. You can report online at Action Fraud or by calling 0300 123 2040.
    • Provide all the evidence you collected in step 1, including the IP address.
    • They will assess the report and may pass it on to specialist police units.
  4. Report to Your Email Provider: Most email providers (Gmail, Outlook, etc.) have a way to report phishing emails. This helps them improve their filters.
  5. Report to the National Cyber Security Centre (NCSC): While they don’t directly investigate individual cases, reporting to the NCSC helps them understand trends and improve overall cyber security in the UK.
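
For the email header analysis in step 2, this Python example (added here, not part of the original article) reads the Received headers of a saved .eml file from the top down and returns the IP that handed the message to your own provider, which is the hop recorded by a server you can trust. The sample message is constructed, and the function names and the trusted_suffix parameter (your provider's mail domain) are assumptions.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample message (not a real email); IPs are documentation ranges.
SAMPLE_EML = b"""\
Received: from mx.your-mail-server.com ([198.51.100.7])
\tby inbox.your-mail-server.com; Mon, 01 Jan 2024 10:00:05 +0000
Received: from mailserver.example.com ([192.0.2.1])
\tby mx.your-mail-server.com; Mon, 01 Jan 2024 10:00:03 +0000
Received: from localhost ([127.0.0.1])
\tby mailserver.example.com; Mon, 01 Jan 2024 10:00:01 +0000
From: "Bank" <support@example.com>

Please confirm your details.
"""

IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
BY_RE = re.compile(r"\bby\s+([^\s;]+)")

def received_hops(raw_eml, trusted_suffix):
    """Return (ip, by_host, trusted) per Received header, newest first."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        text = str(value)
        by = BY_RE.search(text)
        by_host = by.group(1).lower() if by else ""
        # Only look for the sender's IP in the "from" part, before "by".
        m = IP_RE.search(text[:by.start()] if by else text)
        ip = None
        if m:
            try:
                ip = str(ipaddress.ip_address(m.group(1)))
            except ValueError:
                pass  # bracketed text that is not a valid address
        # A header is trusted only if the server that wrote it is your provider's.
        trusted = by_host == trusted_suffix or by_host.endswith("." + trusted_suffix)
        hops.append((ip, by_host, trusted))
    return hops

def handoff_ip(raw_eml, trusted_suffix):
    """IP in the oldest header of the unbroken trusted run at the top, or None."""
    candidate = None
    for ip, _by_host, trusted in received_hops(raw_eml, trusted_suffix):
        if not trusted:
            break  # everything below this point could have been forged
        candidate = ip
    return candidate
```

A forged header can also claim your provider's name in its "by" field, so treat the result as a lead for investigators rather than proof of origin.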

Why an IP Address Isn’t Enough for Prosecution

  • IP Addresses Can Be Dynamic: Many internet service providers (ISPs) assign dynamic IP addresses, meaning they change over time. The address the attacker used at the time of the phishing attack may since have been reassigned to someone else.
  • Proxy Servers & VPNs: Attackers often use proxy servers or Virtual Private Networks (VPNs) to hide their real IP address. This makes it difficult to trace the attack back to them.
  • Location Doesn’t Equal Identity: An IP address only tells you the general location of the attacker’s internet connection, not their identity.
  • Jurisdictional Issues: The attacker might be located in another country, making prosecution more complex.

What Happens After You Report

Law enforcement will investigate based on the evidence provided. They may:

  • Request further information from you.
  • Work with ISPs to identify the owner of the IP address (if possible).
  • Collaborate with international authorities if the attacker is located abroad.