
How to Tell if an Email Has Been Spoofed

by on November 01, 2018
in Computer Safety & Support, Computers and Software, Tips & How-Tos, Privacy, Tech 101 :: 8 comments

There are numerous email scams that land in your inbox every day, from malware-ridden attachments supposedly from a friend to IRS impersonators to blackmailers threatening to expose you for watching porn. And what makes many of these scams harder to recognize is that they rely on a “spoofed” email address to make it appear that they are coming from someone you trust (or even your own email address), rather than a scammer 6,000 miles away. So learning how to tell if an email has been spoofed is critical to protecting yourself.

Part of the reason why spoofed emails are so prevalent is that it is incredibly easy to spoof an address. Any mail server can be set up to send from a given domain (e.g. irs.gov), and there are even websites that will let you send one-off emails using any email address for free. But both of these methods leave telltale tracks that give it away as spoofed.

To find these tracks, you need to look at the email header. The header contains critical components of every email – From, To, Date and Subject – as well as detailed information about where the email came from and how it was routed to you. Importantly, it also contains the results of the verification process your email provider used to determine if the sending server has permission to send using that domain (i.e., Is this server authorized to send emails from irs.gov?).

How you view your email headers depends on which email service you’re using. For Gmail, open the email and click on the three vertical dots next to the reply arrow and select “Show Original”. For other email programs, you can use this list.

Here’s an example of a spoofed email I sent from an online spoofing service pretending that it came from my own address. Looks pretty real. It says it came from my email address and if I reply, it will go to that same address. In fact, unless it was filtered into my spam box by Gmail, the email will even show up in my Sent folder, which could lead me to believe, incorrectly, that my email was hacked.

[Image: spoofed email]

But the header information gives it away as spoofed. There’s a lot of technical stuff in here, but you can ignore most of it. The two things that matter the most are the domain name and IP address in the “Received” field and the validation results in the Received-SPF field.

[Image: spoofed email header]

As you can see above, the domain name this email was sent from is emkei.cz (the email spoofing site), not Techlicious.com, so that’s a dead giveaway. But if the domain name is similar or it’s listed as just an IP address, you should check the IP address, too, and see if that passes the smell test. To do that, go to Domain Tools and enter the “from” IP address in the Received field into the Whois Lookup. When I do that with 46.167.245.206 from the example above, it tells me this is a host called emkei.cz out of the Czech Republic – not what I would expect to see if this were really an email sent by Techlicious.

Next, if we look at the Received-SPF field, we see that it is a softfail. Sender Policy Framework (SPF) is a way for a domain (e.g., Techlicious.com) to specify what servers are permitted to send mail on its behalf. Mail sent from permitted servers will show up as “Pass” in the Received-SPF field, which is a very strong indicator that the email is legitimate. If the results show “Fail” or “Softfail”, that’s a sign the email may be spoofed, though it’s not 100% certain since some domains don’t keep their SPF records up to date, resulting in validation failures.

Taken together, the sending IP address and the SPF validation will give you a very good sense of whether an email truly comes from the person purported to be sending it. And don’t forget to trust your gut. If an email sounds implausible, it probably is. Don’t respond directly or open any attachments. If it is a company, bank or government organization, find their contact information on the web and contact them directly to see if the email is legit.
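The two header checks described above, as an added example that is not part of the original article: it reads a raw message, takes the sending host and IP from the Received field and the result from the Received-SPF field, and reports both. The sample message is constructed (emkei.cz, 46.167.245.206 and the Techlicious domain come from the article; the address, queue id and dates are made up), and the function name and verdict labels are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: emkei.cz, its IP and the techlicious.com domain come from
# the article; the address, queue id and dates are made up for illustration.
RAW = """\
Received: from emkei.cz (emkei.cz. [46.167.245.206])
        by mx.google.com with ESMTPS id x1si000000abc.1.2018.11.01.10.00.00
        for <user@techlicious.com>; Thu, 01 Nov 2018 10:00:00 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning user@techlicious.com
        does not designate 46.167.245.206 as permitted sender) client-ip=46.167.245.206;
From: User <user@techlicious.com>
To: user@techlicious.com
Subject: Constructed test message
Date: Thu, 01 Nov 2018 18:00:00 +0100

Hello.
"""

# "from <host> (<rdns>. [<ip>])" as written by the receiving mail server.
HOP = re.compile(r"from\s+(\S+)\s+\([^)]*?\[([0-9A-Fa-f.:]+)\]")

def check_headers(raw):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Headers are prepended in transit, so the first hop found from the top is
    # the one recorded nearest your mailbox; lower ones can be forged.
    host = ip = None
    for value in msg.get_all("Received") or []:
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            host, ip = m.group(1).lower().rstrip("."), m.group(2)
            break
    spf = (msg.get("Received-SPF") or "none").split()[0].lower()
    host_ok = bool(host and from_domain) and (
        host == from_domain or host.endswith("." + from_domain))
    if spf in ("fail", "softfail"):
        verdict = "possible spoof"
    elif spf == "pass":
        verdict = "spf pass"
    else:
        verdict = "inconclusive"  # e.g. "none": the domain publishes no SPF record
    return {"from_domain": from_domain, "relay_host": host, "relay_ip": ip,
            "host_matches_from": host_ok, "spf": spf, "verdict": verdict}

if __name__ == "__main__":
    for key, value in check_headers(RAW).items():
        print(f"{key}: {value}")
```

A sending host that does not match the From domain is a prompt to look up the IP address, not proof of spoofing, since many domains send through third-party mail services.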

Spoofing email is just one way scammers attempt to take advantage of us. So make sure you're also on top of these 7 Common Scams We’re Still Falling For.

[Image Credit: BigStock-Woman at Computer]




lookup list

From james on November 03, 2018 :: 1:55 pm

the list you show is not good for yahoo e-mail.


Here's how to check email header for Yahoo

From Josh Kirschner on November 05, 2018 :: 10:27 am

To see the email header info in Yahoo, open the email, click the three horizontal dots in the menu at the top of the message, and then hit “View raw message”


What if the SPF-receiver is none?

From Lara on November 08, 2018 :: 2:50 pm

The title says it already.


Then it could go either way

From Josh Kirschner on November 09, 2018 :: 11:09 am

While it is best practice to set up SPF records for a domain and the vast majority of senders do it, not everyone does. So the SPF will show as “none”. In this case, you can’t confirm that it is legitimate nor tell if it is spoofed from the SPF record. So you should use common sense regarding the content of the email and, if you’re still not sure, contact the sender directly to confirm the legitimacy (and yell at them for not having an SPF record).


Your site froze my desktop!

From john on November 10, 2018 :: 7:09 pm

Too many moving parts on this site/page caused freeze on my mac-mini! Took about 5 minutes just to get here to tell you. I was going to share this on FB and Twitter but wouldn’t want to expose contacts to what seems like a malicious site in itself.


Thanks for letting us know

From Josh Kirschner on November 12, 2018 :: 6:35 pm

We monitor the performance of the site regularly to manage performance across devices. However, it’s possible that one of our ad partners was delivering a new ad that may have impacted performance, especially if you’re running on an old device. I’ll keep an eye on things to see if I can spot the issue. But rest assured, there is nothing malicious going on with the site.


Another Way to Check for Spoofed Email: Return Address of Sender

From Skeeter Sanders on November 12, 2018 :: 3:23 pm

I use Microsoft Outlook (formerly Hotmail) as my primary email service. I’ve noticed that every time I get a “spoofed” email, the sender’s address shows up right in the heading.

I’m not sure if Microsoft’s anti-phishing system is configured to expose the sender’s true email address to its users, but there have been plenty of instances in which an email supposedly coming from a major company (i.e., PayPal) shows a return address that shows anything BUT “paypal.com.” I immediately report it to Microsoft as a “Phishing Scam,” using Outlook’s drop-down reporting menu.

Microsoft has long had a very aggressive anti-spam filter—far more aggressive than either Gmail or Yahoo Mail—so why would it not also have an aggressive anti-phishing filter that exposes the sender’s true email address? I’ve used Hotmail/Outlook for more than a decade and I’ve never been fooled by spam or malware-infected email.


scam but they mentioned my former password correctly

From JBof4 on November 16, 2018 :: 4:09 am

I too received this email introducing himself, explaining how he hacked my sbc email through router, asking for 800.00 bitcoins, the threats don’t concern me, but the fact he said he would give proof by noting my password at the time of hack, it was correct (well a few letters were missing but he had the remaining exactly).  He said he hacked my email summer 2018.  I’m ignorant as to my next steps, change password again, but he said he’s following me and will still get new password, said he’s got access to my camera and takes pic of me.  Creepy.  I know it’s a scam, I’m a middle age mom & do not watch pornography, what worries me, is he referring to my iPhone or Mac or both and how did he get my password, and can he get my new password once I change it?
Thank you.
