I want to be able to spot a phishing email. What are the things to check when investigating and doing forensics on one?
There are some things I know to look for already, but I want to get more technical with it. Here are some things I already look for:
- verify the sender (actually looking at the sender's email address rather than just the displayed name)
- hover over the link in the email and look at the URL address listed at the bottom. If the URL looks suspicious, don't click it. I almost never click links in my email anyway.
- only attached .txt files are safe; otherwise I do not download anything attached to the email unless I was expecting it and I verified it is from the person it was supposed to come from. Found a good write-up here on how to check attachments: https://security.stackexchange.com/a/32931/22691
- I believe there is a way to check the header of the email: checking the domain name and IP address in the "Received" field, which will validate whether it was spoofed by an email spoofing site or someone with a suspicious email address. If it is just the IP address, you can check it using a site like whois.com.
- Also checking the validation results in the Received-SPF field in the header. Mail sent from permitted servers will show up as “Pass” in the Received-SPF field, which is a very strong indicator that the email is legitimate. If the results show “Fail” or “Softfail”, that’s a sign the email may be spoofed, though it’s not 100% certain since some domains don’t keep their SPF records up to date, resulting in validation failures.
- Look out for how the email was written: if it is misspelled a lot, uses spellings similar to what you would expect (making it look suspicious), sounds urgent or threatening, or asks for any personal data like passwords/social security numbers/etc.
Is there anything that I am missing?
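As an added example (not part of the original question or of any answer to it), here is the header-and-link triage described above done programmatically with Python's standard library: the real From address next to the display name, the Received chain in delivery order, the SPF/DKIM/DMARC verdicts from Authentication-Results (with a fallback to Received-SPF), and HTML links whose visible text is a URL on a different host than the href. The sample message, every host name, address and IP in it, and the `mx.example.org` authserv-id are constructed for the example.

```python
"""Triage of a suspected phishing email from its raw RFC 5322 source.

Added example, not from the original question. Uses only the standard
library. The sample message and all names/IPs in it are invented.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fake "bank" alert handed to mx.example.org by a host
# that the bank's SPF record does not list. Every value here is made up.
SAMPLE_RAW = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx.example.org (mx.example.org [198.51.100.7])
    by inbox.example.org with ESMTP id abc123;
    Tue, 3 Jan 2023 10:00:00 +0000
Received: from unknown (HELO bank.example.com) (203.0.113.45)
    by mx.example.org with SMTP;
    Tue, 3 Jan 2023 09:59:58 +0000
Received-SPF: softfail (mx.example.org: domain of bank.example.com does not designate 203.0.113.45 as permitted sender) client-ip=203.0.113.45;
Authentication-Results: mx.example.org; spf=softfail smtp.mailfrom=bank.example.com; dkim=none; dmarc=fail header.from=bank.example.com
From: "Example Bank Security" <alerts@bank.example.com>
To: victim@example.org
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account is locked. Click
<a href="http://bank.example.com.login-verify.example.net/x">https://bank.example.com/login</a>
within 24 hours.</p></body></html>
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def parse_email(raw):
    """Parse raw source into an EmailMessage; policy.default unfolds headers."""
    return message_from_string(raw, policy=policy.default)


def sender(msg):
    """(display name, address) from From:. Clients often show only the name."""
    return parseaddr(str(msg["From"]))


def received_chain(msg):
    """Received hops oldest-first as (from_host, ip, by_host).

    Each relay prepends its own Received line, so the LAST header in the
    message is the FIRST hop. Only the line your own server added can be
    trusted; hops below it were supplied by the sender and may be forged.
    IPv6 relays are reported with ip=None by this simple IPv4 regex.
    """
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        line = " ".join(str(raw).split())  # collapse folded whitespace
        m = re.search(r"from\s+(\S+)(.*?)\s+by\s+(\S+)", line)
        ip = IPV4.search(m.group(2) if m else line)
        hops.append((m.group(1) if m else "?", ip.group(1) if ip else None,
                     m.group(3) if m else "?"))
    return hops


def auth_results(msg, trusted_authserv=None):
    """spf/dkim/dmarc verdicts from Authentication-Results (RFC 8601).

    A sender can pre-insert a fake Authentication-Results header, so when
    trusted_authserv is given only headers whose authserv-id equals it are
    used. Falls back to the Received-SPF header for SPF.
    """
    results = {}
    for raw in msg.get_all("Authentication-Results", []):
        value = str(raw)
        authserv = (value.split(";", 1)[0].split() or ["?"])[0]
        if trusted_authserv and authserv.lower() != trusted_authserv.lower():
            continue  # not added by our own server: ignore it
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            results.setdefault(method.lower(), verdict.lower())
    if "spf" not in results and msg["Received-SPF"]:
        results["spf"] = str(msg["Received-SPF"]).split()[0].lower()
    return results


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def deceptive_links(msg):
    """The 'hover over the link' check: (shown text, real href) pairs where
    the text looks like a URL but the href points at another host."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = _LinkCollector()
    collector.feed(body.get_content())
    bad = []
    for href, text in collector.links:
        if not URL_LIKE.fullmatch(text):
            continue
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        if shown != urlparse(href).hostname:
            bad.append((text, href))
    return bad


def triage(raw, trusted_authserv=None):
    """Run every check on one raw message and return the findings."""
    msg = parse_email(raw)
    return {"sender": sender(msg), "hops": received_chain(msg),
            "auth": auth_results(msg, trusted_authserv),
            "deceptive_links": deceptive_links(msg)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RAW, trusted_authserv="mx.example.org").items():
        print(f"{key}: {value}")
```

Run it on a message saved as raw source ("show original"/"view source" in most clients) instead of `SAMPLE_RAW`. The first hop's IP (here 203.0.113.45) is the one to look up with whois or reverse DNS, and the `trusted_authserv` argument should be your own mail server's authserv-id, since nothing stops a sender from adding an `Authentication-Results: ... spf=pass` header of their own before your server adds the real one.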