How do I scan email headers to identify phishing attempts?

Understand how to identify and authenticate email spoofing attempts, and what to do if you interact with a malicious email.

Updated over 9 months ago

Phishing emails are one of the most common types of cyber attack used by criminals. They are most typically used to infect your computer or to steal user data through a technique called email spoofing.

Email spoofing tricks users into thinking that a message they received originated from a known or trusted source—in most cases, a colleague, vendor, or brand. In these attacks, the sender forges email headers to display a fake sender address, which most users believe to be authentic.

If you receive an email that seems suspicious:

  1. Verify that the sender’s email address has a valid username and domain name. Suspicious email addresses often look similar to “John Doe <johndoe.%[email protected]>”;

  2. Verify that the sender of an email is trusted/known, and that the tone of the message is consistent with the sender;

  3. Scan for grammatical errors, typos, or anomalies in the body of the email. Legitimate messages from companies rarely contain these types of errors;

  4. Consider the message’s tone and what is being offered. If it seems threatening or too good to be true, there’s a high probability that it’s a phishing attempt; and

  5. Take note of what’s being asked of you. The majority of companies won’t request sensitive or personal information via email.


Another way to verify the authenticity of an email is by reviewing the email’s header for clues.

  1. Confirm that the 'From:' email address matches the display name. The 'From:' address may appear legitimate at first, but closer inspection of the email headers could reveal that the email address actually associated with the display name belongs to someone else.

  2. Ensure that the 'Reply-To' header matches the source. This is typically hidden when receiving the message, and is often overlooked when responding. If the reply-to address doesn’t match the sender or the site that they claim to be from, there is a high probability that it’s been forged.

  3. Locate where the 'Return-Path' goes. The Return-Path identifies where the message originally came from. While it’s still possible to forge the Return-Path in a message header, it’s not a commonly used tactic.
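
The three header checks above can be automated on a saved message. The following Python script is an added example, not part of the original article; the sample message, its addresses, and the function names are constructed for illustration, and it assumes an exact domain comparison is what "matches" means.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message for illustration; every address is a placeholder.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
From: "IT Support <support@corp.example.com>" <helpdesk@corp-example.org>
Reply-To: billing@other.example.org
To: user@corp.example.com
Subject: Password expiry notice

Please confirm your account.
"""

ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\w")

def domain(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def check_headers(raw):
    """Run the three header checks and return a list of (check, detail) findings."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain(from_addr)
    findings = []

    # Check 1: display name shows an address that differs from the real From address.
    shown = ADDR_RE.search(display)
    if shown and shown.group(0).lower() != from_addr.lower():
        findings.append(("display-name", f"shows {shown.group(0)}, sent as {from_addr}"))

    # Checks 2 and 3: Reply-To and Return-Path should share the From domain.
    for header, label in (("Reply-To", "reply-to"), ("Return-Path", "return-path")):
        _, addr = parseaddr(msg.get(header, ""))
        if addr and domain(addr) != from_dom:
            findings.append((label, f"{addr} is outside {from_dom}"))
    return findings

if __name__ == "__main__":
    for check, detail in check_headers(SAMPLE):
        print(f"{check}: {detail}")
```

A finding is a reason to inspect the message more closely rather than proof of forgery, since legitimate mailing services can send with a Return-Path on their own domain.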


If you accidentally interact with a malicious email, stay calm and:

  1. Stop using your device;

  2. Disable Wi-Fi or disconnect any network cables so your device can’t connect to the Internet;

  3. Power off your device;

  4. Contact your IT security department if you’re using a corporate device. They can disable accounts and other device features;

  5. Change your password, passphrase, or PIN using a different device;

  6. Scan the device using anti-malware software if possible;

  7. Restore network connections only when you achieve a clean system;

  8. Perform any available updates and security patches on your device; and

  9. Monitor your accounts regularly for suspicious activity.
