Find out how to identify a spoofed message.
Ìý
Check the email header
Ìý
Unfortunately it is very easy to manually change the ‘To’ and ‘From’ fields to give fake information, so it can be easy to catch people out. You should always be aware of this when reading your email, even emails that have come from a trusted sender.
For example, the message below looks like it has come from UCL IT Services desk.
But look closely at the address next to the display name 'IT Services'.
- The FromÌýemail address does not match the display name.
- Even though 'UCL' is in the From email address, it is not the legitimate IT Services UCL email address.Ìý
- You should also hover over the 'click here' link. Does it go to a UCL address (https:///....)Ìýor elsewhere?
Check the Return-Path
Another option is to check where the Return-Path goes.ÌýThe Return-Path identifies where the message originated.
Note: it is possible to forge the Return-Path, but it is not done as often.
How to check the Return-Path
- Open the message in a new windowÌýby double-clicking on it.
- In the new window, click on File and then Properties.
- In theÌýInternet headersÌýsection of the Properties window, scroll down until you see Return-Path. Look at the address. Is it legitimate?
If you're not sure, do not reply to the message. It is best to contact the supposed sender by phone, TeamsÌýor using a new outgoing email message using their real email address to check if the message really came from them.
What to do if you have clicked on a link in a suspicious email
If you have responded to a spoofed email and would like advice please contact ISG via: .