You have an email. It looks legitimate and you really want to click that link, but how do you verify that it's not a phishing scam (one that will trick you into giving away personal information, money, or access to your accounts or computer)? Phishing is becoming increasingly common, so it's good to know how to identify a phishing email instead of falling for it.
We will show you where to look to have the best chance possible of identifying a phishing email instead of becoming its victim.
Step 1: Look at the from address
The from address sits next to the display name but is a different thing. The display name can be anything the sender wants to write and is not evaluated by the email authentication protocols, so it is not trustworthy; it can even be set to look like an email address. The domain of the from address is what DMARC actually evaluates.
Does the from address make sense? Make sure there are no "typos" or misspellings in the from address domain (the domain is everything after the @). If the company name is misspelled in the from address, that is not a typo; it is probably a phishing email. Is the domain what you would expect for that company? If it is, that still does not guarantee the email is legitimate (see the note below). If it is not, that is not proof of phishing either, because businesses sometimes send from a domain other than the one you would expect; but if the domain is something completely off the wall, it could well be a phishing attack. NOTE: this step matters because attackers using cousin domains (look-alike domains that pass for a particular business at a glance, e.g. paypa1.com or usgovdelivery.com) can set up SPF, DKIM and DMARC for the domains they control. Such an email can pass DMARC for the cousin domain and still be malicious: DMARC only tells you that the mail really came from the domain shown, not that the domain belongs to the company it imitates. If you are not sure what the domain should be, confirm the right email domain for that company with a search engine or by looking at other emails you have previously received from it.
Step 2: Check the domain's DMARC policy
Copy the domain from the from address and use Fraudmarc's DMARC checker to see what that domain's DMARC policy is (the policy is published as a DNS TXT record at _dmarc.<domain>, so you can also look it up with any DNS tool). The DMARC policy will help you decide how much weight to give the email.
Note on subdomains: businesses may use subdomains to send email (e.g. send.example.com rather than example.com). If you check the subdomain and there is no policy, check the main (organizational) domain next. The policy for a subdomain can either be its own separate record or be set by the main domain's record, which applies its sp tag to subdomains and falls back to its p tag when sp is absent.
- Reject: if the policy is Reject and the email landed in your inbox, it is extremely likely to be legitimate. Emails that fail DMARC are not delivered when the policy is Reject.
- Quarantine: if the policy is Quarantine and the email landed in your inbox, it is probably legitimate. Emails that fail DMARC are delivered to the spam folder when the policy is Quarantine.
- None: if the policy is None, you won't be able to tell whether it's legitimate without looking further. Emails that fail DMARC are delivered as usual when the policy is None.
- No Policy: if the domain does not publish DMARC at all, there is no way for you to verify the email other than contacting the sender through a channel you already trust (a phone number you already have, not one taken from the email). If you can't do that, we'd suggest you don't trust the email. The domain owner has not prioritized security and has left you with no way to confirm you're communicating with the right party. It would seem they don't have anything worth communicating to you after all.
Two caveats apply to the Reject and Quarantine cases. First, they assume your mail provider actually checks and enforces the sender's DMARC policy; if it does not, a failing message can still reach your inbox. Second, a DMARC pass proves only that the message really came from the domain in the from address. It says nothing about the content, so a message sent from a compromised account at a legitimate domain, or from an attacker-owned cousin domain (Step 1), will pass and still be malicious.
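The two steps above combined into one worked check. This is an added example written for this article, not Fraudmarc's checker or any code from the original page. The domains, the DMARC records (held in a dictionary that stands in for DNS so the script runs offline), the From headers and the cousin-domain heuristic (a few homoglyph substitutions plus "brand name inside a longer label") are all constructed assumptions, and the organizational-domain fallback is simplified to the last two labels where real DMARC uses the Public Suffix List.

```python
# Added example: Step 1 (From address / cousin domain) and Step 2 (DMARC policy
# with the subdomain fallback) applied to constructed headers. Not code from the
# original article; DNS, domains, records and the heuristic are all assumptions.
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups at _dmarc.<domain>.
FAKE_DNS = {
    # Organizational domain: rejects failures on itself, quarantines on subdomains (sp tag).
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com",
    # Cousin domain an attacker registered: it publishes a perfectly valid reject policy.
    "_dmarc.examp1e.com": "v=DMARC1; p=reject",
    # Subdomain with its own record.
    "_dmarc.shop.example.org": "v=DMARC1; p=none",
    # othercorp.net publishes no DMARC record at all.
}

# Constructed lookalike substitutions of the paypa1.com kind the text warns about.
HOMOGLYPHS = {"1": "l", "0": "o", "rn": "m", "vv": "w"}

VERDICTS = {
    "reject": "very likely legitimate: DMARC failures are rejected, so a forgery would not have been delivered",
    "quarantine": "probably legitimate: DMARC failures go to the spam folder",
    "none": "cannot tell from DMARC alone: failures are delivered as usual",
    None: "unverifiable: no DMARC policy; confirm out of band or do not trust it",
}


def lookup_txt(name, dns=FAKE_DNS):
    """Swap for a real TXT query (e.g. dnspython) to check live domains."""
    return dns.get(name)


def from_domain(from_header):
    """Domain of the actual address, ignoring the display name (Step 1)."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (real DMARC uses the PSL)."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) > 2 else domain


def classify_domain(domain, expected):
    """'legit-domain' (expected domain or a subdomain of it), 'cousin' (lookalike) or 'unrelated'."""
    if domain == expected or domain.endswith("." + expected):
        return "legit-domain"
    brand = expected.split(".")[0]              # "example"
    label = org_domain(domain).split(".")[0]    # "examp1e", "usexample"
    normalized = label
    for glyph, real in HOMOGLYPHS.items():
        normalized = normalized.replace(glyph, real)
    if normalized == brand or (brand in label and label != brand):
        return "cousin"
    return "unrelated"


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; sp=none' into a tag dict; None if it is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def dmarc_policy(domain, dns=FAKE_DNS):
    """(policy, domain the record came from), applying the Step 2 subdomain rule:
    the subdomain's own record first, then the organizational domain's sp tag (or p)."""
    tags = parse_dmarc(lookup_txt(f"_dmarc.{domain}", dns) or "")
    if tags:
        return tags.get("p", "none"), domain
    org = org_domain(domain)
    if org != domain:
        tags = parse_dmarc(lookup_txt(f"_dmarc.{org}", dns) or "")
        if tags:
            return tags.get("sp", tags.get("p", "none")), org
    return None, None


def assess(from_header, expected_domain, dns=FAKE_DNS):
    """Run both steps on one From header and return the findings."""
    domain = from_domain(from_header)
    if domain is None:
        return {"domain": None, "kind": "unparseable", "policy": None,
                "policy_domain": None, "verdict": "suspicious: no usable From address"}
    kind = classify_domain(domain, expected_domain)
    policy, policy_domain = dmarc_policy(domain, dns)
    if kind == "cousin":
        # Step 1 wins: a lookalike domain can publish a strict policy and still be malicious.
        verdict = "likely phishing: lookalike domain (its own DMARC policy proves nothing)"
    else:
        verdict = VERDICTS[policy]
    return {"domain": domain, "kind": kind, "policy": policy,
            "policy_domain": policy_domain, "verdict": verdict}


if __name__ == "__main__":
    # Constructed From headers, checked against the domain we expect for "Example Inc".
    for hdr in ["Example Support <help@example.com>",
                "Example Support <help@send.example.com>",
                "Example Support <help@examp1e.com>",
                '"help@example.com" <billing@othercorp.net>']:
        print(hdr, "->", assess(hdr, "example.com"))
```

The examp1e.com case is the point of running Step 1 first: the cousin domain carries a valid p=reject record, so Step 2 alone would rate it "very likely legitimate", and only the lookalike check flags it. The last header shows why the display name is ignored: it is set to a convincing address while the real sender is an unrelated domain with no DMARC at all.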