There are times when an email arrives in your inbox when you are not immediately sure if the email is a phishing email or not. Chapter 15 will cover many of the ways anyone can use to further inspect an email to see if it is likely to be a phishing attempt or not.

Why Investigate?

Why would anyone want to further investigate a suspected or confirmed phishing message? Well, there are a lot of reasons, including the following:

• Confirm the fraud.
• Confirm details.
• Recognize patterns and phishing campaigns.
• Use findings to create future prevention, detection, and response controls.
• See specific details and attempts to gain general education and awareness.
• Spot new types of phishing and hacks.
• Confirm who it is not from.

If you are like me, you're just curious about how a particular phishing message works, where it is from, and what tricks it uses to fool unsuspecting victims. I'm especially interested when a phishing message uses a new trick that hasn't been used before (or at least I haven't seen it before). My natural curiosity often sends me down the forensic investigation rabbit hole.

Why You Should Not Investigate

Futilely hoping that you can identify the real sender of a phishing message and get them detained and prosecuted by the authorities is probably not a realistic reason for a forensic investigation. People who receive phishing messages frequently reach out to me because they want help in identifying the real-world identity ...