CHAPTER 15: Forensically Examining Emails
There are times when an email arrives in your inbox and you are not immediately sure whether it is a phishing email. Chapter 15 covers many of the ways anyone can inspect an email more closely to judge whether it is likely to be a phishing attempt.
Why Investigate?
Why would anyone want to further investigate a suspected or confirmed phishing message? Well, there are a lot of reasons, including the following:
- Confirm the fraud.
- Confirm details.
- Recognize patterns and phishing campaigns.
- Use findings to create future prevention, detection, and response controls.
- See specific details and attempts to gain general education and awareness.
- Spot new types of phishing and hacks.
- Confirm who it is not from.
If you are like me, you're just curious about how a particular phishing message works, where it is from, and what tricks it uses to fool unsuspecting victims. I'm especially interested when a phishing message uses a new trick that hasn't been used before (or at least I haven't seen it before). My natural curiosity often sends me down the forensic investigation rabbit hole.
Why You Should Not Investigate
Futilely hoping that you can identify the real sender of a phishing message and get them detained and prosecuted by the authorities is probably not a realistic reason for a forensic investigation. People who receive phishing messages frequently reach out to me because they want help in identifying the real-world identity ...