CHAPTER 15: Forensically Examining Emails

There are times when an email arrives in your inbox and you are not immediately sure whether it is a phishing email. Chapter 15 covers many of the ways anyone can further inspect an email to judge whether it is likely to be a phishing attempt.

Why Investigate?

Why would anyone want to further investigate a suspected or confirmed phishing message? Well, there are a lot of reasons, including the following:

  • Confirm the fraud.
  • Confirm details.
  • Recognize patterns and phishing campaigns.
  • Use findings to create future prevention, detection, and response controls.
  • Study the specific details and techniques used, to build general education and awareness.
  • Spot new types of phishing and hacks.
  • Confirm who it is not from.

If you are like me, you're just curious about how a particular phishing message works, where it is from, and what tricks it uses to fool unsuspecting victims. I'm especially interested when a phishing message uses a new trick that hasn't been used before (or at least I haven't seen it before). My natural curiosity often sends me down the forensic investigation rabbit hole.

Why You Should Not Investigate

Futilely hoping that you can identify the real sender of a phishing message and get them detained and prosecuted by the authorities is probably not a realistic reason for a forensic investigation. People who receive phishing messages frequently reach out to me because they want help in identifying the real-world identity ...
