Check email header information for signs of spoofing

by | Jan 17, 2019 | Email, Security

Think about this scenario: A friend tells you that they received a message from your email address that wasn’t really sent from you. They think you’ve been hacked and your account is sending malicious emails to friends. How do you know if your email address account has been compromised, or if this malicious attempt is just spoofing your email address?

Email “spoofing” means that an attacker is impersonating you by pretending to send an email from your account. The recipient of the email will see your email… but if you dig deeper into the email message’s contents, you can often see whether the email was truly sent from your account or only made to appear so.

This type of impersonation is possible because email messages can show a difference between “display” information and the actual information embedded in what’s called the “email header”. Spoofing is an attempt to forge the email header, taking advantage of email protocols’ lack of authentication.

How do you view an email header or the “original message”?

  • In Gmail, while viewing the email, click the More icon (three vertical dots) at the top right and select “Show original” from the list.
  • In Outlook, open the email, then go to File > Properties and look in the Internet headers

If the authenticated sender, or “from” address, in the email’s properties matches your email address, then your account was compromised. But if the sender’s email address in the properties isn’t your address, then it may have simply “spoofed” your email while actually sending from a different account.

It always pays to check email message discrepancies. Keep an eye out for display names and “from” addresses that don’t seem to match each other, or don’t match the original message properties.