Your CFO just forwarded you a suspicious email. The sender claims to be from your bank. There's an urgent "verify your account" link, and the language is just polished enough to sound legitimate — but something feels off. Two employees in the finance department may have already clicked. You have about 30 minutes before whatever payload sits behind that link starts doing real damage: stolen credentials get used, malware phones home, or a fraudulent wire transfer clears.
Here's your forensic investigation checklist — seven steps, in the order that matters, with time estimates for each. This is not a general overview of how phishing works. This is the procedure you follow when a suspicious email lands in your inbox and you need to determine, quickly, whether it's a threat and how far the damage has spread.
Investigation checklist
- Before you start: preservation rules
- Step 1: Analyze the sender (2 min)
- Step 2: Examine the email headers (5 min)
- Step 3: Analyze links without clicking (3 min)
- Step 4: Analyze attachments without opening (3 min)
- Step 5: Check if anyone clicked (5 min)
- Step 6: Determine the phishing type
- Step 7: Report and respond
- Red flags cheat sheet
- Frequently asked questions
Before You Start: Preservation Rules
The first instinct when receiving a suspicious email is to do something — forward it to IT, click the link in a sandbox, reply to the sender to confront them. Resist every one of these impulses until you've secured the evidence. Phishing investigations have a chain-of-custody problem: if you modify, forward, or interact with the email before documenting it, you lose forensic data that might matter later.
Do NOT:
- Click any link in the email — not even to "see where it goes"
- Open any attachment — not even a PDF, not even on your phone
- Forward the email to colleagues (this spreads the threat and may trigger embedded tracking)
- Reply to the sender (confirms your address is active and monitored)
- Delete the email (you need it as evidence)
DO (before anything else):
- Screenshot the email as it appears in your inbox (visual evidence of display name, subject, preview)
- Screenshot the full email body with all links visible
- View the full message source/raw headers (Gmail: "Show original" — Outlook: File > Properties > Internet Headers)
- Save the raw
.emlfile if your client supports it (Thunderbird: File > Save As) - Note the exact time of receipt and everyone who received the same message
- If on a corporate network, note the message ID from headers for log correlation later
These preservation steps take 60 seconds and will save you significant headaches if the investigation escalates to law enforcement, legal review, or a formal incident response.
Step 1: Analyze the Sender Step 1~2 min
The sender field is the first thing most people look at and the easiest thing for an attacker to fake. Every email client shows a "display name" that the sender controls entirely. The actual sending address is often hidden behind that display name unless you deliberately look at it.
Display name vs. actual address
Phishing emails routinely use display names that impersonate legitimate companies while the actual address comes from a completely different domain:
What you see vs. what's real
Display name: Bank of America Security Team
Actual address: [email protected]
The display name looks right. The address is a lookalike domain with a zero instead of an "o" and an added "-verify" suffix. In a mobile email client with limited screen space, many people never see the actual address.
Check the domain for typosquatting
Attackers register domains that look nearly identical to legitimate ones. The most common substitutions:
- rn → m —
rnicrosoft.comlooks likemicrosoft.comin many fonts - 0 → o —
g00gle.comforgoogle.com - l → 1 —
paypa1.comforpaypal.com - Added suffixes —
amazon-security.com,microsoft-verify.net - Different TLD —
chase.coinstead ofchase.com
WHOIS the sending domain
Legitimate corporate domains are typically registered years or decades ago. Phishing domains are disposable — registered days or weeks before the campaign launches and abandoned once they're flagged.
Use our WHOIS lookup tool to check the sending domain's registration date. A domain registered within the last 30 days that claims to be from a major financial institution is almost certainly phishing. Also check the registrant: phishing domains typically use privacy-protected registration through budget registrars.
Check for SPF and DKIM records
Legitimate companies that send transactional email always publish SPF and DKIM DNS records. Use our DNS Record Locator to check the sender's domain for TXT records. If a domain claiming to be your bank has no SPF record and no DKIM key in DNS, the domain was set up hastily and is not the real thing.
Step 2: Examine the Email Headers Step 2~5 min
Email headers are the forensic backbone of any phishing investigation. They tell you where the email actually originated, which servers handled it, and whether the authentication checks passed or failed. For a full tutorial on reading headers, see our Email Header Analysis Guide. Here, we focus on what to look for during an active investigation.
Extract the headers
Paste the raw headers into our Email Header Analysis tool for an automated breakdown. The tool will parse the Received chain, authentication results, and routing information — saving you from reading raw header text line by line.
Trace the Received chain
Read the Received: headers from bottom to top — the bottom-most header is the originating server. What you're looking for:
- Does the originating IP match the claimed sender? If the email claims to be from Chase but originates from an IP address in Romania, that's a strong indicator of phishing.
- Are there unexpected relay hops? Legitimate corporate email typically passes through 2–3 servers (sender → sender's gateway → recipient's gateway). Six or seven hops through residential IPs or VPS providers are suspicious.
- Can you geolocate the sending IP? Run it through our IP lookup tool to see the country, ISP, and connection type. A "Bank of America" email originating from a residential IP in Lagos or a VPS in Amsterdam is not legitimate.
Check authentication results
Look for the Authentication-Results header (added by the receiving server). The three key checks:
| Check | Pass means | Fail means | During investigation |
|---|---|---|---|
| SPF | Sending server is authorized by the domain | Server is not in the domain's allowed sender list | spf=fail from a corporate sender = almost certainly spoofed |
| DKIM | Email content hasn't been modified and signature is valid | Signature missing, invalid, or email was altered | dkim=fail or dkim=none from a major provider = suspicious |
| DMARC | Both SPF and DKIM align with the From domain | Authentication doesn't match the claimed sender domain | dmarc=fail = the domain owner's own policy says this email isn't legitimate |
chase-security.com and sets up proper SPF, DKIM, and DMARC for that domain, authentication will pass. It just proves the email came from chase-security.com — not that chase-security.com has any connection to Chase Bank. Authentication tells you if the email is legitimately from the domain in the From field. You still have to verify that the domain itself is legitimate.Step 3: Analyze the Links Without Clicking Step 3~3 min
Phishing emails almost always contain at least one malicious link. The goal of this step is to extract every URL from the email and analyze them without visiting any of them.
Extract the real URLs
Never trust the visible link text. Hover over links to see the actual URL in your email client's status bar, or — better — view the message source (HTML) and search for href= to find every link destination. Common deceptions:
- Mismatch: Link text says
https://www.chase.com/verifybut thehrefpoints tohttps://chase-verify.evil-domain.net/login - URL shorteners:
bit.ly,tinyurl.com, oris.gdlinks hide the destination entirely. Expand them at checkshorturl.com without clicking. - Data URIs:
data:text/html;base64,...links embed an entire phishing page in the URL itself — no external hosting needed - Tracking parameters: Look for URL parameters like
?uid=,?email=, or?id=that could identify you as a specific recipient, telling the attacker you opened the email
Common phishing URL patterns
Phishing URLs follow recognizable patterns once you know what to look for:
login.microsft-verify.com— not Microsoft (misspelling + added suffix)docs-google.accountverify.net— not Google (the real domain isaccountverify.net)apple.com-secure-id.xyz— not Apple (the real domain iscom-secure-id.xyz)192.168.x.xor raw IP addresses — no legitimate company sends you to an IP address
Check URLs on scanning services
Submit suspicious URLs (by copying, never by clicking) to these free services:
- VirusTotal (virustotal.com) — scans the URL against 90+ security engines. Paste the URL in the "URL" tab.
- urlscan.io (urlscan.io) — takes a screenshot of the page and analyzes its behavior without you visiting it. Shows you exactly what the phishing page looks like.
- Google Safe Browsing (transparencyreport.google.com) — checks if Google has already flagged the URL
If the URL is already flagged by multiple engines on VirusTotal, you have strong confirmation of phishing. If it's clean across the board, the campaign may be new enough that scanners haven't caught it yet — absence of detection is not proof of legitimacy.
Step 4: Analyze Attachments Without Opening Step 4~3 min
If the phishing email has attachments, the goal is to assess risk without executing them. Modern phishing has moved well beyond the .exe attachment — although those still appear — and into file types that most people consider "safe."
Immediately suspicious file extensions
These file types can execute code directly on Windows and should never be opened from an unsolicited email:
.exe,.scr,.bat,.cmd,.com— direct executables.js,.vbs,.wsf,.ps1— script files that Windows will execute by default.msi,.dll— installer and library files.hta— HTML Application, runs with full system access.iso,.img— disk images that auto-mount on Windows 10/11, increasingly used to deliver malware
The double extension trick
Windows hides known file extensions by default. An attacker names a file invoice.pdf.exe, and Windows displays it as invoice.pdf with a PDF icon. The user thinks they're opening a PDF. They're running an executable. Always check the full filename in the raw email source or by right-clicking and checking properties.
Office documents with macros
Files with .docm, .xlsm, or .pptm extensions contain macros — executable code embedded in Office documents. These are one of the most common malware delivery mechanisms. Even regular .doc and .xls files (the old binary format) can contain macros without the "m" extension hint. If an unsolicited email asks you to "Enable Editing" and then "Enable Content," it is almost certainly attempting to execute malicious macros.
HTML attachments
An increasingly common phishing vector: the email contains an .html or .htm file attachment. When opened, it renders a local phishing page in the browser — often a convincing replica of a login page for Microsoft 365, Google Workspace, or a bank. Because it's local, it may not trigger web-based security filters. The entered credentials are sent to the attacker's server via JavaScript.
Password-protected archives
A ZIP or RAR file that requires a password (provided in the email body) is suspicious by design. The password protection exists for one reason: to prevent email security gateways from scanning the contents. Legitimate businesses do not routinely send password-protected archives via unsolicited email.
Check file hashes on VirusTotal
If you can extract the attachment without opening it (most email clients allow "Save As"), compute its SHA-256 hash and look it up on VirusTotal. On Windows: certutil -hashfile filename.ext SHA256. On Mac/Linux: shasum -a 256 filename.ext. If the hash has been seen before, VirusTotal will show you detection results from 70+ antivirus engines without you ever opening the file.
Step 5: Check If Anyone Clicked Step 5~5 min
This is where the investigation shifts from analysis to damage assessment. If the phishing email reached multiple people in your organization, you need to determine whether anyone interacted with it.
Email gateway and security logs
Search your email security platform (Microsoft Defender for Office 365, Proofpoint, Mimecast, Google Workspace Security) for:
- All recipients of the same message (use the Message ID from headers)
- Click telemetry — many email security platforms log URL clicks from rewritten/protected links
- Whether the email was quarantined for any recipients but delivered to others
DNS and proxy logs
If you operate a corporate network with DNS logging or a web proxy:
- Search DNS query logs for the phishing domain — any internal machine that resolved it likely visited the site
- Search web proxy logs for outbound connections to the phishing URL
- Check the timeframe from when the email arrived to the present
Ask recipients directly
Contact anyone who received the email through a separate channel (phone, Slack, Teams — not by forwarding the phishing email). Ask specifically: "Did you click any link or open any attachment in the email from [sender] about [subject]?"
If clicks are confirmed
Immediately escalate. The response depends on what the phishing email was trying to do:
- If credentials were entered: Reset the compromised password immediately. Enable MFA if not already active. Check the account's recent login history, sent items, and mail forwarding rules. Attackers often create forwarding rules to maintain access even after a password reset.
- If a file was downloaded/opened: Isolate the machine from the network. Do not shut it down (this can destroy forensic artifacts in RAM). Contact your IT security team or incident response provider for forensic imaging.
- If it was a BEC email and a wire transfer was initiated: Contact your bank immediately. Wire transfers can sometimes be recalled within the first 24–72 hours. File a complaint with IC3 (ic3.gov) and request the FBI's Recovery Asset Team (RAT) involvement for large amounts.
Step 6: Determine the Phishing Type Step 6~2 min
Classifying the attack helps you respond proportionally and report accurately. Phishing is not one thing — it's a category that includes several distinct attack types with different goals, methods, and damage potentials.
| Type | Goal | Key indicators |
|---|---|---|
| Credential phishing | Steal login usernames and passwords | Fake login page, "verify your account" language, link to an external site mimicking a real service |
| BEC (Business Email Compromise) | Trick an employee into a wire transfer or data disclosure | Impersonates CEO/CFO/vendor, changes payment details, urgency about invoices or deals, often no malicious link at all — just social engineering |
| Malware delivery | Install ransomware, trojans, or info-stealers | Attachment-focused, unusual file types, macro-enabled documents, asks you to "Enable Content" |
| Spear phishing | Targeted attack on a specific person | Uses personal details (your name, role, current projects), references real colleagues, often more carefully crafted than bulk phishing |
| Multi-channel / vishing | Combine email with phone or SMS | Email references a phone call ("as discussed"), includes a phone number to call, or precedes a call that references the email for credibility |
Step 7: Report and Respond Step 7~5 min
Reporting serves two purposes: it helps take down the phishing infrastructure, and it creates a paper trail that protects you and your organization if the attack succeeds partially.
Report to your email provider
- Gmail: Open the email → click the three-dot menu → "Report phishing"
- Outlook: Select the email → "Report message" in the ribbon → "Phishing"
- Apple Mail: Forward the email as an attachment to
[email protected]
These reports feed the provider's spam and phishing filters. When enough people report the same message, the provider can retroactively remove it from other recipients' inboxes.
Report to the impersonated organization
Most major companies have a dedicated phishing report address:
- PayPal:
[email protected] - Microsoft:
[email protected] - Google:
[email protected] - Apple:
[email protected] - Amazon: Report via their Message Center or forward to
[email protected]
For other companies, check for an abuse@ address or look for "report phishing" on their website.
Report to anti-phishing organizations
- APWG: Forward the phishing email to
[email protected]— the Anti-Phishing Working Group aggregates reports and shares with law enforcement and security vendors - FTC (US): reportfraud.ftc.gov
- IC3 (US, if financial loss occurred): ic3.gov
- Action Fraud (UK): actionfraud.police.uk
- NCSC (UK): Forward to
[email protected]
Block and contain
- Block the sender's domain at your email gateway (not just the individual address — attackers rotate addresses within a domain)
- Add the phishing URL and domain to your firewall or web proxy blocklist
- If you have threat intelligence sharing, push the indicators (domain, URL, IP, file hash) to your TI platform
- If credentials were compromised: force password reset, revoke active sessions, enroll in MFA, check for created forwarding rules or OAuth app grants
- If malware was executed: isolate the affected machine, initiate forensic imaging, assess lateral movement risk
Red Flags Cheat Sheet
Print this, bookmark it, or pin it somewhere visible. When you're triaging a suspicious email under pressure, this is the quick-reference checklist that surfaces the most reliable indicators.
Sender Red Flags
- Display name doesn't match the email address
- Sending domain registered within the last 30 days
- Free email service (Gmail, Yahoo, Outlook) impersonating a company
- Reply-to address is different from the sender
- Domain uses typosquatting (rn for m, 0 for o, 1 for l)
Content Red Flags
- "Your account will be suspended in 24 hours"
- Generic greeting: "Dear Customer" or "Dear User"
- Grammar or spelling errors in corporate communication
- Requests credentials, payment info, or personal data
- "Click here to verify" / "Confirm your identity"
- Unexpected urgency about routine matters
Technical Red Flags
- SPF, DKIM, or DMARC failures in headers
- Links don't match the claimed destination
- Attachments with executable extensions
- HTML loads remote images (tracking pixels)
- Sending time inconsistent with claimed sender's timezone
- Originating IP in a different country than claimed sender
Attachment Red Flags
- Double extensions:
invoice.pdf.exe - Macro-enabled Office documents (
.docm,.xlsm) - Password-protected ZIP/RAR (password in the email body)
- HTML file attachments (local phishing pages)
- ISO/IMG disk image files
- "Enable Content" or "Enable Editing" prompts
Frequently Asked Questions
What should I do if I already clicked a phishing link?
Change your password immediately for any account you may have entered credentials on. Enable multi-factor authentication if it's not already active. Check the account for unauthorized activity: look at recent login history for unfamiliar locations, check sent items for messages you didn't write, and look for new forwarding rules (attackers add these to maintain access). Run a full malware scan on the device you clicked from. If it was a work account, contact your IT security team immediately — they need to check for lateral movement, meaning whether the attacker used the compromised account to reach other systems.
How can I tell if an email is really from my bank?
Banks will never ask you to verify credentials, account numbers, or personal information via email. They also won't threaten to close your account over email or send you a "secure link" to log in. To verify: check the sender's actual email address (not the display name) by viewing the headers. Then call the bank directly using the number printed on your physical card or found on their official website — never use contact information provided in the suspicious email. Legitimate bank emails will also pass SPF, DKIM, and DMARC authentication checks, which you can verify with our Email Header Analysis tool.
Should I open a suspicious attachment in a sandbox?
Only if you have proper sandboxing tools and the training to use them. Professional-grade options include ANY.RUN (cloud-based interactive sandbox), Joe Sandbox, and Hybrid Analysis. These services detonate files in an isolated environment and record their behavior. For most people, the safer approach is to compute the file's SHA-256 hash and look it up on VirusTotal — if anyone has submitted the same file before, you'll see detection results from 70+ antivirus engines without any risk. Never open suspicious attachments on your regular work machine, even with antivirus running — zero-day malware is, by definition, not in the signature database yet.
How do I report phishing to Google or Microsoft?
In Gmail: open the email, click the three-dot menu in the upper right, and select "Report phishing." In Outlook (desktop): select the email, click "Report message" on the Home ribbon, and choose "Phishing." In Outlook.com (web): select the email, click the three-dot menu, then "Report" → "Report phishing." Both Google and Microsoft use these reports to update their phishing filters and can retroactively remove the same message from other users' inboxes. For maximum impact, also forward the email to [email protected] and, in the US, report at reportfraud.ftc.gov.
What is BEC and why is it the most expensive type of phishing?
Business Email Compromise is a targeted phishing attack where criminals impersonate executives, vendors, or trusted business partners to trick employees into wire transfers, gift card purchases, or sensitive data disclosure. Unlike commodity phishing that casts a wide net, BEC targets specific people with authority to move money and uses social engineering rather than malware. The FBI's Internet Crime Complaint Center (IC3) reported $2.9 billion in adjusted losses from BEC in 2023 alone, making it the costliest category in their annual report. BEC is expensive because it targets high-value transactions — a single successful attack can steal hundreds of thousands of dollars in a single wire transfer — and because the attack exploits human trust rather than technical vulnerabilities, making it harder for security tools to catch.
Investigate Suspicious Emails
Paste email headers into our free analyzer to check authentication, trace sender IPs, and identify spoofing attempts.
Email Header Analyzer WHOIS LookupSources and references: FBI IC3 2023 Internet Crime Report (BEC loss figures); MITRE ATT&CK Technique T1566 (Phishing) and sub-techniques; APWG Phishing Activity Trends Reports; RFC 5321 (SMTP), RFC 7208 (SPF), RFC 6376 (DKIM), RFC 7489 (DMARC). Tool recommendations (VirusTotal, urlscan.io, ANY.RUN, Google Safe Browsing) are based on industry-standard usage in incident response. This article is for informational purposes and does not constitute professional security consulting advice.