How to Investigate a Phishing Email: A Step-by-Step Forensic Checklist

March 5, 2026 | 14 min read | Security
Home / Blog / Phishing Email Investigation

Your CFO just forwarded you a suspicious email. The sender claims to be from your bank. There's an urgent "verify your account" link, and the language is just polished enough to sound legitimate — but something feels off. Two employees in the finance department may have already clicked. You have about 30 minutes before whatever payload sits behind that link starts doing real damage: stolen credentials get used, malware phones home, or a fraudulent wire transfer clears.

Here's your forensic investigation checklist — seven steps, in the order that matters, with time estimates for each. This is not a general overview of how phishing works. This is the procedure you follow when a suspicious email lands in your inbox and you need to determine, quickly, whether it's a threat and how far the damage has spread.

Looking for the theory? This article is the practical companion to our Email Header Analysis Guide, which covers how SPF, DKIM, and DMARC work, how to read Received headers, and which providers strip IP data. If you already understand header fundamentals and need an investigation workflow, you're in the right place.
INVESTIGATION TIMELINE (~25 MINUTES) 1 Sender 2 min 2 Headers 5 min 3 Links 3 min 4 Attachments 3 min 5 Exposure 5 min 6 Classify 2 min 7 Report 5 min Preserve evidence first. Analyze in order. Report last (with findings).

Before You Start: Preservation Rules

The first instinct when receiving a suspicious email is to do something — forward it to IT, click the link in a sandbox, reply to the sender to confront them. Resist every one of these impulses until you've secured the evidence. Phishing investigations have a chain-of-custody problem: if you modify, forward, or interact with the email before documenting it, you lose forensic data that might matter later.

Do NOT:

  • Click any link in the email — not even to "see where it goes"
  • Open any attachment — not even a PDF, not even on your phone
  • Forward the email to colleagues (this spreads the threat and may trigger embedded tracking)
  • Reply to the sender (confirms your address is active and monitored)
  • Delete the email (you need it as evidence)

DO (before anything else):

  • Screenshot the email as it appears in your inbox (visual evidence of display name, subject, preview)
  • Screenshot the full email body with all links visible
  • View the full message source/raw headers (Gmail: "Show original" — Outlook: File > Properties > Internet Headers)
  • Save the raw .eml file if your client supports it (Thunderbird: File > Save As)
  • Note the exact time of receipt and everyone who received the same message
  • If on a corporate network, note the message ID from headers for log correlation later

These preservation steps take 60 seconds and will save you significant headaches if the investigation escalates to law enforcement, legal review, or a formal incident response.

Step 1: Analyze the Sender Step 1~2 min

The sender field is the first thing most people look at and the easiest thing for an attacker to fake. Every email client shows a "display name" that the sender controls entirely. The actual sending address is often hidden behind that display name unless you deliberately look at it.

Display name vs. actual address

Phishing emails routinely use display names that impersonate legitimate companies while the actual address comes from a completely different domain:

What you see vs. what's real

Display name: Bank of America Security Team

Actual address: [email protected]

The display name looks right. The address is a lookalike domain with a zero instead of an "o" and an added "-verify" suffix. In a mobile email client with limited screen space, many people never see the actual address.

Check the domain for typosquatting

Attackers register domains that look nearly identical to legitimate ones. The most common substitutions:

WHOIS the sending domain

Legitimate corporate domains are typically registered years or decades ago. Phishing domains are disposable — registered days or weeks before the campaign launches and abandoned once they're flagged.

Use our WHOIS lookup tool to check the sending domain's registration date. A domain registered within the last 30 days that claims to be from a major financial institution is almost certainly phishing. Also check the registrant: phishing domains typically use privacy-protected registration through budget registrars.

Check for SPF and DKIM records

Legitimate companies that send transactional email always publish SPF and DKIM DNS records. Use our DNS Record Locator to check the sender's domain for TXT records. If a domain claiming to be your bank has no SPF record and no DKIM key in DNS, the domain was set up hastily and is not the real thing.

Step 2: Examine the Email Headers Step 2~5 min

Email headers are the forensic backbone of any phishing investigation. They tell you where the email actually originated, which servers handled it, and whether the authentication checks passed or failed. For a full tutorial on reading headers, see our Email Header Analysis Guide. Here, we focus on what to look for during an active investigation.

Extract the headers

Paste the raw headers into our Email Header Analysis tool for an automated breakdown. The tool will parse the Received chain, authentication results, and routing information — saving you from reading raw header text line by line.

Trace the Received chain

Read the Received: headers from bottom to top — the bottom-most header is the originating server. What you're looking for:

Check authentication results

Look for the Authentication-Results header (added by the receiving server). The three key checks:

Check Pass means Fail means During investigation
SPF Sending server is authorized by the domain Server is not in the domain's allowed sender list spf=fail from a corporate sender = almost certainly spoofed
DKIM Email content hasn't been modified and signature is valid Signature missing, invalid, or email was altered dkim=fail or dkim=none from a major provider = suspicious
DMARC Both SPF and DKIM align with the From domain Authentication doesn't match the claimed sender domain dmarc=fail = the domain owner's own policy says this email isn't legitimate
Important caveat: A phishing email can pass all three checks. If the attacker registers chase-security.com and sets up proper SPF, DKIM, and DMARC for that domain, authentication will pass. It just proves the email came from chase-security.com — not that chase-security.com has any connection to Chase Bank. Authentication tells you if the email is legitimately from the domain in the From field. You still have to verify that the domain itself is legitimate.

Step 3: Analyze the Links Without Clicking Step 3~3 min

Phishing emails almost always contain at least one malicious link. The goal of this step is to extract every URL from the email and analyze them without visiting any of them.

Extract the real URLs

Never trust the visible link text. Hover over links to see the actual URL in your email client's status bar, or — better — view the message source (HTML) and search for href= to find every link destination. Common deceptions:

Common phishing URL patterns

Phishing URLs follow recognizable patterns once you know what to look for:

Check URLs on scanning services

Submit suspicious URLs (by copying, never by clicking) to these free services:

If the URL is already flagged by multiple engines on VirusTotal, you have strong confirmation of phishing. If it's clean across the board, the campaign may be new enough that scanners haven't caught it yet — absence of detection is not proof of legitimacy.

Step 4: Analyze Attachments Without Opening Step 4~3 min

If the phishing email has attachments, the goal is to assess risk without executing them. Modern phishing has moved well beyond the .exe attachment — although those still appear — and into file types that most people consider "safe."

Immediately suspicious file extensions

These file types can execute code directly on Windows and should never be opened from an unsolicited email:

The double extension trick

Windows hides known file extensions by default. An attacker names a file invoice.pdf.exe, and Windows displays it as invoice.pdf with a PDF icon. The user thinks they're opening a PDF. They're running an executable. Always check the full filename in the raw email source or by right-clicking and checking properties.

Office documents with macros

Files with .docm, .xlsm, or .pptm extensions contain macros — executable code embedded in Office documents. These are one of the most common malware delivery mechanisms. Even regular .doc and .xls files (the old binary format) can contain macros without the "m" extension hint. If an unsolicited email asks you to "Enable Editing" and then "Enable Content," it is almost certainly attempting to execute malicious macros.

HTML attachments

An increasingly common phishing vector: the email contains an .html or .htm file attachment. When opened, it renders a local phishing page in the browser — often a convincing replica of a login page for Microsoft 365, Google Workspace, or a bank. Because it's local, it may not trigger web-based security filters. The entered credentials are sent to the attacker's server via JavaScript.

Password-protected archives

A ZIP or RAR file that requires a password (provided in the email body) is suspicious by design. The password protection exists for one reason: to prevent email security gateways from scanning the contents. Legitimate businesses do not routinely send password-protected archives via unsolicited email.

Check file hashes on VirusTotal

If you can extract the attachment without opening it (most email clients allow "Save As"), compute its SHA-256 hash and look it up on VirusTotal. On Windows: certutil -hashfile filename.ext SHA256. On Mac/Linux: shasum -a 256 filename.ext. If the hash has been seen before, VirusTotal will show you detection results from 70+ antivirus engines without you ever opening the file.

Step 5: Check If Anyone Clicked Step 5~5 min

This is where the investigation shifts from analysis to damage assessment. If the phishing email reached multiple people in your organization, you need to determine whether anyone interacted with it.

Email gateway and security logs

Search your email security platform (Microsoft Defender for Office 365, Proofpoint, Mimecast, Google Workspace Security) for:

DNS and proxy logs

If you operate a corporate network with DNS logging or a web proxy:

Ask recipients directly

Contact anyone who received the email through a separate channel (phone, Slack, Teams — not by forwarding the phishing email). Ask specifically: "Did you click any link or open any attachment in the email from [sender] about [subject]?"

If clicks are confirmed

Immediately escalate. The response depends on what the phishing email was trying to do:

Step 6: Determine the Phishing Type Step 6~2 min

Classifying the attack helps you respond proportionally and report accurately. Phishing is not one thing — it's a category that includes several distinct attack types with different goals, methods, and damage potentials.

Type Goal Key indicators
Credential phishing Steal login usernames and passwords Fake login page, "verify your account" language, link to an external site mimicking a real service
BEC (Business Email Compromise) Trick an employee into a wire transfer or data disclosure Impersonates CEO/CFO/vendor, changes payment details, urgency about invoices or deals, often no malicious link at all — just social engineering
Malware delivery Install ransomware, trojans, or info-stealers Attachment-focused, unusual file types, macro-enabled documents, asks you to "Enable Content"
Spear phishing Targeted attack on a specific person Uses personal details (your name, role, current projects), references real colleagues, often more carefully crafted than bulk phishing
Multi-channel / vishing Combine email with phone or SMS Email references a phone call ("as discussed"), includes a phone number to call, or precedes a call that references the email for credibility
Source: categories adapted from MITRE ATT&CK Technique T1566 and sub-techniques
$2.9B
Adjusted losses from BEC attacks in 2023, according to the FBI's Internet Crime Complaint Center (IC3) 2023 Internet Crime Report — making BEC the single most expensive form of cybercrime, exceeding ransomware, investment fraud, and all other phishing types combined.

Step 7: Report and Respond Step 7~5 min

Reporting serves two purposes: it helps take down the phishing infrastructure, and it creates a paper trail that protects you and your organization if the attack succeeds partially.

Report to your email provider

These reports feed the provider's spam and phishing filters. When enough people report the same message, the provider can retroactively remove it from other recipients' inboxes.

Report to the impersonated organization

Most major companies have a dedicated phishing report address:

For other companies, check for an abuse@ address or look for "report phishing" on their website.

Report to anti-phishing organizations

Block and contain

QUICK DECISION TREE: IS THIS EMAIL PHISHING? Suspicious email received Sender domain match legitimate org? NO YES Typosquatted? Domain <30 days old? NO Investigate further YES Likely phishing SPF/DKIM/DMARC all pass? NO Likely spoofed/phishing YES Links go to expected domain? NO Likely phishing YES Probably safe Even emails that pass all checks can be phishing from a lookalike domain. Context and content always matter.

Red Flags Cheat Sheet

Print this, bookmark it, or pin it somewhere visible. When you're triaging a suspicious email under pressure, this is the quick-reference checklist that surfaces the most reliable indicators.

Sender Red Flags

  • Display name doesn't match the email address
  • Sending domain registered within the last 30 days
  • Free email service (Gmail, Yahoo, Outlook) impersonating a company
  • Reply-to address is different from the sender
  • Domain uses typosquatting (rn for m, 0 for o, 1 for l)

Content Red Flags

  • "Your account will be suspended in 24 hours"
  • Generic greeting: "Dear Customer" or "Dear User"
  • Grammar or spelling errors in corporate communication
  • Requests credentials, payment info, or personal data
  • "Click here to verify" / "Confirm your identity"
  • Unexpected urgency about routine matters

Technical Red Flags

  • SPF, DKIM, or DMARC failures in headers
  • Links don't match the claimed destination
  • Attachments with executable extensions
  • HTML loads remote images (tracking pixels)
  • Sending time inconsistent with claimed sender's timezone
  • Originating IP in a different country than claimed sender

Attachment Red Flags

  • Double extensions: invoice.pdf.exe
  • Macro-enabled Office documents (.docm, .xlsm)
  • Password-protected ZIP/RAR (password in the email body)
  • HTML file attachments (local phishing pages)
  • ISO/IMG disk image files
  • "Enable Content" or "Enable Editing" prompts
No single red flag is definitive. Sophisticated phishing emails may trigger only one or two. But multiple red flags in the same email, especially a sender mismatch combined with urgency language and an unexpected link, should be treated as phishing until proven otherwise.

Frequently Asked Questions

What should I do if I already clicked a phishing link?

Change your password immediately for any account you may have entered credentials on. Enable multi-factor authentication if it's not already active. Check the account for unauthorized activity: look at recent login history for unfamiliar locations, check sent items for messages you didn't write, and look for new forwarding rules (attackers add these to maintain access). Run a full malware scan on the device you clicked from. If it was a work account, contact your IT security team immediately — they need to check for lateral movement, meaning whether the attacker used the compromised account to reach other systems.

How can I tell if an email is really from my bank?

Banks will never ask you to verify credentials, account numbers, or personal information via email. They also won't threaten to close your account over email or send you a "secure link" to log in. To verify: check the sender's actual email address (not the display name) by viewing the headers. Then call the bank directly using the number printed on your physical card or found on their official website — never use contact information provided in the suspicious email. Legitimate bank emails will also pass SPF, DKIM, and DMARC authentication checks, which you can verify with our Email Header Analysis tool.

Should I open a suspicious attachment in a sandbox?

Only if you have proper sandboxing tools and the training to use them. Professional-grade options include ANY.RUN (cloud-based interactive sandbox), Joe Sandbox, and Hybrid Analysis. These services detonate files in an isolated environment and record their behavior. For most people, the safer approach is to compute the file's SHA-256 hash and look it up on VirusTotal — if anyone has submitted the same file before, you'll see detection results from 70+ antivirus engines without any risk. Never open suspicious attachments on your regular work machine, even with antivirus running — zero-day malware is, by definition, not in the signature database yet.

How do I report phishing to Google or Microsoft?

In Gmail: open the email, click the three-dot menu in the upper right, and select "Report phishing." In Outlook (desktop): select the email, click "Report message" on the Home ribbon, and choose "Phishing." In Outlook.com (web): select the email, click the three-dot menu, then "Report" → "Report phishing." Both Google and Microsoft use these reports to update their phishing filters and can retroactively remove the same message from other users' inboxes. For maximum impact, also forward the email to [email protected] and, in the US, report at reportfraud.ftc.gov.

What is BEC and why is it the most expensive type of phishing?

Business Email Compromise is a targeted phishing attack where criminals impersonate executives, vendors, or trusted business partners to trick employees into wire transfers, gift card purchases, or sensitive data disclosure. Unlike commodity phishing that casts a wide net, BEC targets specific people with authority to move money and uses social engineering rather than malware. The FBI's Internet Crime Complaint Center (IC3) reported $2.9 billion in adjusted losses from BEC in 2023 alone, making it the costliest category in their annual report. BEC is expensive because it targets high-value transactions — a single successful attack can steal hundreds of thousands of dollars in a single wire transfer — and because the attack exploits human trust rather than technical vulnerabilities, making it harder for security tools to catch.

Investigate Suspicious Emails

Paste email headers into our free analyzer to check authentication, trace sender IPs, and identify spoofing attempts.

Email Header Analyzer WHOIS Lookup

Sources and references: FBI IC3 2023 Internet Crime Report (BEC loss figures); MITRE ATT&CK Technique T1566 (Phishing) and sub-techniques; APWG Phishing Activity Trends Reports; RFC 5321 (SMTP), RFC 7208 (SPF), RFC 6376 (DKIM), RFC 7489 (DMARC). Tool recommendations (VirusTotal, urlscan.io, ANY.RUN, Google Safe Browsing) are based on industry-standard usage in incident response. This article is for informational purposes and does not constitute professional security consulting advice.

Need more lookups? View Pricing