Tips to Detect a Spoofed Domain https://www.crowdstrike.com/cybersecurity-101/spoofing-attacks/domain-spoofing/

    Scrutinize the domain for extra letters or numbers. Particularly look for characters that are easily mistaken for others, such as lowercase Ls and capital Is.

    Check email header information. Look in the “Received from” and “Received-SPF” fields. If the domains displayed in these fields don’t match what you know about the supposed sender, the email is spoofed. Sometimes, the data displayed in these fields will be an IP address. Check it by going to a whois lookup on a legitimate site, such as ICANN, Domain Tools or GoDaddy, and entering the IP. If the results are not what you expect, for instance if the domain appears to be hosted in Eastern Europe, then the email should not be trusted.

    If the domain appears to be correct, check that other information matches. For example, if the email seems to come from a corporate headquarters located in California, make sure any area codes in phone numbers are from the correct city. Mouse over any hyperlinks to see if they lead where you expect. Make sure the name of the business is not a subdomain: for instance, if the email seems to come from CrowdStrike, the links should not lead to crowdstrike.customersupport.com, but to customersupport.crowdstrike.com. The correct name should always appear right before the .com or other top-level domain and never first.

    Make sure there’s an SSL (secure sockets layer) certificate. An SSL certificate is a text file that authenticates the identity of a website and encrypts information sent to the server. Most websites today have SSL certificates.

    Check the SSL certificate. Make sure the domain in the certificate is the correct domain, not a spoofed domain. In Chrome or Brave, check the certificate by clicking on the padlock icon in the address bar, and then click on “Certificate (Valid)” in the pop-up. In Firefox, do the same but instead of looking for Certificate (Valid) in the popup, click on the arrow to the right of the business name and a message declaring the security of the connection status will appear. In Safari, double-click the padlock and select “Show Certificate.”

    Do not click links within the message or website. Instead, search for the entity and click on the link in the search results.
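
The look-alike character check and the subdomain check from the tips above can be automated for links pulled out of a message. The following is an added example, not part of the quoted CrowdStrike text; `classify`, the short suffix set, the confusable map and the 0.9 similarity threshold are assumptions made for illustration, and the sample links are constructed.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: tiny stand-in for the Public Suffix List; use the real list in production.
TWO_LABEL_SUFFIXES = {"co.uk", "co.jp", "com.au"}
# Characters the tips call out (l vs I) plus common digit swaps, folded to one form.
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o"})

def registrable(host):
    """Return the label right before the public suffix, joined with that suffix."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def skeleton(label):
    """Fold easily confused characters so look-alike labels compare equal."""
    return label.lower().translate(CONFUSABLES)

def classify(url, trusted):
    """Compare a link's host with the trusted registrable domain (hypothetical helper)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    reg = registrable(host)
    if reg == trusted:
        return "match"
    brand = trusted.split(".")[0]
    # Labels to the left of the registrable domain: the brand must never appear here.
    subdomain_labels = host[: -len(reg)].strip(".").split(".") if reg else []
    if brand in subdomain_labels:
        return "brand-in-subdomain"
    # Swapped characters fold to the same skeleton; extra letters stay highly similar.
    ratio = SequenceMatcher(None, skeleton(reg.split(".")[0]), skeleton(brand)).ratio()
    return "lookalike" if ratio >= 0.9 else "unrelated"

# Constructed sample links, not taken from any real message.
SAMPLE_LINKS = [
    "https://customersupport.crowdstrike.com/help",
    "https://crowdstrike.customersupport.com/login",
    "https://www.crowdstrlke.com/",
    "https://cr0wdstrikee.com/reset",
    "https://example.org/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify(link, 'crowdstrike.com'):20} {link}")
```

Anything other than `match` means the link does not lead to the trusted domain and should be treated as suspect.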

1. history



MoinQ: DNS/なりすまし/detect (last edited 2023-07-25 21:51:21 by ToshinoriMaeno)