Close
Find out how to identify a spoofed message.
Check the email header
Unfortunately it is very easy to manually change the ‘To’ and ‘From’ fields to give fake information, so it can be easy to catch people out. You should always be aware of this when reading your email, even emails that have come from a trusted sender.
For example, the message below looks like it has come from UCL IT Services desk.
But look closely at the address next to the display name 'IT Services'.
- The From email address does not match the display name.
- Even though 'UCL' is in the From email address, it is not the legitimate IT Services UCL email address.
- You should also hover over the 'click here' link. Does it go to a UCL address (https:///www.ucl.ac.uk/....) or elsewhere?
Check the Return-Path
Another option is to check where the Return-Path goes. The Return-Path identifies where the message originated.
Note: it is possible to forge the Return-Path, but it is not done as often.
How to check the Return-Path
- Open the message in a new window by double-clicking on it.
- In the new window, click on File and then Properties.
- In the Internet headers section of the Properties window, scroll down until you see Return-Path. Look at the address. Is it legitimate?
If you're not sure, do not reply to the message. It is best to contact the supposed sender by phone, Teams or using a new outgoing email message using their real email address to check if the message really came from them.
What to do if you have clicked on a link in a suspicious email
If you have responded to a spoofed email and would like advice please contact the Information Security Group.