How to Spot Any Spoofed & Fake Email Ultimate Guide

Show video

If you've ever received an email that claims to be from some company but it seems suspicious, this video is for you. There are plenty of ways for scammers to spoof email addresses, but here I'll show you how to tell if one is legit, using email authentication methods most of the big websites use at least, which are the ones most targeted by scammers. I'll mostly be using Gmail for the examples here because it has the most transparent information to see, but if you use other programs I'll show you some work arounds for those too. So yes, this is about to be a 20+ minute video just about how to tell if an email is fake, and we are going down the rabbit hole so buckle up.

There's more to it than you think. And remember you can always just throw the video on a faster speed if you want. Let me be clear though, this video is specifically and ONLY going to focus on how to tell if an email is really from the website it says it's from, NOT whether the email itself is safe or a scam. It's of course a critical part of identifying scams, but if a hacker uses their own domain to send out scams, obviously the tests will show the sending domain as genuine, but the sender is still a scammer! For example, at one part later in the video I'm going to show how to view some email checks Gmail has for verifying the sender, but if you look at them and say "oh, wow they all passed.

I guess this email from Hacker@StealYourMoney.scam must be completely safe because the Google said so..." well you completeley missed the very limited purpose of them. I'll try and keep the technical jargon to a minimum and just show you exactly what to look for, but I WILL need to explain what some of these things mean, because it's important to know WHY you're looking at these clues. Unfortunately scammers are smart, so everything I mention will take a bit of critical thinking along with it.

So just try to bear with me. And Also make sure you pay attention to ALL the steps, don't stop half way through, because then you'll think you're safe, but each next step will reveal scam techniques that were NOT caught in the previous. So step 1 is going to be a bunch of different ways to check if the 'from' domain in an email is even correct.

First with some obvious examples, then with some that are extremely clever. Let's say there's en email with a subject line and content that suggests it's from some company. No matter how legit it looks, the first thing to check is the 'from' address. Now I know this we're starting out with the really obvious stuff, but remember these CAN be spoofed, however if it's NOT spoofed, it is indeed the most obvious sign of a fake email. As an example from my spam box, this email says Fidelity Investments, but when you look, it's actually a Gmail address someone made with fidelity in the name. This is why you check this first, because now this case is so obviously a scam that no further investigation is needed.

So always make sure the 'from' address domain is EXACTLY what you would expect. Many scam emails don't even try to spoof domains, because unless done right, it's more likely to be caught in a spam filter. Also keep in mind when I say 'spoof', I mean they manipulate the email address so it actually shows a legit domain even though it wasn't sent from there, which is different than what we're seeing here, which is where they use a similar looking one, but we'll cover that later. Technically this could also be called spoofing but for the purpose of this video just know that distinction I'm going to make. In general, here are some things to look for. They might use a free email service like Gmail, Hotmail, Outlook, or other obscurer services you don't recognize as free email services.

What you do need to really watch out for though, are domains they bought that are chosen to look similar to the real domain. For example, if they are trying to impersonate Paypal.com, they might register the domain "Paypal-Mail-Server.com", which some people might just assume is real. This is why I said make sure the domain is EXACTLY what you expect, and not some other similar domain. Also be careful if they use subdomains. Maybe it says "Paypal.example.com", or "Paypal.com.[a bunch of random stuff].example.com".

Where example.com is the actual domain, not the stuff before it. Nothing before the final part means anything, so always look at the root domain only. Oh and also be sure to check they didn't use letters with umlauts above them or something, or for like microsoft.com, they could use R-N-icrosoft which looks like an m but isn't, stuff like that.

Check it letter by letter. There is another technique scammers may use, though is admittedly rare but still possible, which is using foreign characters in the domain. And you might not realize that domains can actually have all sorts of unicode characters in them, including foreign characters that look EXACTLY like standard latin versions. In 2017, one researcher registered what looked like apple.com, but it was not at all.

It actually had a cyrillic 'A', which was identical looking, but actually resulted in a fake apple.com that was indistinguishable. Because of this trick, web browsers now show the decoded version in the URL bar, which looks like this. That's great for web browsers, but email software might not decode it.

And in fact, I tested a bunch of them myself, and was not happy with the results. So to do the test, first in Gmail I basically created an alias that I could send from, which included a cyrillic A, the same one from that fake apple domain in fact. I then sent myself an email from that address and looked at it using Gmail on Desktop, Windows Mail, Outlook, the iOS default Mail app, and the Gmail app on Android.

With Gmail, it did not display any kind of warning upon looking at the email, nor did it highlight or change the character. However, when I copy and pasted the address into the 'to' field, it did give me a warning which is good, but it doesn't say which letter or anything. But really in my opinion, it should really warn you as soon as you have the email open. The default Windows 10 mail app offered no help, it didn't warn me or anything.

In Microsoft 365 Outlook, it does actually show a message that tells you the email has been sent by an "international address and contains characters from multiple languages." But it's not very obvious and I still think it should highlight which characters it's talking about somehow. As for the iOS Mail app and Android's Gmail app, neither of those warned me or highlighted them in any way.

So if you're really suspicious about an email, but the domain looks totally correct, you can use tools that are out there that will identify individual text characters. You can google 'Unicode Inspector' for this site as a good one, and if we try that example with the fake apple.com domain, you just copy and paste it in. Then it says they're all latin letters, except the A says it's cyrillic, so obviously a red flag. You can also google for 'ASCII validator', which will tell you if there are any non-ascii characters.

The standard ASCII character set only contains 128 characters, all just normal upper and lower case letters and some punctuation, no weird look-alikes, so if there's anything besides those basic characters, an ascii validator should spot it. But be sure the site is NOT including Extended ASCII, which does have some letters with umlauts, but at least those are still visibly different, only just slightly. So basically to sum up Step 1, yes, we are still on step 1, you want to be 100% sure, letter by letter, that the domain is exactly correct and the official one. AGAIN, this DOES NOT guarantee the email is automatically safe, because it could theoretically be spoofed. The point is simply that if the domain IS wrong, we automatically know it's a scam right away, but otherwise we have more to check. Alright now onto step 2, where we'll take a look at several separate scam techniques, so be sure to pay attention.

The first thing we need to look at is the 'reply-to' field. In gmail you can see this by clicking this little dropdown arrow near the sender's name, and it will bring up this box, where we'll also look at the other stuff here in a minute. The reply-to field is extremely important to know about. This field tells your email program to send replies for this email to a different email than the email address that sent it. Of course it does have legitimate uses, but many times, if a scammer is spoofing a domain, they HAVE to use a different reply-to address, because they don't actually have the fake email they said they sent from.

Here's an example. And just pretend this one doesn't have a big warning and wasn't caught by the spam filter. At first glance, it looks like the email was sent by loan.uk.

But if you look at the 'reply-to', it says some gmail account. The scammer doesn't have the info@loan.uk email, so they have to use a different email to receive victims replies at.

Also watch out, because the reply email might be made to look similar. In this other email, the reply-to address is totally different than the 'from' address, but they called used the same name in it as the sender name to make it seem less suspicious. Also sometimes they won't even change the reply-to address, but instead in the body of the email itself just include text that says "send a reply at whatever email". Or of course a lot of phishing emails don't try to get you to reply, but rather click on a fake login link, or download a virus, stuff like that.

So if it doesn't say reply-to some other email address, it doesn't necessarily mean it's safe. In any case, if it looks like the email came from an official company, but the reply-to is some free email service, it's a dead giveaway it's a scam. And again later I'll show you some clues for how to tell if it's a spoofed domain like I believe this one was.

Another thing I noticed is sometimes it won't say 'reply to', but just says 'to'. Normally that would be your email address, but if it's some random other email, it might have been forwarded with a list. Like in this one it says "recipients", but it could say anything, and that could also be suspicious, just be aware that might be why. Now if you're using another email program and wondering how to see the 'reply to' address, I have some bad news for you. I tested most of the major ones: Windows Mail, Outlook, iOS default Mail app, and Android default Gmail app.

Literally the only other one that makes it easy to see the reply-to address is the Gmail app for both Android and iOS, where there's a similar dropdown. In all the others, you only see the reply-to email is AFTER you click the reply button, which is really just unacceptable in my opinion. In Outlook at least there is a workaround, if you double click a message to open it in a window, then go to File > Properties, it will show a space that says "have replies sent to", which is the reply-to address. And also below it lets you see the headers which we'll look at later.

Now let's do step 2.5 you could say. We're still going to look at this info box in Gmail, and specifically the fields that say 'mailed by' and 'signed by'. These won't always be there, but they can sometimes reveal certain attempts to spoof emails. I'll explain how these are actually determined later though. You can see in this example, it's supposedly from Frank someone, and the email address is support @ some trading website.

But below, it says 'signed by' some russian website. Also above, it says it was sent 'via' the same russian site. If gmail shows 'via', it means the domain sending the email doesn't match the From address. There are legitimate purposes for this -- many websites use mailer services to send out newsletters and stuff on their behalf, but you should still be aware of what this means. And remember, this is in gmail, but not everything else might show this info.

That being said, this is really important to understand. That 'via' thing might not always show up in gmail, even if the domain and email is being spoofed, ok? It only sometimes shows up. You'll learn why later in the video but this is again one of those things where if it shows up, it makes it a lot easier, but if not, it's NOT a guarantee that it's safe and is real. For example here's one where this is obviously a spoofed email, but it does not show 'via', so just know that. Now again, there are two that might be here, both signed-by and mailed-by.

For now just know they sort of serve the same purpose, just in a different way. Just know that basically every major tech company like Google, Facebook, Microsoft, Apple, all them should have both of these, and of course they should say that they are mailed by and signed by an official website of theirs. Also any other major company worth their salt for security should have at least one of these, and again it should match. If an email has neither, it doesn't automatically mean the email is a scam, BUT, if it comes from a really well known website that should know better, yes that is highly suspicious. So in that case, check previous emails they sent you that you know are legitimate and see what those showed. If it is indeed signed and mailed by a domain actually owned by the company, there's a good chance the email is legit, but there is one more place we can check to be more sure.

So onto step 3, we can look at the email headers. Don't let that scare you though, it's way easier than it sounds. You see there are 3 major email authentication technologies out there, which are SPF, DKIM, and DMARC. You don't have to know what these stand for, but they basically provide a way for people receiving emails to check with a website to see if they really sent a specific email. If a website has it properly set up, which again, all major tech comapanies do for all 3, it makes it easy for your email client to detect and block fake emails.

Unfortunately, not all websites use these, and even if they do, some don't 'enforce' their policies, it's called, meaning the email could still get through even if they fail the checks, but that doesn't mean you can't still check and see what the results are yourself. So back in Gmail, they make it really easy. All you do is open an email, go to the three dots, then click 'Show Original'. And here you can see the three results for the authentication tests I mentioned before: SPF, DKIM and DMARC. They might not all three be there, but that's up to the website owner. So let me give you a quick rundown of these and then I'll explain these in more detail after.

So as I've said, if it's a major website, especially for a major technology company, it should almost definitely have all three of these, and they should all say pass. DMARC is the most significant and most powerful, because it looks at both the SPF & DKIM records, and has it's own tests too. So if you check these, and they say pass, AND you're sure the domain is actually the real one, not one made to look like it, it's probably a legit email.

For other websites that are big but maybe not a mega corporation, they might not have all three, but hopefully SPF & DKIM, and they both pass, as opposed to fail. There are other possible things it might say, like 'Neutral' or 'Softfail' which I'll explain later. But if the email shows that ANY fail, I would be highly suspicious. It either means their mail server was misconfigured (which is unlikely for a massive company), or it's a fake email.

If you're using another email program, you'll have to look up how to view the 'email headers' in your specific program, then you can do Ctrl+F to search for the terms 'SPF', DKIM, and DMARC, and if they're in there, they'll show the same results as would in Gmail. Not every email program even lets you see the headers, but I showed you before how to in Outlook, you open it in in a window, then file, properties and then it's down there. You can copy and paste the whole thing, or just do control+F. I want to be VERY clear here though.

These three checks are NOT "is this a scam" tests. Their ONLY purpose is to check whether the email originated from the domain it says, or at least was authorized by the domain. If a scammer registers their own domain, and sends scam emails from that domain, they can configure all those checks and it will show pass for all of them, but that just tells you "yes this was indeed sent by this scam domain".

So this is why I put so much emphasis on checking that there was nothing funny going on with the domain name in Step 1, because nothing else we do matters otherwise. And I'll say yet again, if the email seems suspicious enough, no matter what, just be safe and assume it's a scam because you never know, maybe that person at that company got their email hacked and is being used to send out legit emails that are still scams. In fact, I found one very interesting scam email where exactly that happened.

So check this email out. It was in my spam box, but it actually claimed to be from a .gov email, which is unusual. I did immediately know it was a scam because just by what it said in the body which was "oh you win 600,000 dollars", and I looked at the reply-to address and it was some hotmail address, so yea pretty obvious.

But I also looked and saw it said both signed-by and mailed-by erie.gov, and in the headers, all three checks passed. And yes I also checked for any weird characters, and nope they are all legit. So you might be wondering, how this could have possibly happened? Well I looked up the person's name and apparently they're the sheriff of this town called Erie, and that's their site. So I have to assume the simplest explanation, which is the guy got his account phished or stolen somehow, and someone used it to send out scam emails.

And if the scammer hadn't made it so freakin obviously a scam, they probably could have gotten a lot of people. Just goes to show that no matter what you see, some critical thinking is your last defense. Ok so now let me get into more detail about some stuff you might see when checking these fields. I'm going to keep it simple for now, and afterwards for those of you who want to actually know how these checks specifically work can stick around.

First, SPF. This helps verify that the server sending the email with a particular domain address is authorized to do so. However, it's the easiest to spoof to pass of the three, so a pass doesn't necessarily mean much, but a fail is definitely bad and not to be trusted, that means it is in no way allowed to send that email. If you're wondering, "Wait, how are the security tests spoofed", well I'll talk about that later. If it's neutral, it's basically the same as it not being enabled at all, which is just bad policy and also pretty suspicious. A softfail is the same as a fail and is highly suspicious, and means the domain owner said 'even if this check fails, accept the emails anyway'.

It doesn't 100% mean it's fraudulent, and could easily just be because the mail server is misconfigured, especially if they're using a third party mailer service, but still don't trust it too much. The only exception might be if there is also BOTH passing DKIM and DMARC records despite being a softfail. Next, DKIM. This tells you that the email has not been altered in transit, and was written by who it says it was. But again you still want to see DMARC with it, because yes it could be a passing DKIM record, but that record could be for a site that is not even matching the From domain.

So it's not a 100% guarantee, though I will say in my experience, it seems that DKIM spoofing is quite a bit rarer than SPF. But, you might see a lot that says fail and they attempted to do it. But if you really want beyond a shadow of a doubt, DMARC is what you have to look for. A pass technically should mean the email was not altered, and also will tell you who signed the message with an encrypted key. In gmail, it actually says "with domain" and then the website.

If you're using Gmail here is where you really do have an advantage because it allows you to easily see the true signer of an email. And with this information shown, you can sort of do a DMARC-like test yourself, by looking and seeing if the domain here is the same as the one in the From sender. That's called 'alignment', that's also what DMARC checks for, for both SPF and DKIM. However this is really important. If it fails, then don't even bother checking if it matches, because that's faked anyway if it fails. Only bother checking for a match if it passes, because if it passes that means there was a legit signature somewhere, and you just want to make sure that legit signature comes from the actual sender domain.

In other words, if it passes, then yes you can see the true signer of the email. But if it fails, that means they SAID they were signing for that domain, but they failed, which means you can only know that that is NOT the domain it came from. And if you're not using Gmail and using a service that doesn't show you all this information.

Then really you just have to rely on whether there's a DMARC record, and if there's not, then you don't necessarily want to trust it if it's suspicious. Now if it passes, but the domain is not the same as the From address, and not an official site by the company, it means they sent a valid certificate, but it has nothing to do with the site it says as being from. And by the way, if the signing domain is not the same as the From domain, whether fully legitimate and authorized or not, that's actually when you see the 'via' thing show up in Gmail. But again that only happens if it's a valid, passing signature.

Like in this example, the domain is obviously spoofed. But, because it failed the checks, Google doesn't know where it came from, so it can't tell you, and it does not say 'via'. So do NOT assume that it isn't spoofed just because 'via' isn't there.

You always want to make sure that there is an actual valid AND matching DKIM or SPF record. Next if you see fail, obviously don't trust it, because it means either the email was altered in transit somehow, or could be faked, and at best a bad configuration. 'None' means the sender didn't sign it, which basically means nothing. 'Policy' means it was signed, but not configured in a way that is acceptable, so basically useless.

'Neutral' means it's either not signed or had a syntax error. So really the only one you can trust is a pass. so basically from my understanding, even if there is not a DMARC record, IF DKIM passes, and the signing domain is an official one for the correct website, that should be fine, because that's the big thing DMARC checks for, called alignment, which we can see here ourselves. Also be aware that a lot of big companies have free email services that scammers can use to send out scam emails.

For example, Microsoft, they have one through Office 365. And I believe that sends out one via "onmicrosoft.com". So if you see one that says "onmicrosoft.com", just know that's not really from Microsoft,

someone could have set that up and sent out emails via that, and someone might say "oh well it's sent via Microsoft, it must be trustworthy", but NO. Anyone could have really done that, so don't necessarily trust it if it's not matching the domain that was sent. Speaking of DMARC, I kind of already just said what it does. It looks at the SPF and DKIM records, and makes sure they were actually testing for the domain that is shown to the user in the 'from' field, and not some other random domain. Because obviously it would be useless if a scam email claiming to be from Paypal.com goes out, but includes SPF and DKIM records for 'scam.example.com', those two might pass,

but have nothing to do with paypal.com. That's why DMARC is so critical. Oh and by the way, those 'mailed-by' and 'signed-by' fields in the other gmail window basically correspond to the SPF and DKIM records as passing. If DMARC passes, it means you can be pretty darn confident the email is at least not spoofed or faked, but again make sure you check the 'from' address for any look alikes.

But if it has DMARC and fails, I would be highly suspicious. It could be a bad configuration of the email server, or it could be a more sophisticated attack, like this one I actually found that claimed to be from the IMF, International Monetary Fund, but obviously wasn't. With this one you can see that the headers show the SPF actually passes, but the DMARC fails. And on the email page, you can see it says mailed-by and this "bouncev02" dot "inter-net" whatever this is.

And here, "mailed-by" corresponds with the SPF record. But this is not IMF.org, this is some random website. That's why it says 'via' there.

Therefore, obviously this SPF pass is actually a pass of the "inter.net" domain, not the IMF. So they actually spoofed the headers to tell email clients to check SPF for a domain that is not even the IMF. Luckily with this though, IMF does have DMARC, so we can see that it obviously is fake.

But even if it didn't, now you can go look and see if the 'mailed-by' or 'via' thing is there. And if it's another domain, especially if it's looking suspicious, could definitely be a scam. So by now you should have a much better understanding of what you can look for if you come across an email that you suspect could be fake, but might not be very obvious on the surface. At this point you you'd only have to worry about a situation where the company's servers or someone's email was hacked to send it out, which is obviously a possibility, but less likely. And now I'll go a bit more into detail about how exactly the different authentication records work.

With SPF, that stands for "Sender Policy Framework". It is MEANT to specifically just check that the 'return path' in the header, aka the original sending server, is allowed to do so. You see, whenever an email is sent by anyone, it includes a bunch of info as you'd expect, like the email address and domain it's supposedly from.

But anyone can just code their email to say 'uh yea I'm this person', so how can you tell? Well what a website can do, is create an SPF record in their public DNS records. These are visible to anyone who wants to look them up, and they also tell web browsers stuff like where their web server is. The SPF record basically say "only servers with these specific IP addresses are authorized to send emails with my domain name on them." So if you get an email from an email claiming to be from paypal.com, you, or your email program, can look at the DNS records Paypal.com publishes and see if the server this email

came from is on that authorized list. If it matches, it's a pass, and if it fails, the website can either call it a 'fail' which tells you to reject any emails that do not match, or a softfail, where the website tells you "eh even if this doesn't match just accept it anyway". Which is often used during testing, but kind of useless to keep on permanently. Next is DKIM, which stands for "DomainKeys Identified Mail". This time in the website's DNS record, there is a DKIM record containing a public encryption key that everyone can see, while the official sending server keeps the private key that no one else can see.

These encryption keys are created in a very special way, such that the private key encrypts data that can only then be decrypted by the public key, and also the other way around, where the public key encrypts data that can then only be decrypted by the private key. This is called public key encryption, and specifically "assymetric encryption". So what happens is the sending server takes the contents of the message before it sends it out, then 'hashes' the contents of the message, generates a unique string. Now very quickly, hashing just uses an algorithm that generates a unique string from some data, and ONLY that exact data will generate that string called a hash, and also, the same algorithm will always generate the same hash for that same data. It's just an easy way to tell if a file or some data matches the original, without even having the original.

Now, the reason you have to encrypt the hash, is because a scammer could just hash some scam message and send it along. But, if the authorized server encrypts the hash with the official private key, then you as the recipient get the message and generate a hash of the message's contents. You then take the encrypted hash that was sent along with the email, and decrypt it using the public key published on the official site.

If the hash you generated matches the one you decrypt that was sent along, you can now be certain of two things. First, that the message was not changed, and also the website who's public key you used to decrypt it MUST be the true sender. Because the way the keys work, you know that anything you can decrypt with your public key, MUST have been encrypted with the private key, that you know only the real website has. So it kind of does the job of SPF as well. Finally, how DMARC works, and it's easier than DKIM trust me. DMARC stands for "Domain-based Message Authentication, Reporting, & Conformance".

I sort of already touched on this before. But this is necessary because the major weakness of both SPF and DKIM are, from my understanding, that someone could basically send along an SPF and DKIM record that has nothing to do with the email the human recipient sees as the 'from address'. So people realized "wait a minute, we need to make sure SPF and DKIM are actually authenticating the address the user sees, which is basically the whole point". So if a website enables DMARC, which again is listed in the DNS records, it checks this, and also lets the website owner say what should be done about emails that fail DMARC.

The main policy options are to do nothing, quarantine or send to spam, or reject completely. There's also options for whether this applies to subdomains or not. At this point you might be thinking, if we have all these layers of security out there, why do we need to go through and check so much stuff ourselves? Shouldn't all the spam get caught? Well no. Not at all. According the site spf-all.com which is tracking SPF statistics, of the 140 million domains they checked, 80% of those domains had no SPF record at all.

And SPF record is usually considered the most basic bare minimum security. Now not every domain necessarily is used for email, and the biggest sites definitely use it, but still. But here's more. Of the 20% that do have SPF, only 32% use the strict method saying to outright reject failed matches. Another 33% use a policy that literally does nothing and is the equivalent of not checking at all, and a further 33% use one that's 'softfail' which may or may not cause a rejection depending on their DMARC settings, if they even have that.

Oh and the last 1% have a record that explicitly says "yea anyone can send emails on our behalf and you should accept all of them no matter what", which are all either terrible mistakes, or their goals are beyond my understanding, because that is literally giving anyone permission to impersonate your domain. Also, according to Data by a company called Farsight, only about 2.7 Million domains use DMARC.

That is a lot in absolute terms, but not compared to how many domains are out there. If the other statistics are right, then there are 26 million domains that have SPF records, so are presumably sending out emails, but only about 10% of those use the authentication record that's the best. Ohyea , and of those that do have DMARC, more than half don't even have an enforcement policy which makes it almost pointless. So that should answer the question of "why bother checking yourself". While many websites have these records, there are plenty that don't, and even many that do don't have enforcement policies to tell your mailbox software to block failures.

So then it's just up to your email software's spam filtering capability. I guess the one good thing is that scammers are probably most likely to try and impersonate the biggest sites, which are also the most likely to have the most thorough security records in place. But by now you should hopefully never fall for a spoof email again.

Of course, even if the domain address turns out to be legit, you better make sure you still know and trust the domain in the first place. That's all up to you though. So I hope you guys enjoyed the video. If you guys want to keep watching, the next video I'd recommend is talking about some of the newest scams this year, and that will probably be around for a while. So just click on that right there. And also if you want to subscribe, I make a couple new videos a week so it should be worth it.

So thanks for watching guys, I'll see you in the next one.

2021-06-13

Show video