Inside the Header: How to Spot a Spoofed Email and Protect Your Inbox

Email spoofing is one of the most effective tactics cybercriminals use today. It’s the process of forging the sender’s address so the email appears to come from someone you know and trust—like your bank, a key vendor, or even your CEO.

Spoofed emails are the entry point for most sophisticated attacks, including financial fraud, wire transfer scams, and ransomware. Since spam filters can sometimes miss a well-crafted spoof, your employees must become the last line of defense. Here is your complete guide to identifying a forged email.


🛑 The Critical Red Flag: Checking the Sender’s Real Address

The most important step in identifying a spoofed email is to look beyond the displayed name and examine the full, technical email address and the reply-to address.

1. Don’t Trust the Display Name

Your email client (Outlook, Gmail, etc.) shows the “Display Name” field most prominently (e.g., “Sarah Johnson” or “Microsoft Support”). This field is set freely by the sender and can say anything they want.

2. Check the Full Email Address

The true source is the address inside the < > brackets.

  • Legitimate Example: Microsoft Support <support@microsoft.com>

  • Spoofed Example 1 (Lookalike Domain): Microsoft Support <support@mircosoft.com> (Note the transposed ‘r’ and ‘c’ in the domain, a subtle difference that is easy to miss at a glance.)

  • Spoofed Example 2 (Wrong Domain): Sarah Johnson <sjohnson.ceo@gmail.com> (The CEO wouldn’t use a personal Gmail address for a company request.)

Action Tip: In most email programs, clicking the sender’s name or hovering over it will expand the full email address. Always do this for unexpected or suspicious emails.

3. Analyze the Reply-To Field

Sometimes a scammer will spoof the “From” address perfectly but direct any replies to a different address. In the email properties or header, check the Reply-To field. If the “From” address says accounting@yourcompany.com but the “Reply-To” says scam.payment@outlook.com, the email is fraudulent.


🔎 Technical Clues in the Email Content

Once you’ve verified the address, a few more clues can confirm a spoofing attempt:

4. Links and Attachments

  • Hover Before You Click: Before clicking any link, hover your mouse cursor over it (or long-press on mobile) to see the destination URL displayed at the bottom of the screen. If the displayed link says “microsoft.com” but the destination URL points to an IP address or a non-Microsoft domain, it’s a scam.

  • Unexpected Attachments: Never open an attachment you weren’t expecting, especially if it has a generic name like “Invoice.zip” or “Payment_Details.pdf.” These often contain malware or ransomware.

5. Sense of Urgency or Threat

Spoofers use social engineering to bypass your logic. They create panic to make you act without thinking. Be wary of language that suggests:

  • Immediate Loss: “Your account will be suspended in 24 hours!”

  • Confidential Request: “This is a secret project—send me the wire transfer details immediately.”

  • Unusual Requests: A supposed manager or executive demanding immediate gift card purchases or a swift wire transfer to a new, unfamiliar account.

6. Poor Grammar and Formatting

While highly professional spoofing exists, many attempts still contain noticeable errors in spelling, grammar, or company branding/logos. Legitimate institutions rigorously proofread all communications.


🛡️ Your Complete Protection Plan

Stopping spoofing requires a layered defense strategy for your business:

  • Enable Multi-Factor Authentication (MFA): Even if a scammer steals credentials via a spoofed email, MFA prevents them from logging in without the second-factor code. This is non-negotiable.

  • Implement Email Authentication: Ensure your business domain is protected with technical standards like SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance). These protocols help receiving servers identify and reject emails spoofed with your domain.

  • User Training: Conduct mandatory, regular training and simulated phishing campaigns to teach employees how to manually check headers and report suspicious emails.
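The header checks from steps 2 and 3 (wrong From domain, mismatched Reply-To) together with the SPF/DKIM/DMARC verdicts a receiving server records in the Authentication-Results header, as an added example that is not part of the original article. The sample message, the domain yourcompany.com and the function names are constructed for illustration; it uses only the Python standard library.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample (not a real message): CEO display name on a personal
# Gmail address, replies diverted elsewhere, and failing SPF/DMARC checks.
SAMPLE = """\
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=bulk-sender.example.org;
 dkim=none;
 dmarc=fail header.from=yourcompany.com
From: "Sarah Johnson (CEO)" <sjohnson.ceo@gmail.com>
Reply-To: scam.payment@outlook.com
To: staff@yourcompany.com
Subject: Urgent wire transfer

Please send the wire transfer details immediately.
"""

def domain_of(addr):
    """Return the lowercase domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def header_findings(raw, trusted_domain):
    """Run the article's header checks; returns a list of finding labels."""
    msg = message_from_string(raw, policy=default)
    findings = []
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)
    # Step 2: the real address is outside the domain the sender claims to be from
    if from_dom and from_dom != trusted_domain.lower():
        findings.append(f"from-domain-mismatch:{from_dom}")
    # Step 3: Reply-To sends answers to a different domain than the From address
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"reply-to-mismatch:{domain_of(reply_addr)}")
    # Protection plan: anything other than "pass" for SPF, DKIM or DMARC is a flag
    auth = str(msg.get("Authentication-Results", ""))
    for proto in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{proto}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            findings.append(f"{proto}-{m.group(1).lower()}")
    return findings

if __name__ == "__main__":
    for finding in header_findings(SAMPLE, "yourcompany.com"):
        print("FLAG:", finding)
```

A clean message from the trusted domain with passing authentication results returns an empty list, so the function can be dropped into a mail-gateway or helpdesk triage script as-is.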

When in doubt about a strange email, do not reply. Instead, contact the supposed sender through a secondary, trusted channel—call them on their known phone number or start a new email thread entirely.