If you receive a suspected phishing email, the first thing to do is verify whether it is a legitimate email from a legitimate sender. Most phishing emails pose as an Internet Service Provider, email host, web hosting provider, or domain registrar. They may invite you to click a link or open a file in order to verify an account, or threaten you with suspension.
Why is it my job to report it?
Your email is your private digital space. It is not for any provider to snoop in. For an email hosting provider to automatically spot and report phishing emails, it would first need full access to the content of your mailbox. This differs from the process providers use to run incoming email through known spam and virus filters, and would require individual emails to be seen by prying eyes. Second, many mail administrators send test emails with goofy messages and links to their own private inboxes. Imagine if the internet blacklisted your domain name by accident because your own mail host reported you! Although you have no obligation to report phishing emails, by doing so you are making the web a safer place.
Step 1: Be Vigilant
Be smart before clicking. In most cases (but not all!), opening the actual email message in webmail or an email client will not infect a computer. I say most cases because there has been (and still is, in the wild) malware that has affected numerous webmail interfaces and clients through specially formatted emails and/or attachments. Anyway, it is pretty obvious that you and your clients/employees/family/friends will open emails, so it is important to keep your operating system and all software updated. Security is built in layers, so most security professionals would also advise you to install anti-virus and anti-malware software.
Step 2: Check the Email for Authenticity
If your email is being hosted by IONOS, you will want to use their Email Validation Service.
First, download the suspected email (NOT the attachments) as an EML or MSG file. In Outlook and Thunderbird: right click > Save As. In IONOS webmail: select the email > click the actions icon in the top right corner (three horizontal lines) > Save as file.
Next, submit the email using their Email Validation form:
https://postmaster-contact.ionos.com/us/help/email/validate
If the email was not sent from IONOS, the form will tell you so and give you the option to report the domain to IONOS. This flags any associated account if it is hosted by IONOS.
If your email is not hosted by IONOS (i.e., it is on your own server or with another host), you can analyze the email headers using MX Toolbox's email header tool:
https://mxtoolbox.com/EmailHeaders.aspx
If DMARC, SPF, or DKIM are unaligned or fail authentication, it is likely that the email is phishing, i.e. a fraudulent email.
Step 3: Find the Real Sender
If you have determined that the email is very likely a phishing attempt, you can use WhatIsMyIP's Email Header Analyzer:
https://www.whatismyip.com/email-header-analyzer/
This will give you the IP address of the computer or server that actually sent the email. Take this IP address over to a WhoIs search:
This will show you the network name ("NetName"), the organization's name ("OrgName"), and the country. If the email claims to be from Microsoft but the sending IP belongs to DigitalOcean, or to a country outside the US (or to anything other than Microsoft, really), then it is a phishing email.
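As an added example (not from the original post, and not a tool from IONOS, MX Toolbox or WhatIsMyIP), the following Python script performs the Step 2 and Step 3 checks offline on a saved .eml file: it reads the Authentication-Results header that the receiving mail server added, checks whether the SPF/DKIM/DMARC verdicts pass and align with the visible From domain, pulls the originating IP out of the Received chain, and builds the in-addr.arpa name used for a reverse (PTR) lookup of that IP. The message, domains and IP address in it are constructed for illustration.

```python
import email
import email.utils
import re

# Constructed sample: the visible From claims microsoft.com, the receiving MX recorded
# SPF/DMARC failures, and the sending host is 203.0.113.45 (documentation range, not real).
SAMPLE_EML = """Received: from mail.example.net (mail.example.net [203.0.113.45])
\tby mx.example.org with ESMTP id abc123; Mon, 01 Jan 2024 10:00:00 +0000
Authentication-Results: mx.example.org;
\tspf=fail smtp.mailfrom=bulk.example.net;
\tdkim=none;
\tdmarc=fail header.from=microsoft.com
From: "Microsoft Support" <support@microsoft.com>
Subject: Your account will be suspended
"""

def headers(msg, name):
    """All values of header `name` with RFC 5322 folding whitespace collapsed."""
    return [" ".join(v.split()) for v in msg.get_all(name, [])]

def auth_results(msg):
    """spf/dkim/dmarc -> (result, domain it applies to), parsed from Authentication-Results."""
    out = {}
    text = " ".join(headers(msg, "Authentication-Results"))
    for method, result, rest in re.findall(r"\b(spf|dkim|dmarc)=(\w+)([^;]*)", text, re.I):
        dom = re.search(r"(?:smtp\.mailfrom|header\.d|header\.from)=(?:[^@\s]+@)?([\w.-]+)", rest)
        out[method.lower()] = (result.lower(), dom.group(1).lower() if dom else None)
    return out

def reverse_name(ip):
    """in-addr.arpa name for a reverse (PTR) lookup: IPv4 octets reversed plus the suffix."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def triage(raw_eml):
    """Sender domain, authentication verdicts, likely origin IP and a phishing flag for one .eml."""
    msg = email.message_from_string(raw_eml)
    from_dom = email.utils.parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    auth = auth_results(msg)
    # Received: IPs, top (your MX) to bottom (nearest origin); only hops written by servers you
    # trust are reliable, the lower lines can be forged by the sender.
    hops = [ip for line in headers(msg, "Received")
            for ip in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)]
    origin = hops[-1] if hops else None
    def aligned(d):  # relaxed DMARC alignment: the From domain itself or a subdomain of it
        return bool(d) and (d == from_dom or d.endswith("." + from_dom))
    def passes(method):
        result, dom = auth.get(method, ("none", None))
        return result == "pass" and (method == "dmarc" or aligned(dom))
    return {"from_domain": from_dom, "auth": auth, "origin_ip": origin,
            "reverse_name": reverse_name(origin) if origin else None,
            "suspicious": not any(passes(m) for m in ("spf", "dkim", "dmarc"))}
```

Run `triage(open("suspect.eml").read())` on a downloaded message; for the constructed sample it reports every check failing and an origin IP of 203.0.113.45 to take to WhoIs.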
Step 4: Report the Sender
If it is a reputable ISP, they will list an abuse contact email, usually labelled something like "OrgAbuseEmail", alongside the other WhoIs information found in the last step. You can email the full email or its headers to that abuse contact address.
You can also forward the phishing email to reportphishing@antiphishing.org and spam@uce.gov, two government-backed organizations tasked with providing a safer internet.
Report the URL of any links included in the phishing email to Google's Safe Browsing database: https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en
This adds it to a list used by many anti-virus and anti-malware applications and by Chrome.
Find out whether the IP is already listed as abusive. Look up the hostname of the IP:
https://whatismyipaddress.com/ip-hostname
If there is no hostname, you can use the reverse-DNS name instead: the IP's octets in reverse order followed by .in-addr.arpa.
Look up the domain/hostname on abuse.net: https://www.abuse.net/lookup.phtml
If it is not listed, add it: https://www.abuse.net/addnew.phtml
Abuse IP DB is used by mail servers to provide blocklists. You can report to them as well: https://www.abuseipdb.com/
Report the email to Spam.org: https://www.spam.org/report