For nearly 20 years, I was the guy people asked if an e-mail message they got was real. And if they were interested, I’d show them how I figured out if it was real. To do that, you have to look at the headers. Here’s how to view headers in Gmail.
Gmail doesn’t have an option called View Headers; it’s called Show Original. Choosing this obscure option lets you view the headers and investigate a message.
The trick Kevin Mitnick doesn’t tell you
Kevin Mitnick tells you not to click on stuff in strange messages in your annual security awareness training. But he doesn’t tell you how to investigate a suspicious message you receive. I think he should. Yes, it means recording a video for whatever e-mail system you use, but how many of them are there? Five? If you count Lotus Notes?
Some of my coworkers and I are sick of getting fake Kevin Mitnick phishing messages at work. We never had this problem at previous employers that used more traditional mail systems. So here’s how to view headers in Gmail so Kevin Mitnick doesn’t get you. Or me. At least if your company uses Mitnick’s company and also uses Gmail.
Open the message in question, then click on the three vertical dots in the upper right to bring up the menu. One of the options is named Show Original. It’s weird, but Outlook calls it something weird too. Maybe Google wants to be cool like Microsoft?
Your message will open in a new tab with lots of boring text in a big font. Scroll down. You’ll see a bunch of text in a small, fixed-width Courier font. Scroll down to the lines beginning with Received: and you can see who sent it. There will be other lines you can use to verify authenticity as well.
Investigating suspicious messages
I understand what the people who send fake phishing messages are trying to do, but I don’t necessarily agree with their methods. Back when I was involved in security awareness programs, I found education was more effective than entrapment followed by shaming. Give people the tools they need, and they usually use them.
The best way to investigate suspicious messages is to look at the mail domains in the headers. If you see mismatched domains, especially a third domain separate from the sending and receiving domains, be suspicious. For example, if I work at ford.com and you work at gm.com and I e-mail you, you should see those two domains in the headers at the beginning and the end, and maybe something like mimecast.com in the middle, if your company uses Mimecast. You shouldn’t expect to see Hotmail or Yahoo at the beginning or end, and you certainly shouldn’t expect to see a throwaway domain made up of random characters. You also shouldn’t see a slight misspelling like f0rd.com, with a zero in place of the oh.
Check the return paths and receiveds
Concentrate on the lines in it that start with phrases like Received: and Return-Path:. For a legitimate message, I would expect to see an e-mail address matching the sender in a line beginning with Return-Path:, and I would expect the last line beginning with Received: to contain the address of a server at the same domain as the person who sent it. If I don’t, that’s a red flag. That’s a sign someone’s spoofing.
You will probably see Received: addresses in between the originating one and yours. This is common, and not a cause for alarm.
You can take a look at the other lines in the header as well. Deep-diving into what all of them mean would probably require something book-length, but it’s certainly possible to find other clues in there too. You won’t be able to read all of it. Concentrate on the parts you can.
It helps to look at legitimate messages to get an idea what correct looks like. Then, when you have a sense of normal, it gets easier to spot tomfoolery in the headers.
If all this checks out, and the message is asking you to do something that seems off, ask questions. I’ve come to mistrust e-mail enough that I have a lot of side-channel conversations, whether that’s over Slack, text message, Zoom, or even an old-fashioned phone call.
There’s a formula that legitimate mail tends to follow, and that’s why products like Mimecast exist. It’s easier for a computer to spot abnormalities and filter out as many of them as it can for you. Those products aren’t perfect but they do filter a ton of fake messages.
How to identify KnowBe4 messages from headers in Gmail
If you don’t want Kevin Mitnick to catch you, look for the word KNOWBE4 in the header. If you see knowbe4.com in the headers like the screen capture above, it’s one of those fake phishing e-mails.
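The domain checks from the sections above (Return-Path versus the From address, the last Received: hop versus the sender’s domain, lookalike spellings such as f0rd.com, and the knowbe4.com tell-tale) are mechanical enough to script. Here is an added example, written for this post rather than taken from Gmail or KnowBe4, that runs those checks over the raw text you get from Show Original. The three sample messages, their hostnames, IP addresses and the random-looking bounce domain are all constructed for the example; the last-two-labels domain trimming and the digit-for-letter confusables table are simplifying assumptions, not a full public-suffix or homoglyph check.

```python
import re
from email import message_from_string
from email.policy import default as default_policy
from email.utils import parseaddr

# Constructed "Show Original" text for a normal message: ford.com -> Mimecast -> gm.com.
LEGIT_RAW = """\
Return-Path: <alice@ford.com>
Received: from us-smtp-1.mimecast.com (us-smtp-1.mimecast.com [192.0.2.20])
        by mx.gm.com with ESMTPS id def456; Mon, 01 Jan 2024 10:00:01 +0000
Received: from mail.ford.com (mail.ford.com [192.0.2.30])
        by us-smtp-1.mimecast.com with ESMTPS id ghi789; Mon, 01 Jan 2024 10:00:00 +0000
From: Alice <alice@ford.com>
To: Bob <bob@gm.com>
Subject: Q3 numbers

Attached.
"""

# Constructed spoof: From claims ford.com, but the bounce address and first hop do not match.
SPOOF_RAW = """\
Return-Path: <bounce@xk9q2v.net>
Received: from mx.gm.com (mx.gm.com [192.0.2.10])
        by mail.gm.com with ESMTP id abc123; Mon, 01 Jan 2024 10:00:02 +0000
Received: from mail.f0rd.com (mail.f0rd.com [198.51.100.7])
        by mx.gm.com with ESMTPS id jkl012; Mon, 01 Jan 2024 10:00:01 +0000
From: Alice <alice@ford.com>
To: Bob <bob@gm.com>
Subject: Urgent wire transfer

Please handle today.
"""

# Constructed simulated-phish message carrying the knowbe4.com domain in its headers.
KNOWBE4_RAW = """\
Return-Path: <bounce@psm.knowbe4.com>
Received: from psm.knowbe4.com (psm.knowbe4.com [203.0.113.5])
        by mx.gm.com with ESMTPS id mno345; Mon, 01 Jan 2024 10:00:01 +0000
From: IT Helpdesk <helpdesk@ford.com>
To: Bob <bob@gm.com>
Subject: Password expiry notice

Click to renew.
"""

RECEIVED_FROM = re.compile(r"^from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
# Assumed confusables: undo the common digit-for-letter swaps (f0rd -> ford).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def domain_of(addr) -> str:
    """Lower-cased domain part of an address such as 'Alice <alice@ford.com>'."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()


def registrable(host: str) -> str:
    """Crude organisational domain: the last two labels (mail.ford.com -> ford.com)."""
    return ".".join(host.split(".")[-2:])


def received_hosts(msg) -> list:
    """Host named after 'from' in each Received: line, newest hop first as Gmail shows them."""
    hosts = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_FROM.match(" ".join(str(value).split()))  # unfold continuation lines
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def looks_like(domain: str, expected: str) -> bool:
    """True when domain differs from expected only by confusable characters."""
    return domain != expected and domain.translate(CONFUSABLES) == expected


def analyze(raw: str) -> dict:
    """Apply the header checks described in the post and return the findings."""
    msg = message_from_string(raw, policy=default_policy)
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg.get("Return-Path", ""))
    hops = received_hosts(msg)
    origin = hops[-1] if hops else ""      # last Received: line = the sender's own server
    origin_dom = registrable(origin)
    findings = []
    if "knowbe4.com" in raw.lower():
        findings.append("knowbe4.com in headers: simulated phish")
    if rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")
    if origin_dom != from_dom:
        findings.append(f"first hop {origin} is not at {from_dom}")
    if looks_like(origin_dom, from_dom):
        findings.append(f"{origin_dom} is a lookalike of {from_dom}")
    return {"from": from_dom, "return_path": rp_dom, "hops": hops, "findings": findings}


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_RAW), ("spoof", SPOOF_RAW), ("knowbe4", KNOWBE4_RAW)):
        print(name, analyze(raw)["findings"] or ["no red flags"])
```

The legitimate sample produces no findings: Return-Path, From and the earliest Received: hop all sit at ford.com, and the mimecast.com hop in the middle is ignored, exactly as the post says it should be. The spoof trips all three red flags, and the simulated phish is caught by the knowbe4.com domain before anything else is examined.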
Report it or throw it away. And maybe tell your coworkers. Being the first to spot the phake phish can be a fun game.