What Can You Do to Investigate a Suspicious Email Explained

Published By Mohit
Approved By Anuraag Singh
Published On September 11th, 2024
Reading Time 7 Minutes
Category Forensics

Email remains the primary channel for most official workplace communication. However, some of the messages that land in your inbox are sent with nefarious intent, which raises the question: what do you do to investigate a suspicious email? The options are many, from a reverse lookup of the sender's address to a close reading of the content.

The simplest option is to ignore the message and move it to the junk or trash folder, from where it is removed once the retention period expires. But that only works when you are already certain that the mail is suspicious.

Regardless of your experience, detecting spam, scams, or unsolicited mail is not easy, especially for someone who is not well-versed in tech. However, it becomes simpler with the right guidance and a decent set of tools.

So in this tutorial we walk you through the entire process of investigating a suspicious email.

Why is Suspicious Email Investigation Important?

Scanning the mailbox for scams and spam helps to prevent online fraud, identity theft, and hacking.

It helps investigators understand what strategy the nefarious entities employ. Moreover, a series of suspicious emails received in bulk could be a part of a much larger conspiracy, like a state-sponsored cyber attack requiring advanced phishing email forensics techniques.

Now it’s time that we make you aware of what causes an email to fall under suspicion.

What are the Key Components of a Suspicious Email?

Suspicious emails aim to push users into responding emotionally rather than reading the message logically. As a result, these messages rely on social engineering tactics, which can take the form of:

Urgent requests or threats: Messages with bold text, ALL CAPS, or symbols like ( ! ), combined with a deadline, are suspicious enough to trigger an investigation.

Grammatical errors or typos: Scammers may not speak English as their first language, or may come from a country that uses an alternative spelling of common words (colour in the UK compared to color in the US).

Suspicious links or attachments: A common factor in many email-based crimes is the theft of personal information, done by hiding links inside the email message.

Unusual email addresses or domains: Oddities in the sender's address are a strong indication that a message is not genuine. Note that typos in email metadata can be a deliberate attempt to impersonate an official address (amaz0n instead of amazon).

Requests for personal information: Asking for phone numbers, social media accounts, or other private data or mail is also highly suspicious behavior.

We have listed a few points to verify whether your gut instinct about a suspicious mail is correct. This will also help you train against any malicious email you encounter at work or otherwise.

Next we cover the series of steps you need to take to rule an incoming email in or out of your suspicion list, starting with the main actor: the sender.

How does Sender ID Verification help to Investigate a Suspicious Email?

Even an email from a person on your pre-verified sender list cannot be ruled 100% free of suspicion, because there is a very real possibility that a hijacked account is being used to fool the recipients.

Moreover, if a hacker has broken into the sender's email account, they most likely have the ability to respond on the sender's behalf. Also, when you respond to a fake mail, the nefarious entities mark you as active and focus their efforts on filling your inbox with useless clutter. That is why we cannot use direct email replies as a verification strategy.

Even if you think a mail may be genuine but are still not 100% sure, use an alternative means of communication such as social media or a voice call to verify the details. If the mail is from a colleague, request a face-to-face meeting.

Use details from a basic in-person conversation you had with them previously. Make sure no reference to it is present online, especially in the mailbox.

Wait for them to respond and verify. This is akin to a security question and is bound to catch the perpetrator off guard.

Although not conclusive proof, this still gives you a very real chance of conducting a preliminary investigation by checking whether the sender's mail account is compromised.

Analyse Email Content to Assign a Suspicion Score

Gmail, Outlook, Yahoo, and all other major and minor email service providers regularly update their spam policies, so most novice spammers get filtered out before they even reach your inbox.
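As an added example (written for this page, not MailXaminer's scoring logic and not code from the original article), the following Python scorer applies the indicators from the "Key Components" list above (urgent wording, shouting, links whose visible text points at a different host than the href, lookalike sender domains such as amaz0n, requests for personal data) plus a From/Return-Path domain mismatch to a constructed message and maps the total onto the green/yellow/red bands the article uses. The point weights, the thresholds and the brand list are assumptions, and the sample message is constructed, not a real phish.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed sample (not a real phish): every indicator the article lists is present.
SAMPLE_EML = """\
From: "Amazon Support" <billing@amaz0n-secure.example>
Return-Path: <bounce@mailer.example>
Subject: URGENT!!! Your account will be CLOSED within 24 hours
Content-Type: text/html

<p>Dear customer, confirm your password and phone number <b>NOW</b>:
<a href="http://login.amaz0n-secure.example/verify">https://www.amazon.com/account</a></p>
"""
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours|deadline|suspended|closed)\b", re.I)
PERSONAL = re.compile(r"\b(password|phone number|credit card|bank account|passport)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
BRANDS = ("amazon", "paypal", "microsoft")  # assumed brand list for the lookalike check

def is_lookalike(domain):
    """True if the first label imitates a brand: digit swaps (amaz0n) or padding (amazon-secure)."""
    label = domain.split(".")[0].lower()
    plain = label.replace("0", "o").replace("1", "l")
    return any(b in plain and label != b for b in BRANDS)

def score_message(raw):
    """Return (score, colour, findings) for one raw message; weights and thresholds are assumed."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    subject = str(msg["Subject"] or "")
    sender_domain = (msg["From"].addresses[0].addr_spec if msg["From"] else "@").rsplit("@", 1)[-1]
    return_path = re.search(r"@([\w.-]+)", str(msg["Return-Path"] or ""))
    text, findings = subject + "\n" + body, []
    if URGENCY.search(text):
        findings.append(("urgent wording or deadline", 2))
    if re.search(r"\b[A-Z]{4,}\b", text) or "!!" in text:
        findings.append(("shouting: ALL CAPS or repeated '!'", 1))
    for href, visible in ANCHOR.findall(body):
        shown = urlparse(visible.strip()).hostname  # None unless the link text is itself a URL
        if shown and shown != urlparse(href).hostname:
            findings.append(("link text points at a different host than href", 3))
    if is_lookalike(sender_domain):
        findings.append(("sender domain imitates a known brand", 3))
    if return_path and return_path.group(1).lower() != sender_domain.lower():
        findings.append(("From domain differs from Return-Path domain", 1))
    if PERSONAL.search(body):
        findings.append(("asks for personal information", 2))
    score = sum(w for _, w in findings)
    return score, ("red" if score >= 6 else "yellow" if score >= 3 else "green"), findings
```

Run `score_message(SAMPLE_EML)` to get the total, the colour band and the list of triggered indicators; a plain internal mail with no links, no urgency and matching From/Return-Path domains scores 0 and lands in green.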

Investigate a Suspicious Email Professionally

With the help of MailXaminer, any investigative scenario can be completed in no time. This email forensics tool is the first choice of digital detectives for analyzing all email-related data. It contains a smart IP identification feature that can assign a suspicion score to an email under investigation.

Any email that is being investigated with this tool is categorized into one of three color-coded groups. Green is for mail under the normal category, yellow is for the ones under suspicion, and red is for every mail that has been positively identified as malicious.

This ability to classify emails is just a small slice of the feature's full utility: it can also produce a detailed word cloud and create a link map of all email senders and receivers, including the number of conversations exchanged between any two points.

So use the following set of steps to set up the tool and investigate suspicious mail.

Procedure to Classify Emails as Suspicious with a Tool

Step 1. Download, install, open and activate the utility.

Step 2. Create a New Case > Add New Evidence

Step 3. Select the Email source where you got the potentially suspicious email evidence.

Step 4. Mark the Malicious IP option and Continue with the On-screen Instructions.

Step 5. Once the evidence arrives inside the tool, visit the Search tab and Toggle List.

Step 6. There you can check whether or not an email belongs to the suspicious category.

Step 7. Perform other analyses and export the Results in any one of the available formats.

Steps to Take After an Investigation Proves Email as Suspicious

Once the confirmation is made that the email is a scam then you need to lodge a formal complaint.

For safety, put the original message in the archive folder so you don't accidentally respond to it. Mark the sender as spam and your email client should.

Document all the data as this helps to deconstruct the modus operandi of a scammer/spammer.

Arrange the details in a report format and send it to the email service provider and the cyber crime department. If the suspicious mail arrives in your work mailbox, the course of action will be taken by your company's IT team, so inform them about the incident ASAP.

Detectives investigating email material deemed suspicious need to document it in a format that is acceptable in a court of law.

Conclusion

In this write-up we laid down guidelines on what you can do to investigate a suspicious email in your mailbox. From reverse sender search to content analysis, we gave instructions on the manual techniques available for easy identification of emails that smell fishy. Moreover, investigators can automate this classification of email evidence using the built-in feature of the utility described earlier.

By Mohit

Mohit, a renowned digital and cyber forensics expert, specializes in extracting, analyzing, and preserving digital evidence. He helps organizations protect their sensitive data from cyber threats by uncovering hidden clues and providing actionable insights. Mohit's commitment to staying updated with the latest industry trends ensures he delivers valuable articles on safeguarding organizations from emerging cyber risks.