How to Spot a Spoof

What Is Email Spoofing?

Email spoofing is sending emails from a forged or misleading sender address. Spoofed emails attempt to trick you into doing something the spoofer wants (sending them money, providing personal information, downloading malware, and so on) by pretending to be from someone you know and trust.

Be alert to clues that indicate an email might be spoofed or forged.

Look Carefully at the Sender Address

  • Is it a umich.edu address? Email about U-M business should come from a U-M email account (ending in @umich.edu, @med.umich.edu, or @umflint.edu).
  • Does the address match the display name? Forgers can sign up for a free account (Gmail, Yahoo Mail, and so on), create an email address similar to someone else's name, and set the display name to anything they want. You might see a forged email where the sender's name is the name of your unit's dean, but the actual sending email address is clearly not the dean's address.
  • Has the apparent sender used this address before? Ask yourself whether this is the sending address you normally see on emails from that particular person.
  • Is the name spelled correctly? The sender name might look familiar at first glance, but when you look closer you may see that one or two letters are out of place, or a number has been used in place of a letter (for example, the number 5 instead of the letter S).
  • Compare the From address to the Reply-To address. In Gmail, click the triangle next to the sender name to see address details. Be suspicious if the From address is clearly a U-M address, but the Reply-To address is not.

Is the Content Suspicious?

  • Phish and scam emails seen at U-M. Check out fraudulent email reported by others at U-M to see if the email you received is making the rounds.
  • Scams seen at U-M. Check out some common scams as well as scams and fraud reported at U-M to get a sense of what to watch out for.
  • About phishing. Get some general information about phishing and suspicious email.

A Deeper Check—DKIM

You can check the DKIM (DomainKeys Identified Mail) information to verify whether an email that claims to be sent from the university really is.

To do that, you'll need to see the full headers, or original, of the message. Instructions for that vary depending on the email client you are using.

Look for the DKIM line. If the message is from U-M, it will say 'PASS' with domain umich.edu.
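
The From, Reply-To, and DKIM checks described above can also be run against the full headers with a short script. This is an added example, not U-M's own tooling: the sample message, the example.net and mail-example.test hosts, and the function names are constructed for illustration. It assumes the receiving mail server recorded its DKIM verdict in an Authentication-Results header, which is where "dkim=pass" appears in the raw message.

```python
import re
from email import message_from_string
from email.utils import parseaddr

UM_DOMAINS = ("umich.edu", "med.umich.edu", "umflint.edu")  # endings named on the page

# Constructed sample: From looks like U-M, but Reply-To and the DKIM domain do not.
SAMPLE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@mail-example.test header.s=s1 header.b=AbCd1234
From: "Dean Example" <dean.example@umich.edu>
Reply-To: dean.example.office@mail-example.test
Subject: Quick favor

Are you available?
"""

def domain_of(header_value):
    """Lowercase domain of the address in a From/Reply-To value, or ''."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def dkim_pass_domains(msg):
    """Signing domains marked dkim=pass in the topmost Authentication-Results."""
    top = msg.get("Authentication-Results", "")
    domains = []
    for result in re.finditer(r"dkim=pass\b([^;]*)", top, re.I):
        m = re.search(r"header\.(?:d=|i=[^@\s;]*@)([\w.-]+)", result.group(1))
        if m:
            domains.append(m.group(1).lower())
    return domains

def spoof_clues(raw):
    """Return the page's header clues that apply to a raw message."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    from_um = from_dom in UM_DOMAINS
    clues = []
    if not from_um:
        clues.append("From address is not a U-M address")
    if from_um and reply_dom and reply_dom not in UM_DOMAINS:
        clues.append("From is U-M but Reply-To is not")
    if from_um and not any(d in UM_DOMAINS for d in dkim_pass_domains(msg)):
        clues.append("From is U-M but no DKIM pass for a U-M domain")
    return clues

if __name__ == "__main__":
    for clue in spoof_clues(SAMPLE):
        print("clue:", clue)
```

Only the topmost Authentication-Results header, the one added by your own mail provider, should be trusted; a sender can include a forged copy further down in the headers.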