What Is Email Spoofing?
Email spoofing is sending emails from a forged or misleading sender address. Spoofed emails attempt to trick you into doing something the spoofer wants (sending them money, providing personal information, downloading malware, and so on) by pretending to be from someone you know and trust.
Be alert to clues that indicate an email might be spoofed or forged.
Look Carefully at the Sender Address
- Is it a umich.edu address? Email about U-M business should come from a U-M email account—one that ends in @umich.edu, @med.umich.edu, or @umflint.edu. Scammers sometimes embed umich.edu into the middle of the address to try to trick you, so look carefully.
- Does the address match the display name? Forgers can sign up for a free account (GMail, Yahoo Mail, and so on), create an email address similar to someone else's name, and set the display name to anything they want. You might see a forged email where the sender's name is the name of your unit's dean, but the actual sending email address is clearly not the dean's address.
- Has the apparent sender used this address before? Ask yourself whether this is the sending address you normally see on emails from that particular person.
- Is the name spelled correctly? The sender name might look familiar at first glance, but when you look closer you may see that one or two letters are out of place, or a number has been used in place of a letter (for example, the number 5 instead of the letter S).
- Compare the From address to the Reply-To address. In GMail, click the triangle below the sender name to see address details. Be suspicious if the From address is clearly a U-M address, but the Reply-To address is not.
A Deeper Check—DKIM
To do that, you'll need to see the full headers, or original, of the message. Instructions for that vary depending on the email client you are using:
- In GMail, click the More icon (three dots arranged in a vertical line) in the upper right corner of the message window, and choose Show original from the pop-up list.
- For instructions more instructions on reporting with GMail and other email clients, see Report Phishing & Email Abuse.
Look for the DKIM line. If the message is from U-M, it will say 'PASS’ with domain umich.edu.