How to Investigate Phishing Emails: Complete Guide

Introduction

Phishing is the single most reported cybercrime category in the United States, and the volume keeps climbing. According to the FBI's 2024 Internet Crime Report, phishing and spoofing generated 193,407 complaints in the US alone. Globally, APWG tracked 3.76 million phishing attacks in 2024 — roughly 10,000 per day.

Most organizations treat a suspicious email as a one-click problem: report it, delete it, move on. That response leaves the real questions unanswered: who sent it, how it cleared your filters, whether authentication was faked, and whether anyone already clicked a link or opened an attachment.

This guide walks through a complete phishing email investigation: the step-by-step process, what you need before you start, the indicators that separate low-risk phishing from active incidents, and when the situation calls for professional forensic expertise.


TL;DR

  • Preserve first — clicking, forwarding, or deleting before investigation destroys evidence and can trigger further compromise
  • Email headers are the forensic core — SPF, DKIM, and DMARC failures plus routing anomalies in the Received chain reveal spoofing
  • Scope determines response severity — map who received it, who clicked, and what happened afterward before assigning a threat level
  • BEC attacks carry disproportionate risk — FBI data shows BEC generates 40x more financial loss per complaint than generic phishing
  • Bring in professional investigators for targeted attacks, suspected compromise, or any matter heading toward litigation

How to Investigate a Phishing Email: Step-by-Step

Step 1: Preserve and Isolate the Email

Before anything else: do not click links, open attachments, reply, or forward the email. Each of these actions carries real consequences:

  • Credential theft or drive-by malware downloads result from clicking links
  • Malicious code execution on your primary machine can follow from opening attachments
  • Forwarding or replying confirms your address is active and exposes metadata to the attacker
  • Deleting the email destroys forensic evidence permanently

Move the email to a dedicated investigation folder, or export it as a raw .eml (Gmail, Apple Mail) or .msg (Outlook) file. Screenshots are not sufficient because they strip the header metadata that makes forensic analysis possible.

Step 2: Extract and Analyze Email Headers

Email headers contain the routing history, authentication results, and originating IP data that reveal whether a message is legitimate. Access raw headers through:

  • Gmail: Three-dot menu → Show original
  • Outlook: File → Properties → Internet headers
  • Apple Mail: View → Message → All Headers

Paste the raw output into a header analyzer such as MxToolbox's Email Header Analyzer or Microsoft's Azure tool to parse the data into a readable format.

What to examine:

Header Field                     What to Look For
From vs. Return-Path             Discrepancies indicate spoofing
Received chain (bottom to top)   Unusual routing, unexpected relay servers
Originating IP                   Check against geo-location and reputation databases
SPF result                       FAIL or SOFTFAIL = sender not authorized by domain
DKIM result                      FAIL = message signature broken or absent
DMARC result                     FAIL = neither SPF nor DKIM aligned with the From domain


CISA notes that SPF and DKIM allow a sending domain to "watermark" emails, making unauthorized messages easier to detect. A simultaneous failure across all three authentication checks is a strong spoofing signal — though DMARC won't catch cousin-domain or display-name attacks. Treat header analysis as one layer of the investigation, not the complete picture.
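As an added example (not part of the original guide), the following Python script performs the header checks above on a constructed raw message: it reads the SPF, DKIM and DMARC verdicts from Authentication-Results, walks the Received chain starting at the originating hop, and compares the From domain with the Return-Path domain. The headers, hostnames and addresses in RAW_EMAIL are constructed, not a real capture.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample (not a real capture): the visible From domain is a bank,
# the envelope sender is a bulk relay, and SPF, DKIM and DMARC all fail.
RAW_EMAIL = """\
Return-Path: <bounce@bulk-relay.example.net>
Received: from mx.corp.example (mx.corp.example [192.0.2.10])
 by mail.corp.example with ESMTPS; Mon, 3 Mar 2025 09:12:01 +0000
Received: from bulk-relay.example.net (unknown [198.51.100.77])
 by mx.corp.example with ESMTP; Mon, 3 Mar 2025 09:12:00 +0000
Authentication-Results: mx.corp.example;
 spf=fail smtp.mailfrom=bulk-relay.example.net;
 dkim=none;
 dmarc=fail (p=REJECT) header.from=bank.example
From: "Bank Support" <alerts@bank.example>
"""

def auth_results(msg):
    """spf/dkim/dmarc verdicts from Authentication-Results ("missing" when no verdict was recorded)."""
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(msg.get("Authentication-Results", "")), re.I)
    found = {k.lower(): v.lower() for k, v in pairs}
    return {k: found.get(k, "missing") for k in ("spf", "dkim", "dmarc")}

def received_chain(msg):
    """Each hop prepends its own Received header, so reversing lists the originating relay first."""
    return [str(h) for h in reversed(msg.get_all("Received", []))]

def originating_ip(msg):
    # IPv4 literal in brackets on the earliest hop (the bottom-most Received header)
    chain = received_chain(msg)
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", chain[0]) if chain else None
    return m.group(1) if m else None

def domain_of(header_value):
    # domain part of the first address found in a header value
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()

def triage(raw):
    msg = message_from_string(raw, policy=default)
    auth = auth_results(msg)
    from_dom, rp_dom = domain_of(msg.get("From", "")), domain_of(msg.get("Return-Path", ""))
    findings = []
    if from_dom != rp_dom:
        findings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")
    if all(v in ("fail", "softfail", "none", "missing") for v in auth.values()):
        findings.append("SPF, DKIM and DMARC all failed: strong spoofing signal")
    return {"auth": auth, "origin_ip": originating_ip(msg), "hops": received_chain(msg), "findings": findings}
```

The origin IP it returns is the value to run through the geo-location and reputation checks listed in the table; a cousin domain with valid SPF and DKIM would pass this script cleanly, which is why the content checks in Step 4 still apply.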

Step 3: Inspect URLs and Analyze Attachments Safely

Proofpoint's 2025 Human Factor report found that URLs appear 4x more often than attachments in malicious emails, which makes URL inspection the higher priority in most cases.

For URLs:

  • Hover over links to reveal the true destination before clicking anything
  • Decode shortened URLs using an expander tool
  • Submit suspicious URLs to VirusTotal or URLVoid for reputation analysis against multiple blocklists — never click directly

For attachments:

  • Never open on a primary or production machine
  • Use a sandboxed virtual machine or an online sandbox service
  • Observe behaviors: outbound network connections, new process creation, file encryption, or registry changes — all indicate active malicious behavior
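An added example, not from the original guide: a Python check that does programmatically what hovering does by hand. It collects every link in a constructed HTML body, flags links whose visible text names one domain while the href points to another, and marks links that go through a URL shortener so they are expanded before assessment. The shortener list and the last-two-labels domain comparison are simplifying assumptions; the sample HTML and hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body (not a real capture): the first link's visible text
# names the bank but the href goes elsewhere; the second uses a shortener.
SAMPLE_HTML = """
<p>Please <a href="https://login.bank.example.acct-verify.test/verify">https://login.bank.example/verify</a>
to restore access, or see <a href="https://bit.ly/3abcXYZ">our help center</a>.</p>
"""

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}  # assumed starter list, extend as needed

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    # Assumption: last two labels approximate the registrable domain (no public-suffix list used)
    return ".".join(host.lower().split(".")[-2:]) if host else ""

def inspect_links(html):
    """Return one record per link with the true host and any red flags."""
    parser = LinkCollector()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        host, flags = urlparse(href).hostname or "", []
        text_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if text_host and registrable(text_host) != registrable(host):
            flags.append(f"display text says {text_host} but link goes to {host}")
        if host.lower() in SHORTENERS:
            flags.append("shortened URL: expand before assessing")
        report.append({"href": href, "text": text, "host": host, "flags": flags})
    return report
```

The hosts it reports are the values to submit to a reputation service; the script itself never fetches anything.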

Step 4: Evaluate Email Content for Social Engineering Indicators

Content analysis identifies intent, not authenticity. Look for:

  • Urgency or threat language — "Your account will be suspended in 24 hours"
  • Authority impersonation — fake executives, IT departments, or trusted vendors
  • Generic salutations — "Dear Customer" rather than your name
  • Mismatched requests — a CFO asking for gift cards via email
  • Grammar and spelling anomalies (note: sophisticated attacks, especially BEC, often have none)

Context matters as much as content. Beyond the text itself, consider:

  • Would this person normally communicate this way?
  • Does the request align with their actual role?
  • Is the timing suspicious (a wire transfer request on a Friday afternoon, for example)?

Step 5: Determine Blast Radius, Document Findings, and Report

Start by assessing scope. Search mail flow logs or use compliance search tools (Microsoft Purview, Google Vault) to identify other recipients. Check delivery logs, network/proxy records, and EDR telemetry to determine whether anyone clicked.

Document everything in a structured format:

  • Email origin and routing path
  • Authentication results (SPF/DKIM/DMARC)
  • Identified indicators of compromise (IOCs): URLs, IPs, domains, file hashes
  • Affected users and evidence of interaction
  • Recommended remediation actions

Report externally where appropriate, for example to CISA (phishing-report@us-cert.gov) or APWG (reportphishing@apwg.org), or, for complex cases involving fraud or a breach, to law enforcement such as the FBI's IC3.


What You Need Before Starting a Phishing Email Investigation

Get your tools, access, and documentation in order before touching anything — especially if the case may lead to legal action or regulatory reporting. Missing prerequisites discovered mid-investigation can compromise evidence integrity.

Tools and Access Requirements

  • Header analysis tool: MxToolbox, Azure Email Header Analyzer
  • URL reputation checker: VirusTotal, URLVoid
  • Sandbox environment: For safe attachment execution and behavioral analysis
  • Mail flow log access: Email security gateway, Microsoft Purview, or Google Vault
  • Threat intelligence feeds: For IP and domain reputation correlation


Permissions and Environment Readiness

Investigators need access to:

  • Audit logs and email delivery records
  • In Microsoft 365 environments, mailbox auditing must be enabled in advance — if it wasn't turned on before the incident, forensic log data may be unavailable
  • EDR and SIEM platforms for endpoint and network telemetry

Safety and Compliance Checks

All live URL and attachment analysis must happen in isolated environments, never on production systems. Running analysis directly on a production machine risks active compromise.

If the investigation may support legal proceedings, establish chain-of-custody documentation from step one. NIST SP 800-86 requires a complete log of every person with access to evidence and all actions performed on it.

Key compliance checkpoints before proceeding:

  • Confirm sandbox or isolated VM is ready and network-isolated
  • Document who has custody of the original email artifact
  • Verify audit logging is active on all relevant platforms

Key Indicators That Determine Phishing Severity and Scope

Not all phishing emails carry the same risk. These five indicators help triage severity and determine response speed.

Authentication Failure Signals

A single SPF, DKIM, or DMARC failure can indicate a configuration issue. All three failing simultaneously strongly suggests spoofed or malicious sender infrastructure — meaning the message bypassed or defeated email security controls entirely.

Payload Presence and Type

Passive phishing collects information through credential harvesting pages. Active payload delivery is a different threat level — executables, macro-enabled documents, or PDFs with embedded scripts can install malware, establish persistence, or encrypt files. Payload type determines how quickly containment becomes urgent.

Distribution Scope

A single targeted message — spear phishing — suggests a researched, deliberate attack against a specific individual or role. Mass distribution indicates a campaign.

The FBI's 2024 data illustrates the risk gap: 21,442 BEC complaints generated $2.77 billion in losses, while 193,407 phishing/spoofing complaints generated $70 million — targeted attacks cause roughly 40x more financial damage per incident.


Evidence of User Interaction

Confirming whether anyone clicked a link or opened an attachment changes the investigation from threat assessment to active incident response. Network logs, proxy records, and EDR telemetry establish this. Every hour without scope clarity allows potential compromise to expand.

Post-Delivery Account Compromise Indicators

These signal that the phishing attack succeeded:

  • New inbox forwarding rules appearing after the email arrived
  • Login activity from unusual geographic locations or odd hours
  • Unauthorized password changes
  • Unexpected access to sensitive files or SharePoint
  • Internal phishing messages sent from a compromised account

Microsoft's 2025 Digital Defense Report identifies inbox-rule manipulation, unauthorized SharePoint access, and email-thread hijacking as common post-BEC-compromise tactics. When these indicators surface, containment and evidence preservation take priority over continued assessment.
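An added example, not part of the original guide, showing how the post-delivery indicators above can be correlated with the time the phishing email was delivered. The audit records are constructed and only loosely modelled on Microsoft 365 audit log events; the exact field layout, the home-country set and the 48-hour window are assumptions to adapt to your own telemetry.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit records (not real logs), loosely modelled on
# Microsoft 365 unified audit log events; the field layout is an assumption.
PHISH_DELIVERED = {"finance@corp.example": datetime(2025, 3, 3, 9, 12)}  # from the Step 5 scoping search
AUDIT_LOG = [
    '{"CreationTime":"2025-03-03T09:40:00","UserId":"finance@corp.example","Operation":"UserLoggedIn","ClientIP":"203.0.113.9","Country":"NL"}',
    '{"CreationTime":"2025-03-03T09:45:00","UserId":"finance@corp.example","Operation":"New-InboxRule","Parameters":{"Name":".","ForwardTo":"archive@mail-host.test","DeleteMessage":true}}',
    '{"CreationTime":"2025-03-03T11:00:00","UserId":"hr@corp.example","Operation":"New-InboxRule","Parameters":{"Name":"Newsletters","MoveToFolder":"News"}}',
    '{"CreationTime":"2025-03-03T08:00:00","UserId":"finance@corp.example","Operation":"UserLoggedIn","ClientIP":"192.0.2.40","Country":"US"}',
]
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HOME_COUNTRIES = {"US"}        # assumption: where this organisation's users normally sign in
WINDOW = timedelta(hours=48)   # assumption: how long after delivery to look for follow-on activity

def post_delivery_indicators(records, delivered):
    """Return (user, operation, description) for suspicious activity that follows
    a phishing delivery to the same user within WINDOW."""
    findings = []
    for line in records:
        ev = json.loads(line)
        user, when = ev["UserId"], datetime.fromisoformat(ev["CreationTime"])
        t0 = delivered.get(user)
        if t0 is None or not (t0 <= when <= t0 + WINDOW):
            continue  # user never received the phish, or the event is outside the window
        op, params = ev["Operation"], ev.get("Parameters", {})
        if op in RULE_OPS and any(k in params for k in FORWARD_KEYS):
            target = next(params[k] for k in FORWARD_KEYS if k in params)
            note = f"rule '{params.get('Name')}' forwards mail to {target}"
            if params.get("DeleteMessage"):
                note += " and deletes the original"
            findings.append((user, op, note))
        elif op == "UserLoggedIn" and ev.get("Country") not in HOME_COUNTRIES:
            findings.append((user, op, f"sign-in from {ev.get('Country')} via {ev.get('ClientIP')}"))
    return findings
```

Any hit for a user who received the email is the point at which the guide says containment and evidence preservation take priority over further assessment.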


Common Mistakes That Compromise a Phishing Email Investigation

Even experienced teams fall into predictable traps. These four mistakes are the most common — and the most costly.

Don't touch before you preserve. Opening attachments "to check," clicking links to test where they go, or deleting the email to contain it are among the most destructive first responses. They can trigger malware, destroy metadata, and invalidate any chain-of-custody argument in legal proceedings.

Don't stop at what the email looks like. Grammar errors and obvious branding mismatches catch unsophisticated attacks. Business email compromise and vendor impersonation attacks often have perfect grammar, legitimate-looking sender domains, and no obvious red flags. Header and authentication analysis is non-negotiable regardless of how professional the email looks.

Don't treat it as a single event. Treating a phishing email as an isolated incident without checking whether others received it delays containment. The blast radius grows every hour while the investigation stays narrowly focused on the original message.

Don't reconstruct documentation after the fact. Investigations without contemporaneous records won't hold up in legal proceedings, insurance claims, or regulatory responses. Every step, tool used, finding, and timestamp needs to be recorded in a reproducible format from the start.


When to Escalate to Professional Phishing Investigators

Internal teams can handle routine phishing triage. But certain scenarios require forensic rigor, legal admissibility standards, and threat intelligence depth that exceed what most security teams can deliver.

Escalate to professional investigators when you're facing:

  • Targeted attacks against executives or privileged users (spear phishing or whaling)
  • Suspected BEC involving financial transactions — the average wire-transfer request in BEC attacks reached $128,980 in Q4 2024, nearly double the prior quarter
  • Phishing linked to an active or suspected data breach
  • Evidence that needs to be preserved for litigation or law enforcement referral
  • Situations where internal teams lack the tools, access, or authority to conduct a complete cross-system investigation


The SANS 2024 SOC Survey found that lack of skilled staff (14.4%) and lack of enterprise-wide visibility (12.9%) are among the primary barriers to full SOC utilization; approximately half of surveyed organizations outsource digital forensics partially or entirely. When internal capacity runs short, the right external partner matters.

Prudential Associates fields certified examiners and former law enforcement investigators with direct experience in BEC and email fraud cases. Their team holds certifications across the core disciplines phishing investigations require:

  • GCFA / GCIH: Forensic analysis and incident handling
  • GREM: Malware reverse engineering
  • EnCE / CISSP: Evidence examination and security architecture
  • CFE: Fraud examination for financial fraud cases

Former FBI and law enforcement investigators on staff have taken BEC and email fraud cases through to prosecution. Forensic examiners have delivered expert witness testimony in state and federal courts on hundreds of occasions.

For phishing cases with legal implications, Prudential Associates conducts forensically sound examinations that maintain chain of custody and produce court-admissible findings, supporting attorneys through declaration, deposition, and testimony.

For organizations without EDR or SIEM infrastructure, their team can work from available evidence and advise on remediation based on what the existing environment provides.


Frequently Asked Questions

Can you trace a phishing email?

Yes, phishing emails can be traced through header analysis — specifically the Received chain and originating IP address. Sophisticated attackers use relay servers, VPNs, or compromised infrastructure to obscure their origin, which is where professional forensic tools and attribution experience add meaningful depth.

Who investigates phishing emails?

Internal security teams and SOC analysts handle routine phishing triage. Complex cases involving breaches, financial fraud, BEC, or litigation are escalated to professional cybersecurity and digital forensics firms or referred directly to law enforcement agencies like the FBI's IC3.

What is the easiest way to report a phishing email?

Forward to your organization's security team or abuse mailbox first. For external reporting, use CISA (phishing-report@us-cert.gov), APWG (reportphishing@apwg.org), or your email provider's built-in reporting function — most major platforms have a one-click option.

Can I be hacked if I reply to an email?

Replying confirms your address is active and exposes metadata, but the greater risks are clicking embedded links or opening attachments. Advanced attacks can also use replies to gather intelligence or initiate follow-on social engineering, so replying is never without risk.

What are 7 signs of phishing?

The most reliable indicators include:

  • Mismatched or lookalike sender domains
  • Urgent or threatening language, requests for credentials or payment
  • Unexpected attachments or links that don't match their display text
  • Generic greetings ("Dear Customer")
  • SPF/DKIM/DMARC authentication failures in the email headers

Is digital investigation legit?

Yes. Digital forensic investigation is a recognized discipline used in civil litigation, criminal cases, and regulatory proceedings. Credentials such as CFCE, EnCE, GCFA, and CISSP indicate practitioners who work to admissibility standards under frameworks like NIST SP 800-86.