Should I report suspicious emails?

Posted by Aim_Fire_Ready@reddit | sysadmin | View on Reddit | 5 comments

Dear Abby, I just received a fake email supposedly from my webhost, but there were some clues that it wasn't legitimate and when I checked the headers, it lacked or failed SPF, DKIM, and DMARC. Whenever possible, I make a point to report suspicious emails, but the response varies wildly because the impersonated or actually compromised sender can be a friend, a family member, a coworker, an associate, a random stranger at a small company, big company, random office worker 5 states away, etc. etc. ad nauseum. Is this helpful? Do that many companies even have a process for handling reports of fake emails? I work alone in K12 IT, but if someone receives an email impersonating someone from our school, I certainly want to know about it, even though I don't have ANY time to spare for wild goose chases and the odds of any actual consequences for the offender are about even with airborne swine. Does it even make a difference? Sincerely, Discouraged in Detroit

5 Comments

[-]

GotBeaverFever@reddit

Dear Discouraged in Detroit, Most smaller companies - and certainly some larger ones as well - do not have a process for handling fake emails. So, if it's fake and would have failed the sending domain's SPF/DKIM/DMARC, I wouldn't bother reporting since spammers are going to spam and the organization already took steps to protect recipients. Moreover, if they don't have a process you might end up overwhelming the tech-fumbling office manager who barely can master reply-all or BCC. That said, if the outside org doesn't have SPF/DKIM/DMARC implemented (properly), then a courtesy heads up might be warranted to say "Hey, this spoof made it through because \_\_\_ wasn't set up to help prevent it. Please forward to your IT vendor or department, please." You shouldn't feel obligated to do this, however. In the end, if it looks like a compromise, I *always* report it. Beyond that, it's truly up to you. Abby

TK-CL1PPY@reddit

Also, get some sort of email gateway going. An email that failed SPF, DKIM, and DMARC should have been rejected and never even hit your server.

Aim_Fire_Ready@reddit (OP)

This particular email went to my personal/business email.

JwCS8pjrh3QBWfL@reddit

Turn on the Report message button in Outlook, if you're a Microsoft shop. [https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/submissions-users-report-message-add-in-configure?view=o365-worldwide](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/submissions-users-report-message-add-in-configure?view=o365-worldwide) Being K12, you might be Google Workspace, but I believe they have a similar feature.

jeezarchristron@reddit

If you are using could exchange there should be a phish button addon for outlook for all users to submit emails to IT. I use a third party version that comes with our security training. The user highlights the suspected email and clicks the button. That email is removed from their inbox and sent to IT. From there IT can determine if the email is good or bad and take whatever steps they deem necessary.

Reply to Post

5 Comments