Part 1: Everyday checks anyone can use
Part 2: Getting more technical for power readers

The inbox is your office lobby. Spoofing is the stranger in a colleague’s suit. Part 1 gives non‑technical readers the habits that stop most scams in under a minute, including how to reveal the real sender address in Outlook, Gmail, and Apple Mail when only a name appears. Part 2 takes you into message headers and the signals that experts use.

Part 1: The Basics

Spoofing emailThe 30‑second check before you click

1) Name vs. real address
Hover or tap to reveal the actual email address. Ask yourself if the name matches the address you know. Example: “Jane Partner” jane.partner@yourfirm.com feels right. “Jane Partner” <jane.partner@your‑fïrm.co> does not.

2) Domain sanity
Scan for lookalikes and swaps:

  • Typos: yourfirm.com vs yourflrm.com

  • Wrong ending: .co, .law. net, .jp, .ru when your firm uses .com

  • Hyphen illusions: secure‑yourfirm.com is not the same as secure.yourfirm.com

  • Internationalized characters that mimic Latin letters

3) Tone and timing
Is the style consistent with past emails from this person? Unusual urgency, secrecy, or off‑hours money requests are classic tells.

4) Link preview
Hover to see where a link actually goes. A “DocuSign” link that points at docuslgn‑secure.com is suspicious.

5) Attachments
Unexpected invoices, ZIP files, password‑protected documents, or anything that asks you to enable macros deserve a pause.

If any one item looks wrong, stop and escalate.

Show me the real address when my email app only shows a name

Sometimes your mail app hides the address behind a contact card or a details view. Here is how to reveal it quickly.

Outlook (Windows, new Outlook)

  1. Open the message.
  2. Select More actions.
  3. Choose View > View message details.
  4. In Message details, find the From line and you will see the address between angle brackets. Microsoft Support

Outlook (Windows, classic)

  1. Double‑click the message to open it in its own window.
  2. Go to File > Properties.
  3. The address appears in the Internet headers box and in the From line. Microsoft Support

Outlook on the web or Outlook.com

  1. Open the message.
  2. Select More actions, then View > View message details.
  3. Look for the From line. Microsoft Support

Gmail on the web (desktop)

  • To see full technical details, open the email, click the three dots next to Reply, then Show original. The From and all headers appear. Google Help
  • Quick peek at addressees: click the small down arrow next to “to me” in the header bar to expand the From and To details. Google Help

Gmail app (Android or iOS)
Open the message and tap the sender’s profile image or name to open the contact card, which includes the address. Google Help+1

Apple Mail on iPhone or iPad
Open the message, tap the sender’s name in the From line, then tap again to view the full address on the contact sheet. Apple Support Community

Apple Mail on Mac

  • One‑off: click the sender’s name in the header to reveal the address.
  • Always show addresses: in Mail, open Settings > Viewing, turn off Use Smart Addresses so names and email addresses display together. Apple Support

Tip for Mac power users: if you need deeper detail for a message, choose View > Message > All Headers to expose more fields in the header bar. Apple Support

iCloud Mail on the web
Open a message, choose More, then Show All Headers to reveal full header information, including From and routing. Apple Support

What to do if you have any doubt

  1. Stop. Do not click links, open attachments, or reply.
  2. Verify out of band. Call the person using a number you already have. Do not trust phone numbers in a suspicious email.
  3. Capture and report. Forward the message as an attachment (.eml or .msg) to IT or your phishing mailbox and use your mail client’s Report phishing option.
  4. Quarantine. Move it to Junk or Phishing.
  5. If you clicked or typed a password
    • Change your password immediately and confirm multi‑factor authentication is on.
    • Ask IT to check sign‑ins and mail‑forwarding rules.
    • If money is involved, call the bank at once to attempt a hold or recall.

Print‑ready checklists

Header and address red flags

  • Display name does not match the address you know
  • Reply‑To is different from From without a reason
  • Domain lookalike or odd top‑level domain
  • Message sent at unusual hours for the sender
  • Link preview does not match the label
  • Unexpected or risky attachments

Content red flags

  • Urgent request for payments, gift cards, or credentials
  • Requests to skip approvals or keep the exchange secret
  • Style and tone inconsistent with past messages

Verification steps

  • Reveal the sender’s actual address using the steps above
  • Call a known number to confirm any money or access change
  • Forward the message as an attachment to Security or IT

Pocket quick reference

Pause. Preview. Phone.
Pause for 30 seconds when money, passwords, or files are involved.
Preview the real sender, domain, and any links.
Phone a known number to confirm before paying or sharing access.

Getting more technical: how pros read headers (Part 2)

If you enjoy the forensics side, this section shows where spoofing leaves fingerprints and how to view full headers in each client.

How to open full headers

  • Gmail (web): open the email, select the three dots next to Reply, choose Show original. Google Help
  • Outlook, new Windows: open the message, select More actions > View > View message details. Microsoft Support
  • Outlook, classic Windows: double‑click the message, then File > Properties and read Internet headers. Microsoft Support
  • Outlook on the web: More actions > View message details. Microsoft Support
  • Apple Mail on Mac: View > Message > All Headers. Apple Support
  • iCloud Mail: More > Show All Headers in the message. Apple Support

A sample header and what each field tells you

From: "Jane Partner" <jane.partner@yourfirm.com>
Reply-To: accounts@yourfirm-payments.co
Sender: notify@mailer-app.net
Return-Path: bounces@mailer-app.net
Message-ID: <93485abf@mail.mailer-app.net>
Received: from [203.0.113.45] by mx.yourfirm.com with ESMTPS id ABC123
Authentication-Results: mx.yourfirm.com;
spf=softfail smtp.mailfrom=bounces@mailer-app.net;
dkim=none;
dmarc=fail (p=reject) header.from=yourfirm.com
  • From should match who you expect.
  • Reply‑To that points to a lookalike domain is a common redirect trick.
  • Sender and Return‑Path can differ for bulk mail, but mismatches are suspicious on finance requests.
  • Message‑ID usually contains the domain of the sending system.
  • Received shows the route into your server. Focus on the lines your own systems added.
  • Authentication‑Results summarizes three tests:
    • SPF checks whether the sending IP is authorized for the envelope domain.
    • DKIM verifies a cryptographic signature by the sender’s domain.
    • DMARC requires that the visible From domain aligns with SPF or DKIM. A DMARC fail for the domain shown to the user is a strong spoofing signal.

Field‑by‑field red flags

  • Header From: display name looks fine but the address belongs to a different or misspelled domain.
  • Reply‑To: differs from From without a clear reason.
  • Return‑Path: unrelated domain for a sensitive request.
  • Message‑ID: random hostnames that do not match the brand.
  • Received: source IP from an unexpected geography or a consumer ISP for a supposed enterprise sender.
  • Authentication‑Results: SPF softfail or fail, DKIM none or fail, DMARC fail.

Organizational defenses that make spoofing harder

  • Publish SPF, sign with DKIM, enforce DMARC. Start with DMARC monitoring, then move to quarantine and reject once alignment is working.
  • External sender tagging to remind users when a message is coming from outside.
  • Multi‑factor authentication for email and critical systems to limit damage if credentials leak.
  • Payment controls such as two‑person approval for bank changes and a required call‑back to a known number.
  • Awareness that fits real work. Short, frequent refreshers and realistic simulations beat annual marathons.
  • Alerting on new mail‑forwarding rules, unusual sign‑ins, and impossible travel.

Optional appendix for legal and finance teams

Wire verification mini‑policy

  1. No wire instructions are accepted by email alone.
  2. Verify identity and routing by live call to a known number on file.
  3. Two‑person approval for any change to payment details, with at least one approver outside the initiating email thread.
  4. Document the verification in the matter or payment file.

Wrap‑up

Most spoofing gets caught by three habits.
Pause when money, files, or passwords appear.
Preview the real sender and domain.
Phone a known number to confirm anything that moves funds or opens access.

Final Note: A Smarter Safety Net with 2b1 Care

2b1 CareEven the sharpest eyes can miss a cleverly disguised spoofed email. That’s why many organizations now combine staff awareness with layered technology.

2b1 Care – Advanced Email Security acts as a second set of eyes, scanning both incoming and outgoing mail for signs of spoofing, phishing, and other malicious tactics. It checks domains, links, and attachments in real time, reducing the chances of human error and helping firms maintain client trust.

Think of it as the security guard in your digital lobby—quietly reviewing every visitor badge so your team can focus on their work with confidence.

If protecting sensitive communication and client funds is critical to your practice, don’t wait for a close call. Call us today or fill out the form below to learn how 2b1 Care can strengthen your defenses against email spoofing and other advanced threats.

More Posts
Share Post