Anatomy of a Phish: Breaking Down a Scam Email that Landed in my Inbox


Introduction
It’s a beautiful morning and I go about my daily routine which includes checking my inbox. In my spam folder is an email accusing me of being a pervert (how charming). The sender claims to have hacked my device, watched me through my webcam, and is threatening to leak compromising footage unless I pay $1300 in cryptocurrency. The most unsettling part? The email appears to come from my own email address.
Had I not known about email spoofing, or if the message had struck a more plausible chord, it would have been easy to fall for the scam.
Unfortunately, phishing emails like this one arrive in inboxes every day. Some are sloppy, others alarmingly convincing, but all operate on the same principle - create just enough panic or trust to prompt a click. The reality is that it works, and it costs organisations and individuals millions every year. What’s worse, advances in artificial intelligence (AI) and deep-fake technology are fuelling a new wave of phishing campaigns that are harder to spot and more psychologically manipulative than ever before.
In this article, I’ll break down this real phishing email step by step. From email headers to domain protection protocols, this is how to spot, understand, and defend against phishing in practice.
Dissecting the Bait
Email spoofing is a common tactic used by cybercriminals to deceive recipients by forging the sender’s address, often making it look like the email came from a colleague, a company, or even the recipient themselves. This form of digital impersonation plays on trust, and it works alarmingly well, so it should come as no surprise that phishing is the most common type of cybercrime.
The reason spoofing remains so effective is that the underlying email protocols were never designed to verify a sender’s identity. Without modern defences like SPF, DKIM, and DMARC in place, email systems have little way of knowing that the message isn’t genuine.
To start our investigation, we can begin by analysing the email header using a tool like MXToolbox. In web-based Outlook, click on the three dots and select 'View' followed by 'View message source'. This will display the email's full header, which you can then copy and paste into MXToolbox. The tool will process the header and reveal key information, such as the original sending IP and domain. In this case, it highlights the true source of the email, which is different from my own address, confirming the email was spoofed.
SPF, DKIM and DMARC?
To protect against spoofing, organisations should implement three key email authentication standards: SPF, DKIM, and DMARC.
SPF (Sender Policy Framework) allows domain owners to specify which mail servers are authorised to send email on their behalf. When a receiving server gets a message, it checks the SPF record to ensure the sending IP is permitted; if not, the email can be rejected or flagged.
DKIM (DomainKeys Identified Mail) adds a digital signature to each outgoing email, using a private key known only to the domain owner. The recipient’s server uses the corresponding public key (published in DNS) to verify the message hasn’t been altered and really comes from the domain.
Finally, DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM by instructing receiving servers on what to do when authentication fails, such as quarantining or rejecting the message, and provides reporting back to the domain owner. When all three are properly configured, they form a strong line of defence that helps email recipients identify and block fraudulent messages, reducing the chances of a successful phishing attack.
The National Cyber Security Centre (NCSC) strongly recommends their use as part of a layered approach to email security. We can check whether a given email passed these controls by inspecting the SPF, DKIM and DMARC results recorded in its headers.
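To make the interplay between the three standards concrete, here is a small added example (written for this article, not taken from any mail server or vendor) that models offline how a receiving server evaluates SPF for a sending IP, checks DMARC identifier alignment, applies the published p= policy, and flags a weak DMARC record. The domain example.com, its SPF and DMARC records and the 203.0.113.x addresses are constructed; the sending IP 45.195.191.108 is the one from this case. The model deliberately skips the DNS-dependent SPF mechanisms (include:, a, mx, redirect=) and approximates the organisational domain with the last two labels instead of the Public Suffix List.

```python
"""Offline model of how a receiving server applies SPF and DMARC (added example).

Simplifications: only ip4:/ip6: mechanisms and the final 'all' are evaluated
(include:, a, mx, exists and redirect= need DNS and are skipped); the
organisational domain is the last two labels, not a Public Suffix List lookup.
"""
import ipaddress

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(sending_ip: str, spf_record: str) -> str:
    """Evaluate sending_ip against a v=spf1 TXT record and return the SPF result."""
    ip = ipaddress.ip_address(sending_ip)
    terms = spf_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF record published
    for term in terms[1:]:
        qualifier = "+"  # a matched mechanism means 'pass' unless qualified
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif mech == "all":
            return QUALIFIER_RESULT[qualifier]
        # include/a/mx/exists/redirect require DNS lookups: skipped in this model
    return "neutral"


def org_domain(domain: str) -> str:
    """Approximate organisational domain (last two labels)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = exact match, 'r' = same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_evaluate(from_domain, dmarc_record, spf_result, spf_domain, dkim_result, dkim_domain):
    """DMARC passes if SPF or DKIM passed AND that identifier aligns with the From: domain;
    otherwise the receiving server applies the domain owner's p= policy."""
    tags = parse_dmarc(dmarc_record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, tags.get("adkim", "r")))
    verdict = "pass" if (spf_ok or dkim_ok) else "fail"
    actions = {"none": "deliver (monitor only)", "quarantine": "quarantine", "reject": "reject"}
    action = "deliver" if verdict == "pass" else actions.get(tags.get("p", "none"), "deliver (unknown policy)")
    return {"dmarc": verdict, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "action": action}


def audit_dmarc(record: str) -> list:
    """Flag weak DMARC settings a domain owner should tighten."""
    tags = parse_dmarc(record)
    issues = []
    if tags.get("v", "").upper() != "DMARC1":
        issues.append("missing or malformed v=DMARC1 tag")
    if tags.get("p", "none") == "none":
        issues.append("p=none: failures are only reported, spoofed mail is still delivered")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports will not be received")
    return issues


# Constructed records for the fictional domain example.com.
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
DMARC_WEAK = "v=DMARC1; p=none"
DMARC_STRONG = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"


def scenario_spoofed():
    """Mail claiming From: example.com, sent from the article's IP, unsigned."""
    spf = spf_check("45.195.191.108", SPF_RECORD)  # the IP is not in the record
    return dmarc_evaluate("example.com", DMARC_STRONG, spf, "example.com", "none", None)


def scenario_legitimate():
    """Mail from an authorised server with a valid DKIM signature for example.com."""
    spf = spf_check("203.0.113.25", SPF_RECORD)
    return dmarc_evaluate("example.com", DMARC_STRONG, spf, "example.com", "pass", "example.com")


if __name__ == "__main__":
    print("spoofed:    ", scenario_spoofed())
    print("legitimate: ", scenario_legitimate())
    print("weak record:", audit_dmarc(DMARC_WEAK))
```

The spoofed scenario fails SPF (the IP is not listed), carries no DKIM signature, and so fails DMARC; with p=reject the receiving server drops it. The legitimate scenario passes on both identifiers. Running audit_dmarc on the weak record shows why a p=none policy alone does not stop spoofing: it only reports.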
In this case, the IP address 45.195.191.108 and the domain tricitycomss.com are not authorised to send emails on behalf of Outlook. Additionally, the email fails to meet DMARC compliance and lacks proper DKIM alignment and authentication, further confirming its fraudulent nature.
Additionally, we can examine the anti-spam stamps assigned by Microsoft. In this case, the email has been given a Spam Confidence Level (SCL) of 8 out of 9, indicating a high likelihood of it being flagged as spam. Unfortunately, there does not seem to be a Phishing Confidence Level (PCL), which may indicate that Microsoft’s anti-phishing algorithms did not pick it up as malicious. This may happen if:
The email does not contain obvious indicators like malicious links or attachments that trigger the phishing detection algorithms.
The email may pass some initial checks like SPF/DKIM alignment or domain reputation, even though it's ultimately malicious. In this case, we can see it passed SPF alignment, which may be why.
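As an added example (not from the article, MXToolbox or Microsoft), the following script does by hand what the header analyser did above: it walks the Received chain to the earliest hop, reads the spf/dkim/dmarc verdicts from Authentication-Results, and pulls the SCL and any PCL from Microsoft's anti-spam stamps, then lists the findings a reviewer would note. The headers embedded in it are constructed to resemble this case: the sending IP and host name are the ones identified above, while the recipient address at example.com, the timestamps and the Outlook server names are invented. X-Forefront-Antispam-Report, SCL and X-MS-Exchange-Organization-PCL are the stamp names Exchange Online uses; the wording of the findings is my own.

```python
"""Header triage: originating hop, authentication results, anti-spam stamps (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers modelled on web Outlook's "View message source". The sending IP and
# host name are those discussed in the article; recipient, timestamps and servers are made up.
RAW_HEADERS = """\
Received: from MN2PR00MB0001.namprd00.prod.outlook.com (2603:10b6:208:1::1) by
 MW4PR00MB0002.namprd00.prod.outlook.com with HTTPS; Mon, 5 May 2025 07:12:04 +0000
Received: from mail.tricitycomss.com (45.195.191.108) by
 MN2PR00MB0001.namprd00.prod.outlook.com with Microsoft SMTP Server;
 Mon, 5 May 2025 07:12:02 +0000
Authentication-Results: spf=fail (sender IP is 45.195.191.108)
 smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=oreject header.from=example.com
X-Forefront-Antispam-Report: CIP:45.195.191.108;LANG:en;SCL:8;SRV:;IPV:NLI;SFV:SPM;
 H:mail.tricitycomss.com;PTR:mail.tricitycomss.com;CAT:SPM;DIR:INB;
From: "Me" <victim@example.com>
To: victim@example.com
Subject: Your device has been hacked
Date: Mon, 5 May 2025 07:12:00 +0000

(body omitted)
"""


def _flat(value) -> str:
    """Unfold a header value: collapse line breaks and runs of whitespace."""
    return re.sub(r"\s+", " ", str(value or "")).strip()


def originating_hop(msg):
    """Each relay prepends a Received header, so the last one is the earliest hop
    (closest to the real origin); return its HELO name and IP."""
    received = msg.get_all("Received") or []
    if not received:
        return None, None
    hop = _flat(received[-1])
    host = re.search(r"\bfrom\s+([^\s(\[]+)", hop)
    ip = re.search(r"(\d{1,3}(?:\.\d{1,3}){3})", hop)
    return (host.group(1) if host else None), (ip.group(1) if ip else None)


def auth_results(msg):
    """Pull spf/dkim/dmarc verdicts and the domains each was evaluated against."""
    value = _flat(msg.get("Authentication-Results"))
    out = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", value)
        out[method] = m.group(1) if m else None
    for key in ("smtp.mailfrom", "header.d", "header.from"):
        m = re.search(rf"{re.escape(key)}=([^\s;]+)", value)
        out[key] = m.group(1) if m and m.group(1).lower() != "none" else None
    return out


def antispam_report(msg):
    """Split X-Forefront-Antispam-Report into its KEY:value stamps."""
    fields = {}
    for part in _flat(msg.get("X-Forefront-Antispam-Report")).split(";"):
        key, sep, val = part.partition(":")
        if sep:
            fields[key.strip()] = val.strip()
    return fields


def org_domain(domain):
    """Rough organisational domain (last two labels); real tooling uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:]) if domain else None


def triage(raw_headers):
    msg = message_from_string(raw_headers)
    host, ip = originating_hop(msg)
    auth = auth_results(msg)
    report = antispam_report(msg)
    from_domain = parseaddr(_flat(msg.get("From")))[1].rpartition("@")[2] or None
    mailfrom = auth["smtp.mailfrom"]
    scl = int(report["SCL"]) if report.get("SCL", "").lstrip("-").isdigit() else None
    # PCL is stamped in its own header when the phishing classifier fires; absence is notable.
    pcl = report.get("PCL") or msg.get("X-MS-Exchange-Organization-PCL")

    findings = []
    if mailfrom and from_domain and org_domain(mailfrom) != org_domain(from_domain):
        findings.append(f"envelope sender {mailfrom} does not align with From: domain {from_domain}")
    if auth["spf"] != "pass":
        findings.append(f"SPF {auth['spf']}: {ip} is not an authorised sender for {mailfrom}")
    if auth["dkim"] != "pass":
        findings.append(f"DKIM {auth['dkim']}: no valid signature for the From: domain")
    if auth["dmarc"] != "pass":
        findings.append(f"DMARC {auth['dmarc']}: the From: domain's policy applies")
    if scl is not None and scl >= 5:
        findings.append(f"SCL {scl}: classified as spam (5 or above)")
    if pcl is None:
        findings.append("no PCL stamp: the phishing classifier did not flag the message")
    return {"originating_host": host, "originating_ip": ip, "from_domain": from_domain,
            "mailfrom_domain": mailfrom, **{k: auth[k] for k in ("spf", "dkim", "dmarc")},
            "scl": scl, "pcl": pcl, "findings": findings}


if __name__ == "__main__":
    for key, value in triage(RAW_HEADERS).items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports the earliest hop as mail.tricitycomss.com at 45.195.191.108, SPF fail, no DKIM signature, DMARC fail, SCL 8 and no PCL. Note that in this sample the envelope sender domain matches the From: domain, so the alignment finding is not raised even though authentication itself fails, which mirrors the point above that alignment can pass while the message is still fraudulent.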
Spam vs Phishing
This leads us nicely to the distinction between spam and phishing, which differ in several key ways:
Intent: spam is primarily about unsolicited advertising, whereas phishing is about deceiving recipients to steal information or install malware.
Impact: spam can be an annoyance, but phishing can lead to serious security breaches, including identity theft and financial loss.
Approach: spam emails are often bulk-sent and lack personalised targeting while phishing emails are more sophisticated and tailored to manipulate individual recipients.
How to deal with spam and phishing emails?
Spam Emails:
Don’t Engage: avoid clicking links, downloading attachments, or replying.
Mark as Spam: use your email provider’s "mark as spam" or "junk" feature.
Delete: remove the email from your inbox or junk folder.
Report (if necessary): if spam becomes persistent, notify IT for further action.
Phishing Emails:
Do Not Interact: never click on links, open attachments, or respond to requests for sensitive information.
Verify: if unsure, confirm the email's legitimacy through a trusted source, like calling the person directly.
Report Immediately: forward the email to your IT or security team and use built-in reporting tools.
Follow Up: if you’ve interacted with a phishing email, follow your company’s protocol, e.g. change passwords and monitor accounts for suspicious activity.
Post-Mortem of a Phish: Unpacking the Digital Evidence
Now that we have confirmed that the email has in fact been spoofed, we can have a look at the IP and domain name to see if there is any further information that we can work with. Running the IP through VirusTotal, AbuseIPDB, WHOIS, and GreyNoise turns up very little. It appears the IP is associated with an exchange server located in South Africa or Germany with no reports of suspicious or malicious activity. What could this mean?
New or unreported attacks: the phishing campaign or malicious activity might be new, and the IP has not yet been flagged or reported. It can take some time for malicious activity to be detected and indexed by threat intelligence databases.
Spoofing or legitimate server: the IP could be that of a legitimate server or hosting provider. If the server is not compromised or involved in known malicious activity, it won't appear in threat intelligence reports. This suggests the phishing email may have been spoofed or sent using legitimate infrastructure.
Stealthy tactics: the attacker might be using advanced techniques, such as rotating IP addresses or employing services that obfuscate the origin of malicious traffic. This could involve using compromised legitimate servers or VPNs to hide the true source.
Additionally, we can look at the transactional history for the Litecoin address using two different blockchain explorers and can see that so far there has been no activity (thankfully).
This suggests that the scammer either hasn't had any victims yet, or they are using a unique wallet for each target, both common tactics in phishing campaigns. Using unique wallets helps criminals avoid detection and makes it harder for authorities to trace funds. However, the lack of transactions also gives us a small but significant insight: this may be a mass phishing attempt rather than a targeted one, likely sent to thousands of addresses in the hope that even a small number will respond.
From a threat intelligence perspective, this also means the wallet hasn’t been flagged or blacklisted yet, which could allow the scam to continue unnoticed. By reporting the wallet address to abuse databases and relevant crypto exchanges, we contribute to a broader ecosystem of defence and disrupt the attacker’s ability to cash out. While it may not lead to an arrest, every bit of friction counts.
Ultimately, this quiet Litecoin address, paired with a spoofed email and an unremarkable IP, paints a picture of a low-sophistication, high-volume campaign, but one that still poses a serious threat to those unprepared. The relative ease with which this scam was executed highlights just how accessible phishing has become to low-level cybercriminals, and why robust, layered defences are more essential than ever.
With the technical investigation exhausted, we’re left with a clear conclusion: this phishing email, while crude in its execution, leveraged spoofing techniques and exploited gaps in email authentication to appear more credible. The lack of suspicious activity tied to the IP or Litecoin wallet doesn’t diminish the threat; it highlights how low-effort, mass-sent scams can quietly persist beneath the radar, waiting for someone to panic and pay. This case serves as a reminder that even seemingly obvious scams can gain traction if the right psychological buttons are pushed. But as we’ve seen, a little digital literacy and a few simple security controls can go a long way in pulling back the curtain on a phishing attempt.
Building Defences: NCSC’s Layered Approach to Stopping Phishing
The National Cyber Security Centre (NCSC) advocates for a layered defence strategy using a combination of technical controls, user awareness, and incident response planning that work together to reduce the risk and impact of phishing. No single solution is foolproof, but layering multiple defences makes it significantly harder for attackers to succeed, so let’s break down how to improve your defences using the case study as an example.
1. Strengthen your email infrastructure
As we saw in this investigation, email spoofing succeeds when email systems lack authentication controls. Implementing SPF, DKIM, and DMARC is critical for all organisations. These standards ensure that only authorised servers can send mail on your domain’s behalf and give receiving servers the tools to verify authenticity. The NCSC also recommends regularly auditing these records to maintain protection as infrastructure changes.
2. Filter and block known threats
A well-configured email gateway can block many phishing messages before they even reach the inbox. These filters use threat intelligence, reputation databases, and machine learning (ML) to detect and quarantine suspicious emails, URLs, or attachments. Organisations should ensure these filters are up-to-date and properly tuned. One example I have had the opportunity to work with is Mimecast, which sits between your mail server and the outside world, inspecting inbound emails in real time for signs of malicious content, spoofing, or impersonation. It uses threat intelligence, signature-based detection, and sandboxing to block known malware and suspicious links.
3. Train users to recognise and report
Even the best filters miss some threats, especially highly targeted ones. This is why user awareness and training are a vital layer of defence. Employees should be trained to spot suspicious signs like spoofed addresses, urgent language, or unusual requests. They should also know how to report phishing attempts quickly and safely.
After having a successful teaching career and educating many students who did not want to actively engage in learning, what do I think organisations could do to ensure that training and awareness is impactful?
Create engaging, interactive content that is directly relevant to the learner. For example, add a competitive element by gamifying your training: teams could compete for the highest number of reported phishing emails and/or the lowest number of clicks on simulated phishing emails.
Just as in the classroom, the most effective lessons are those that connect theory to real-world situations and allow people to apply knowledge in a practical way. In the context of cybersecurity, that means moving away from passive slide decks and instead using scenario-based learning, live demonstrations, and phishing simulations that mirror the kinds of emails users might actually receive. Run phishing simulation campaigns that mimic real-world attacks, like fake invoices, credential harvesters, or spear-phishing attempts. When users fall for a simulated phish, it’s a safe way to teach a lesson and you can follow up immediately with tips on what to watch out for next time.
By fostering curiosity, encouraging questions, and framing mistakes as learning opportunities rather than failures, you can create a culture where people feel confident recognising and responding to threats and are invested in making an impact.
4. Protect accounts with strong authentication
Phishing attacks often target credentials, such as usernames and passwords, with the goal of gaining unauthorised access to sensitive systems. To mitigate the damage of a compromised account, the National Cyber Security Centre (NCSC) strongly advocates for the use of Multi-Factor Authentication (MFA).
MFA adds an additional layer of protection by requiring users to provide multiple forms of verification before access is granted, typically something they know (like a password) and something they have (such as a smartphone app or hardware token). Even if an attacker successfully steals a password through phishing, MFA makes it significantly more difficult for them to access accounts.
In addition, organisations should consider implementing adaptive MFA, which adjusts the level of security based on factors like the user’s location, device, or time of access. This further strengthens the security posture, ensuring that account protection is dynamic and responds to potential threats in real-time.
5. Be prepared to respond
No matter how robust the preventive measures, phishing attacks will still occur. Therefore, it’s crucial for organisations to have a well-defined incident response plan in place. The NCSC advises organisations to create clear and actionable protocols for handling phishing attempts, whether successful or not. These protocols should include immediate steps for investigation, containment, and recovery, as well as clear communication strategies to ensure all stakeholders are informed. In particular, having a designated response team with predefined roles and responsibilities ensures that responses are swift and coordinated.
Additionally, the organisation should ensure that all employees are trained on how to report suspicious emails and that reports are acted on promptly. For example, setting up automated alerts for common phishing indicators can accelerate the detection process. After the incident is contained, conducting a thorough post-incident analysis to identify weaknesses and refine the response plan is essential. This process not only helps mitigate the current risk but also strengthens future resilience. In the long run, having an adaptable, well-practised response plan ensures that organisations can bounce back quickly and use every phishing attempt as an opportunity for improvement.
Lessons Learned and Final Thoughts
This phishing attempt may have been clumsy in tone, but it still ticked several classic boxes that could deceive someone who isn't trained to spot the signs. Among the key indicators:
Spoofed sender address that mimicked the victim’s own email, a tactic designed to immediately grab attention and sow confusion.
Emotional manipulation through threatening and sensational language, designed to provoke fear and panic.
A demand for anonymous payment to a cryptocurrency wallet, a frequent red flag in extortion-based phishing schemes.
Lack of technical authentication, as revealed through the email header analysis failing SPF, DKIM, and DMARC checks.
Despite these signs, the email managed to bypass filters, which highlights a gap in automated detection, especially when spoofed messages use infrastructure that hasn’t yet been flagged as malicious. It also reflects a broader challenge in email security: modern phishing campaigns can evade traditional defences by leveraging clean infrastructure, rotating wallet addresses, or exploiting poorly configured domains.
What’s especially alarming is how accessible and scalable these attacks have become. This campaign is an example of how attackers leverage low-effort, high-volume attacks that rely on quantity over quality. These types of scams have been seen targeting businesses, government departments, and private individuals alike, which is why phishing remains one of the most common and successful vectors for cybercrime.
By breaking down this real-world example and following the NCSC’s guidance, we can turn a potential threat into a valuable lesson when we remember that awareness is our first line of defence.
Written by
Bianca Santarossa
With a background in education, research, and now cybersecurity, I bring a unique blend of analytical skills, problem-solving expertise, and a passion for continuous learning. As I transition into cyber threat intelligence, I’ve made it a priority to document my learning journey through this blog in the hopes that it may allow me to engage with peers, share my experiences, and contribute to conversations about cyber defence.