I got an email claiming that Bank of America required me to update my account information and therefore needed me to log into my online account. The email also contained a link that would supposedly take me straight to the login page. After reading it, the email definitely did not look legitimate, so I trashed it.
That event prompted me to write this post, because there is one way to help figure out whether an email comes from a legitimate source: the email headers (or message headers). Every email is sent with this header information, which records where it came from, which servers it passed through, the date and time, and other details that can help us judge the authenticity of a message.
One of the schemes people like to use is to fake the "From" address. For example, the Bank of America email had a From address of onlinebanking@alert.bankofamerica.com to trick you into thinking it actually came from the bank. However, the header also contains a Return-Path, which provides crucial information for deciding whether the email deserves your trust.
In order to look at it, right-click on the email in question and click on Options (the example is given in Outlook 2007, but other email programs have the same feature too).

Doing so brings up the following dialog box:

In that dialog, the Internet headers portion includes information that you usually don't see. On the very first line, there will be something called the "Return-Path". Usually, emails from a company will have a Return-Path in the same domain as the From address. If it is different, the email was not sent from the same server as the company's standard email system, and that would make me suspicious. The Bank of America email showed Return-Path:
Of course, the best thing to do is never click on any link in an email. For example, even if you believe the Bank of America email is genuine, launch your browser and go to the website manually.
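The check described above can be automated. The following is an added example, not code from the original post: it parses a raw message with Python's standard library, pulls out the From and Return-Path headers, and flags a mismatch between their domains. The two sample messages, their addresses and the host names in them are constructed for illustration. The domain comparison uses a deliberately simple "last two labels" rule, which treats alert.bankofamerica.com and bankofamerica.com as the same organisation; a production tool would use a public-suffix list.

```python
"""Added example (not from the original post): compare the Return-Path
domain with the From domain of a raw email.  Standard library only."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample messages; addresses and hosts are made up for illustration.
SUSPICIOUS_MSG = b"""Return-Path: <bounce@mail-example.invalid>
Received: from mail-example.invalid (mail-example.invalid [192.0.2.10])
    by mx.example.net with SMTP; Mon, 15 Sep 2008 10:12:00 -0700
From: "Online Banking" <onlinebanking@alert.bankofamerica.com>
To: victim@example.net
Subject: Update your account information

Please click the link below to update your account.
"""

LEGIT_MSG = b"""Return-Path: <alerts@alert.bankofamerica.com>
From: "Online Banking" <onlinebanking@alert.bankofamerica.com>
To: customer@example.net
Subject: Your monthly statement is ready

Log in to view your statement.
"""


def registrable_domain(address: str) -> str:
    """Return the last two labels of the address's host, lower-cased.

    Simplification (assumption of this example): 'alert.bankofamerica.com'
    and 'bankofamerica.com' count as the same organisation.  This is wrong
    for hosts under public suffixes such as 'co.uk'; use a public-suffix
    list for real deployments.
    """
    _, addr = parseaddr(str(address))
    if "@" not in addr:
        return ""
    host = addr.rsplit("@", 1)[1].lower().strip("[]")
    return ".".join(host.split(".")[-2:])


def check_return_path(raw: bytes) -> dict:
    """Parse a raw message and report whether Return-Path and From agree.

    A mismatch is a reason to be suspicious, not proof of forgery: bulk
    mailing services legitimately use their own bounce domain, so treat
    the flag as one signal among several.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = registrable_domain(msg.get("From", ""))
    rp_domain = registrable_domain(msg.get("Return-Path", ""))
    return {
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "mismatch": from_domain != rp_domain,
    }


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MSG), ("legitimate", LEGIT_MSG)):
        print(label, check_return_path(raw))
```

Running it prints a mismatch for the first message (Return-Path in mail-example.invalid, From in bankofamerica.com) and no mismatch for the second. A missing Return-Path header is reported as a mismatch too, since an empty domain can never equal the From domain.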
For something like banking, it's best to never reply to an email, no matter how legit it looks. Almost anything can be spoofed, it seems, these days. Just create a shortcut to your bank, or horror of horrors, just type in the URL.
Great method for combating phishing. Thanks
Great to see somebody addressing this issue with all the SPAM we are bombarded with on a daily basis. I get updates from my bank every day in my inbox, but they never provide any links. If there is a link in the email, it isn't legit. At least for me.
Lauren: That's also a good indicator. There are many little things that tell you whether an email is from a bad source or not, but the bottom line is that we need to be careful with these things.
This was very interesting info - thanks!
Chief Family Officer: You are welcome!
Debt Free: Yup, I always type in the URL for everything.
Whenever I visit my dad and do this, he always makes a comment that it’s slower but it is actually faster for me to type out the URL than to find the shortcut or bookmark with a mouse.