Well this video ended up being way longer and way more work than I thought (I believe it’s the longest serious video I’ve ever made). Be sure to like it because if it flops I'm going to stick my head in the Large Hadron Collider

I did not know non-ASCII characters were allowed in email addresses. Thank you for such a detailed informative video.

Wanna know what you do? Get a font that only has the a-z characters, and also a couple other important ones like 0-9 and some important symbols. Then set a fallback font to make the email address super obviously not latin characters. This is how you COULD do it.

Yes, last week. I kept getting a message saying they were from Netflix and they were going to cancel my account if I didn’t update my address. Funny thing is I don’t have an account with Netflix

Best policy: Never click on a hypertext link in an email.

This video is extremely informative, extremely well done, and is the kind of video that can make a difference for a lot of people. Thanks Joe, well done.

nice video! im gonna show this to my grandma

This video doesn't deserve one like... but hundreds Just for the detailed yet easy-to-follow explanations to educate as many people as possible about email security. In addition, it demystifies the fact that it is "complicated" to know how to do it by having taken the time to give several examples on various messaging software which is the right compromise between very specialized videos on a software or popularization videos which talk about methods, but do not show any. Basically, I find your videos, just the right amount of technique and above all always well anchored in concrete at each step so that even my mother who is afraid of turning off her PC by clicking on the wrong button can understand and reproduce what was shown, and I admit to not having either the talent or the patience to find this balance (like what it is a profession) because perhaps like many amateurs/pros, once you master it, you have trouble understanding what to explain for example or go to the menus as an example. PS: I know that I comment on videos that are probably starting to date, but hey, I come across them by pure chance of the algorithm.

I've been tracking spammers since the 1990s, and this video definitely covered the bases without getting too hairy for most folk. This can be an intimidating task, so simple straightforward examples are key and should cover most such threats. Good coverage of caveats, too. There are so so many angles, and limitations, so those this-but caveats are important. Something can look clean, but still fail the sniff test (BS Meter). Great job!

Corporate Email Security Professional here. Possibly the best attempt at an explanation I've seen trying to bring the subject down to a general computer-user level, although I expect plenty of heads will still explode :-) Not perfect mind you, there's some nitpicking to be had in the weeds, but nothing of consequence for your viewers. I was impressed that generally when I heard something and went "ahhh, that's a problem/wrong because..." within a minute or two you had covered that case.

Normal person: just checks if the email makes sense and doesn’t click on the link and goes to the website directly ThioJoe: Makes a 30 minute investigation and reports them to the FBI

Thanks, just finished setting up DKIM, Spf and DMARK for my email domain.

Thanks Joe. I just finished upgrading our agency email system yesterday. You're video timing is impeccable!

One of the best defences against such scams is to have several email addresses - one that only your friends and family have, another for your bank, a third for well known suppliers and trusted companies and several throw away ones that you only give out to folk that you don't really trust. (You can make this easy by using forwarding on them, so that you don't have to log on to several servers.) Then when you get an email from "your bank" about an apparent problem with your account (already highly unlikely) and it arrives on one of your throw away addresses, you know immediately that it's fake because you don't use that email address for banking,

Thanks You made this topic easy to understand. Very informative.

Wow man, You really did your homework on this one huh? 😁 I wanna say I am really thankful you are taking the time to make Videos like this, because there are SO MANY Tech people out there teaching people how to hack and scam, (I think just to they can Create the "Problem" so then THEY can become the "Solution") and no one is Teach people how to Defend themselves from these Hackers. I'm really glad you are fighting the good fight here man. Thanks!

Facinating - but so much information that at the end I just said “What’d he say?” It’s a difficult subject, and I think there’s a real opportunity for someone to incorporate these logic tree steps into mail clients.

The sad part is that anyone who can follow your entire presentation without their eyes glazing over was already capable enough of avoiding scam email. It is simply too complex for average email users to keep in their heads.

1:10 wow I laughed so hard over this part, I literally almost died from suffocation.

Several years from now, the fact that this video was necessary will be a source of amusement.

It is getting to the point that flying to the sender and visiting them in person might actually be easier than exercising this level of scrutiny for every one of the hundreds of emails that show up every morning.

In the first 7min its already information overload... 👌👌👌

I try to pass this knowledge on to the users in my company. But in the end, I just end up telling them "don't click on links or attachments in email" Only if they were expecting something from someone they have personally spoken to.

Man, this was a thoughtful and well put together presentation. I can't wait to get lazy, get scammed, and then go back to do these tests on the phishing email that got me and say "....yup, there it was, all along. 😑"

This is great , as a person who used to play with other companies open SMTP gateways for fun this is interesting, but they have tightened up the rules now with these SPF/DKIM and DMARC records. Thank you for this as it was fun to get a refresher for SMTP.

The fact that there needs to be a 30 minute video explaining all of this tells me that these big tech companies have some interest in not protecting their users. Most, if not all of this, seems like checks that could be built into our email clients fairly easily.

This is giving me a headache, but thank you.

Wow finally somebody who explained SPF DKIM and DMARC in an understandable way

Damn it! I was in that 65.6% of muppets in the [DMARC] p=none category. That'll teach me to not blindly copy/paste settings. DNS updated. Outstanding video!

*Joe, I thank you for explaining the difference between cyrillic "a" and latin "a." in a comment below, and I am paraphrasing, most of us know not to get involved with spoof emails, although I do report spoofs, for instance, from my bank. I have no idea what they can do with the knowledge; I just feel like a good scout for doing it*

Thanks for having actual captions for the Deaf - makes video much easier to follow - thank you for your good work!

As mailserver admin, overall a solid video. I do think it's a bit...weird to show the "X% of domains use SPF" statistic when the absolute majority of domains have never and never will send mails. Most people outsource their mails to providers nowadays, because, as you've shown brilliantly in this video, email is a pain.

Thanks for informing us about these scams! Your a lifesaver! Love from SA

For the people that feel this video was too complex, I remind you that there is a pause button and you can always repeat it and take it in smaller doses.

Thanks for this amazing video! I really like this longer and more in-depth style. Also realized that when I configured my email I just took the recommendation to use "~all" in the spf entry. I really didn't understand the meaning of all those things back then and was glad that I could just copy stuff per tutorial. Thanks to you, I know can confidently know what those entries mean and also changed the "~all" to "-all"!

I remember the time in 7th grade where my language arts teacher got a typical phishing email, and he printed it out and made copies for us to pass around so we know what those emails look like generally and to never listen to them

30min of intensive knowledge explains why spoofs and scams will easily continue to make victims.

I need this guy to be my teacher, never could I pay attention for a whole half hour

I liked this, watched it entirely. Although I already knew most of what's it about, it was very informative.

This guy put no ads in 30 minutes wow

Actually in outlook, if you just hover the mouse over each sender in the inbox, it will show you who the real sender is. So if the return email doesn't match the actual sender, then you know its a phishing email without ever having to open it.

I have long been annoyed that email software doesn't easily and prominently show the actual email address of the sender and reply-to. Some only show the alias and not even the email address! Shameful because they know full well that this aids scammers. Definitely learned a number of things from this video and am now even more annoyed that email software doesn't make this easier.

This one is very important ❤️

I'm sending this to my mom and dad since they might fall for something like this. It's good to keep them informed! My dad once got one but it was for something he didn't have so luckily he asked my brother about it and he could tell it was a scam. Thanks for making this video!

SPF and DKIM do authentication only, they don't provide any enforcement. That is what DMARC is for. Also, FYI, by default, O365 Enterprise tenants are configured to softfail regardless of what a domain's DMARC record is configured for. You have to enable full DMARC compliance if you want it configured that way. From the domain owners perspective, DMARC also provides a statistical and forensic mechanism so you can not only prevent unauthorized senders from using your domain, you can collect statistical information from email relays on the internet that lets you know how many emails "sent" from your domain are legitimate vs spoofed and which email servers are trying to spoof your domain. These statistics enable you to calculate a DMARC compliance rate which can tell you if someone is attempting to use your domain maliciously.

"Nike" has bee BLOWING me up lately on my KZbin channel email 🤣

Thank you

This video is a real eye-opener

Also, for the non-technical, the subject matter and content is a good indication - winning anything where you have not entered, in another country, requiring to verify something as UPS could not deliver your parcel and you are not living in the US. And they start 'dear mail ", etc

Also you should watch out for if the domain has zero-with spaces because those have no width so they are invisible

This was very in-depth. Thank you. My father, who is 72 years old, fell for a phishing email. Fortunately I noticed it just a few minutes later, and had him cancel his card, and change is email password. That could have been bad.

A great tip for everyone is when you get a email that claims it's from Paypal or something they will always address you with the name you put in the account not your email address which is Another clear hint it's not from the actual company I noticed that from some Paypal emails when trying to sell something

Excellent! Really appreciate the depth and details! Not too long or too technical. ❤

Man this is seriously needed nowadays and an absolute incredible job. Glad to be a subscriber

Excellent video! I had not realized possible fraud using extended ASCII in email addresses. In my former job, I had implemented SPF in our mail server, as per request from a major financial services client, whose spam-blocking server kept flagging our app-generated emails as fraudulent.

Interesting stuff, Joe . I managed to follow the encryption part much thanks to that I used PGP in the nineties. An encryption program built on the same principle.

E-mail security expert here! Great video! There are some things you have incorrect, those are just nuances your overall message you are trying to get out is good.

Gonna defend a paper which contains Phishing info next week, great timing for video haha

If you're a Thunderbird user, the add-on "DKIM Verifier" can run DKIM checker for you, and make it obvious if it fails or is signed by a different domain than the envelope's from address. It also has an option (disabled by default) to read Authentication-Results headers if they're available to check SPF and DMARC checks. (Apologies if this is a duplicate comment. I can't seem to find my first one, so it may have been filtered out.)

"major email clients" **ignores Thunderbird** But still a good video. Paying attention to the sender address and if other header fields match can already filter out most spam/scam mails.

Thanks!

Oh boy. Thumbs up BUT despite your hard work and detailed explanations it's all beyond my understanding. I did learn a few things though, some of them that I actually have the capacity to absorb. I know that people who really know their subject want to pass the information to their audience which results in going into overtime. It's what happens when you know your stuff. It's obvious that you know it. I have screwed up my computer in so many ways and so often (I'm in the middle of screwing up my outlook) that I don't even know how to reverse it or how to fix it, or how I got there in the first place. Although, from videos like yours I've learned to do a couple of things with questionable email. I don't open anything and I block the sender. Mine is just for home use though, and I can imagine that business computers and their email have to be scrutinized. See, I went further than I intended to as well.

Extremely helpful. The biggest thing I needed to hear was your domain could be spoofed - I didn't know that and it scared tf out of me when I saw it - I thought our account was hacked.

Just watched your video on spotting fake emails, great job ThioJoe! As a regular user of FilterBounce, I got to say, it is like owning a magician that accurately spots faulty email IDs. I have never had my bounce rate above 1%. Maybe you should consider trying it for your next video?

Quite useful information-- you have matured well beyond your original "How to make your internet connection faster" gag video, which-- for a while, at least-- did no favors for your reputation.

I personally think this is your best video that was serious.

At 8:34 "Country: Czech Republic." LOL! Of course! I think the easiest way to tell if an e-mail is legitimate or not is to simply read it. In every instance of fraudulent e-mail activity, I've noticed grammatical and/or spelling errors. This applies especially to misused or absent articles (like "a," "an," and "the") which don't necessarily make the text grammatically incorrect, but which are inconsistent with their normal and accepted use by a native speaker. That's because Eastern European languages don't use articles. When a legitimate company like eBay or Amazon sends out e-mails, these are proofread by a variety of lawyers, marketing experts, and English experts. How do I know this? For starters, I'm CZECH...

Thank you. I don’t get most of this. The steps you take us through is something I can do even if I don’t understand it. Again thank you

Now I have to explain all of this to my parents.

I just LOVE the way every single content creator on KZbin, bar none, always uses the image of a white male wearing a hoodie as the "visual definition" of a scammer.

Me at 63: I just call the suspected company on their legitimate customer service number and ask if they sent me an email.

Great video!! I am just starting learning mail service and this is really good explained. One thing BTW, at minute 26 you explain the hash verification, and I am pretty sure is: sender signs hash with sender private key, and receiver verifies with sender public key. That is usually how software binaries are verified by people who download them from open source sites. You can only verify or encrypt with the public key.

Speaking of similar looking unicode characters. It would be cool if they color coded or used bold/italics for any character outside the ascii range. For example: Standard ascii characters would just be black like it usually is and other character would have a color, like red for example. Also, it would give you a warning to let you know what it means like "NOTICE: Colored/bolded character(s) detected. Phishers may use this to their advantage.". It would help alot since I have bad vision and the examples you've shown look pretty much the same (The fake 'a' and real one).

Wow, this is very thorough, I honestly love it. Although maybe a tiny bit too much for the biggest target audience (those who easily fall for spoofed emails), but then again I don't know how else to teach avarage email users all the important safety measure.

You should include Thunderbird email client app in your testing.

Glad you made this video. I checked and two of my domain names were announcing old spf records. Thanks!

I used to work for a big organisation and colleagues did get hacked and have their emails used for scam purposes. It does happen. Always do more checks because sometimes companies are filled with technophobes who get hacked easily lol.

I got a sponsorship email from Nike a couple days ago so this is super useful!

Hey Joe: You should consider starting a security consulting business targeting corporations as clients. Robert

Good information. I've caught a lot of spoofing by looking at the email headers. Ones that I still have a question about, I'll call the company's customer service or tech support and ask if it is legitimate. One thing I found is Outlook will reveal the URL a control (like a button) is linked to by hovering over the control. Outlook will then print the URL on the status line.

Hello Thio Joe! What do you prefer: Cats or dogs iPhone or Android Spotify or Apple Music.

Thunderbird shows "reply to" in it's headers. In fact it shows everything you noted that the top popular mails apps don't. Open source wins again.

Thanks for getting rid of that bot in the previous video it was really annoying to see.

Very informative! Among so many bad videos, this is very good!

My approach is to treat each email that I receive as suspicious. This prompts me to do the security checks.

Very clear, easy-to-follow, intelligent information! I now appreciate facits of my gmail account I had no idea existed. Thank you!!

I use a open source spamfilter, I get like 97% less spam now.

I'd love to do these things, but can you leave links in the description for any tools that you've used to do this? I don't mind scrubbing through the clip, but I'm sure people would love a complete site list (in order or random).

I have an idea for a video: you should explain different types of viruses, worms, Trojans and what they are

*"Johnson! Why haven't you replied to any of the office emails?! What've you been doing all day?!!"* _"Just making sure you're not spoofing me sir."_

Thio: this video is 20+ minutes Video: 30 minutes

I used to have a website for a very small business. Thanks to this, if I do again I'll ensure standard email security is applied.

Why would they allowed to use non-ASCII characters in email address?

Thanks man!! you just saved me from a job scam! I was almost lost in finding if its legit, until I saw ur video. great work🙌

"Dear friend" in the subject line is a red flag

Been waiting for this video for so long , going to pass it to my 5 old niece , Thanks Joe

"It's a fake!" Or just use inbox filters...

Very important basic video for everyone using modern devices. Well, except for the lengthy end part filled with details about server signing.

"yes this is a 20+ minute video" the video: *30:32*

SPF - Sender Policy Framework DKIM - DomainKeys Identified Mail DMARC - Domain-based Message Authentication, Reporting & Conformance