What is the best way to respond to phishing emails sent from a government domain?

It is likely that the From header has been forged. I get emails from fake .govs quite often; mostly they end up in my spam filter. The hyperlink within is either unique, allowing tracking, or just delivers malware. Most of the time I just ignore these.

If you believe that the header is not forged, then you can typically contact the agency by Googling their name and "Webmaster" or "Contact Us" or other such things. Do not use the phishing email; it is almost certainly fake.


You should respond to phishing from .gov addresses the same way you respond to any other sort of phishing - you don't.

Don't reply to the e-mail, don't click links, don't open attachments, don't do anything the e-mail asks you to do.

If you really want to be generous, check the WHOIS records for the domain the message claims to come from. That may have information on where to send abuse reports. You can also check the government agency's homepage for a technical contact address.

If those don't help, and you don't mind taking a shot in the dark, you could throw a message to abuse@ or spam@ on the domain the mail claims to be from. These are common accounts used by incident response teams in many organizations for exactly this purpose.

If you do find a point of contact, remember to forward the message as an attachment - not just inline. This allows the response team to see the message headers and gather additional metadata that wouldn't otherwise be available.

Be careful in what you claim, though. As others have mentioned, it's very possible the message did not even originate from the domain you think it did. Simply state that you received the suspicious e-mail, and that it appears to have come from their domain. Let them work out whether it actually did, and to what level (if any) their accounts/systems are actually compromised.


"I'd like to let the agencies involved know that they have compromised accounts"

This is not likely to be true.

Unencrypted, unsigned email is not a secure system; it's based on data that the mail client provides. That data is assumed to be accurate. This design allows an attacker to forge the header data (in this case the From header), and the recipient's email client will assume that data is authoritative.

Therefore, it is less likely that the agencies have compromised accounts, and more likely that the person who sent those phishing emails set the From header to a government mail address and hoped the recipient was gullible enough to believe it.
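Two of the points above can be shown in a few lines of Python: checking whether the visible From header was actually authenticated by the receiving server (Return-Path and Authentication-Results are what the forged header cannot control), and wrapping the message as a message/rfc822 attachment so an abuse contact gets the full headers. This is an added example, not code from the thread; the sample message, its .example domains and the report addresses are all constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample: the visible From claims a government domain, but the
# envelope sender and the receiving server's SPF/DKIM results point at a bulk
# mailer. All domains use the reserved .example TLD.
SUSPICIOUS = b"""\
Return-Path: <bounce@bulkmail.example>
Authentication-Results: mx.recipient.example;
 spf=fail smtp.mailfrom=bulkmail.example; dkim=none
From: "Benefits Office" <benefits@agency.gov.example>
To: victim@recipient.example
Subject: Action required on your account
"""

def address_domain(value) -> str:
    """Lowercased domain of an address header ('' if missing or unparsable)."""
    return parseaddr(str(value or ""))[1].rpartition("@")[2].lower()

def auth_results(msg) -> dict:
    """method=result pairs (spf/dkim/dmarc) from Authentication-Results headers."""
    pairs = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr)):
            pairs[method] = result.lower()
    return pairs

def assess(raw: bytes) -> dict:
    """Indicators that the visible From was forged rather than sent by that domain."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_dom, rp_dom = address_domain(msg["From"]), address_domain(msg["Return-Path"])
    auth, findings = auth_results(msg), []
    if rp_dom and rp_dom != from_dom:  # envelope sender does not match visible From
        findings.append(f"return-path domain {rp_dom} != from domain {from_dom}")
    for method in ("spf", "dkim"):  # anything but an explicit pass is a red flag
        if auth.get(method, "missing") != "pass":
            findings.append(f"{method}={auth.get(method, 'missing')}")
    return {"from_domain": from_dom, "return_path_domain": rp_dom,
            "auth": auth, "findings": findings}

def package_for_report(raw: bytes, to_addr: str, from_addr: str) -> EmailMessage:
    """Forward the original as a message/rfc822 attachment so its headers survive."""
    report = EmailMessage()
    report["From"], report["To"] = from_addr, to_addr
    report["Subject"] = "Suspicious e-mail that appears to come from your domain"
    report.set_content("The attached message appears to come from your domain; "
                       "its original headers are preserved in the attachment.")
    report.add_attachment(message_from_bytes(raw, policy=policy.default))
    return report
```

A clean SPF/DKIM pass for the From domain still does not prove an account compromise, only that the sending infrastructure was allowed to use that domain; the findings list is what you hand to the agency, not a conclusion.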