Introducing TRACE
You already know PUSHED — the framework for feeling an attack land on you emotionally. You’ve practiced VERIFY — the habit of confirming a message through a separate channel before you act on it. TRACE is the third beat: once you know something is suspicious, you gather the evidence and report it so the attack stops spreading to the next person.
PUSHED protects your feelings. VERIFY protects your next move. TRACE protects everyone else.
PUSHED → VERIFY → TRACE
The three frameworks line up in sequence. Each one answers a different question, and each one puts you in a different mode.
| Framework | Question | Mode |
|---|---|---|
| PUSHED | “What am I feeling?” | Emotional |
| VERIFY | “Can I confirm through a separate channel?” | Behavioral |
| TRACE | “What evidence can I gather so others don’t fall for this?” | Investigative |
PUSHED is the internal alarm. VERIFY is the action you take in the moment. TRACE is what you do after the immediate danger is handled — the part most people skip, and the part that actually dismantles attacker infrastructure.
The TRACE Framework
TRACE is five steps. Each one is a module in this course.
| Letter | Verb | What It Means |
|---|---|---|
| T | Take a snapshot | Preserve the evidence — screenshot + forward-as-attachment. |
| R | Reveal the real | Find the “View Original” button. Three lines tell you 90% of what you need. |
| A | Authenticate the sender | Did it actually come from who it claims? SPF/DKIM/DMARC in one question: pass, fail, or missing? |
| C | Check the landing | Where does the link actually go? Hover, copy, unshorten, sandbox — without clicking. |
| E | Escalate | Report properly — to IT, APWG, brand abuse mailboxes, FTC/IC3. |
T — Take a Snapshot
Before you do anything else, preserve what you’ve got. The message in front of you is a piece of evidence, and evidence disappears: mail clients auto-purge spam folders, attackers pull down domains, images stop loading, links rotate. A screenshot captures what the surface looked like. Forwarding as an attachment wraps the original message, headers and all, inside a new one, so the invisible layer survives the handoff; an ordinary inline forward rewrites the headers and throws away the ones that matter. In Module 2, you’ll learn exactly how to capture both without tipping off the attacker or destroying the data.
R — Reveal the Real
Nearly every mail client has a “View Original”, “Show Original” or “View Source” option that exposes the full raw message, headers included. Most people have never clicked it. You don’t need to read the whole thing: three specific lines at the top tell you almost everything that matters. In Module 3, you’ll learn to find those lines in every major email client and paste the raw headers into a free analyzer that translates them into plain English.
A — Authenticate the Sender
SPF, DKIM, and DMARC are three checks a receiving mail server runs during delivery and records in the message’s Authentication-Results header. SPF asks whether the sending server is allowed to send for the envelope sender’s domain; DKIM asks whether a signature over the message verifies against a key the signing domain publishes; DMARC ties those two results to the domain in the visible From header and says what to do when neither lines up. They collapse into one question you can actually use: did this message pass, fail, or have no record at all? A fail or a missing record is a loud signal, and you don’t need to understand the cryptography to read the result. One caveat: ordinary forwarding breaks SPF and some mailing-list software breaks DKIM, so a single failed mechanism on legitimate mail is common; the DMARC result, which needs only one aligned pass, is the line to read. In Module 4, you’ll learn to spot the pass/fail outcome and what each combination actually means.
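The R and A steps above, as an added example that is not part of the original course material: a small Python triage script that parses a raw message with the standard library, pulls out the lines that tell the story (Return-Path, visible From, the earliest Received hop, Authentication-Results), reduces each of spf/dkim/dmarc to a single word, and checks whether a mechanism that passed is actually aligned with the From domain. The sample message, its hosts, addresses and IP addresses are constructed for this example (documentation ranges, `.example` domains); the relaxed alignment rule and the mapping of the “none” result to the page’s word “missing” are this example’s choices.

```python
"""Reveal the real, then authenticate: pull the few header lines that tell
the story out of a raw message and reduce Authentication-Results to
pass / fail / missing, with alignment against the visible From domain."""
import email
import re
from email.utils import parseaddr

# Constructed sample message for this example. Hosts, addresses and IPs are
# hypothetical (documentation ranges); nothing here is from the original page.
RAW_MESSAGE = """\
Return-Path: <bounce@mail-docusgn-notify.example>
Received: from mx.corp.example (mx.corp.example [203.0.113.10])
    by inbound.corp.example with ESMTPS id abc123
    for <you@corp.example>; Tue, 04 Jun 2024 09:12:44 +0000
Received: from mail-docusgn-notify.example (mail-docusgn-notify.example [198.51.100.77])
    by mx.corp.example with ESMTP id def456;
    Tue, 04 Jun 2024 09:12:43 +0000
Authentication-Results: mx.corp.example;
    spf=fail (sender IP is 198.51.100.77) smtp.mailfrom=mail-docusgn-notify.example;
    dkim=fail (signature did not verify) header.d=docusign.net;
    dmarc=fail (p=reject) header.from=docusign.net
From: "DocuSign" <dse@docusign.net>
To: you@corp.example
Subject: Please DocuSign: Contract_Q2.pdf
Content-Type: text/plain

Please review and sign the contract.
"""

def _unfold(value):
    """Join folded header continuation lines into a single line."""
    return re.sub(r"\s+", " ", value or "").strip()

def reveal(raw):
    """The lines that tell most of the story: envelope sender (Return-Path),
    visible From, the earliest hop that handed the message in, and the
    receiver's Authentication-Results line."""
    msg = email.message_from_string(raw)
    received = [_unfold(r) for r in msg.get_all("Received", [])]
    # Each hop prepends its own Received header, so the last one in the list
    # is the earliest hop: the server our side first accepted the mail from.
    earliest = received[-1] if received else ""
    hop = re.search(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", earliest)
    return {
        "return_path": parseaddr(msg.get("Return-Path", ""))[1],
        "from": parseaddr(msg.get("From", ""))[1],
        "origin_host": hop.group(1) if hop else None,
        "origin_ip": hop.group(2) if hop else None,
        "hops": len(received),
        "auth_results": _unfold(msg.get("Authentication-Results")),
    }

def parse_auth_results(auth_header):
    """One word per mechanism. RFC 8601's 'none' (no record published) and a
    mechanism the receiver never evaluated both become 'missing'."""
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(r"\b%s=(\w+)" % method, auth_header or "", re.I)
        result = m.group(1).lower() if m else "missing"
        verdicts[method] = "missing" if result == "none" else result
    return verdicts

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if addr else ""

def _aligned(candidate, from_domain):
    """Relaxed DMARC alignment: same domain or a subdomain of the From domain."""
    return bool(candidate) and (
        candidate == from_domain or candidate.endswith("." + from_domain)
    )

def authenticate(raw):
    """Answer the one question (pass / fail / missing) and show which
    underlying mechanism, if any, passed *and* lines up with the From domain.
    A failed DKIM signature's d= claim proves nothing, so only a pass counts."""
    facts = reveal(raw)
    auth = facts["auth_results"]
    verdicts = parse_auth_results(auth)
    from_domain = _domain(facts["from"])
    mailfrom = re.search(r"smtp\.mailfrom=([^\s;]+)", auth, re.I)
    dkim_d = re.search(r"header\.d=([^\s;]+)", auth, re.I)
    spf_domain = _domain(mailfrom.group(1)) if mailfrom else ""
    dkim_domain = dkim_d.group(1).lower() if dkim_d else ""
    facts["verdicts"] = verdicts
    facts["aligned_pass"] = {
        "spf": verdicts["spf"] == "pass" and _aligned(spf_domain, from_domain),
        "dkim": verdicts["dkim"] == "pass" and _aligned(dkim_domain, from_domain),
    }
    # DMARC is what ties SPF/DKIM to the visible From, so its result is the
    # one-word answer; aligned_pass explains why it came out that way.
    facts["answer"] = verdicts["dmarc"]
    return facts

if __name__ == "__main__":
    report = authenticate(RAW_MESSAGE)
    for key in ("return_path", "from", "origin_host", "origin_ip", "hops",
                "verdicts", "aligned_pass", "answer"):
        print(f"{key:>13}: {report[key]}")
```

On the constructed message the script shows the envelope sender and the earliest hop on a domain unrelated to the visible From, all three mechanisms failing, and `answer: fail`; on a message with no Authentication-Results line at all it reports every mechanism as `missing`, which is the page’s other loud signal. Real header analyzers do the same reduction with many more edge cases (multiple Authentication-Results lines from different hops, ARC chains), which is why the module points you at one.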
C — Check the Landing
Every link in a phishing email has a visible label and a real destination, and those two things rarely match. The trick is inspecting the destination without ever visiting it: hovering to read the real href, copying it out, unwrapping shorteners and redirectors, and handing suspicious URLs to a free sandbox that opens them on your behalf. Don’t “just check” with your own browser or a quick fetch from your workstation: a unique tracking parameter registers as a click the moment anything requests it. In Module 5, you’ll learn to trace any link to its actual endpoint without loading it in your own browser.
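The C step above, as an added example that is not part of the original course material: a Python script that lists every link in an HTML body, peels off redirect-wrapper parameters without sending any request, punycode-decodes the host so homoglyphs show their real characters, and flags two things a practitioner looks for first: anchor text that names one domain while the href goes to another, and hosts that imitate a brand (the brand as a subdomain of something else, or a registrable domain within one edit of it). The HTML body, every domain in it, and the `BRAND_DOMAINS` list are constructed for this example; the registrable-domain guess is deliberately crude (last two labels) and a production tool would use the public suffix list and a sandbox or unshortening service for the network side.

```python
"""Check the landing without loading it: list every link in an HTML body,
unwrap redirect wrappers offline, decode punycode, and compare where the
anchor text claims to go with where the href really goes."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse
# Hypothetical homoglyph host, built here so the punycode is right: the first "o" is Cyrillic U+043E.
PUNY_HOST = "d\u043ecusign.example".encode("idna").decode("ascii")
BRAND_DOMAINS = ("docusign.net", "docusign.com")  # assumed brand list for this example
# Constructed HTML body for this example (hypothetical domains, not from the page).
HTML_BODY = f"""
<p>Your colleague sent you a document to review and sign.</p>
<p><a href="https://docusign.net.review-docs.example/s/7f2a?uid=8b1c">Review Document</a></p>
<p><a href="https://docusign.net/">docusign.net</a></p>
<p><a href="https://r.example/go?url=https%3A%2F%2Fd0cusign-login.example%2Fauth">Help center</a></p>
<p><a href="http://{PUNY_HOST}/">https://docusign.net/support</a></p>
"""
class _LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def unwrap_redirect(url):
    """Peel ?url=https://... style wrappers down to the innermost URL, offline."""
    seen = set()
    while url not in seen:
        seen.add(url)
        inner = [v[0] for v in parse_qs(urlparse(url).query).values()
                 if v and v[0].lower().startswith(("http://", "https://"))]
        if not inner:
            break
        url = inner[0]
    return url

def display_host(host):
    """Punycode-decode so a homoglyph host shows the characters it really uses."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host

def _registrable(host):
    # Crude guess (last two labels); a production tool would use the public suffix list.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def _edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_reason(host, brands=BRAND_DOMAINS):
    """Why this host resembles a protected brand; None if it is the brand or unrelated."""
    shown = display_host(host).lower()
    reg = _registrable(shown)
    if reg in brands:
        return None
    for brand in brands:
        if shown.startswith(brand + ".") or "." + brand + "." in shown:
            return f"{brand} used as a subdomain of {reg}"
        for token in reg.split(".")[0].split("-"):
            if _edit_distance(token, brand.split(".")[0]) <= 1:
                return f"{reg} is within one edit of {brand}"
    return None

def check_links(html, brands=BRAND_DOMAINS):
    """Per link: claimed destination, real destination, and the flags to act on."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        final = unwrap_redirect(href)
        host = urlparse(final).hostname or ""
        claimed = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text, re.I)
        claimed_host = claimed.group(1).lower() if claimed else None
        findings.append({
            "text": text, "href": href, "final_url": final, "host": host,
            "shown_host": display_host(host), "claimed_host": claimed_host,
            "text_mismatch": bool(claimed_host) and _registrable(claimed_host) != _registrable(host),
            "redirect_unwrapped": final != href,
            "lookalike": lookalike_reason(host, brands),
        })
    return findings

if __name__ == "__main__":
    for f in check_links(HTML_BODY):
        print(repr(f["text"]), "->", f["shown_host"], f["lookalike"] or "",
              "(text and href disagree)" if f["text_mismatch"] else "")
```

Run against the constructed body, the one genuine `docusign.net` link comes back clean, the “Review Document” button is flagged because the brand is only a subdomain of `review-docs.example`, the “Help center” link unwraps to a typosquat hidden inside a `?url=` parameter, and the last link is flagged twice: its text names `docusign.net` while its host, once decoded, is a homoglyph of the brand. None of this touched the network; the sandbox step is what you do next with the `final_url` values.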
E — Escalate
A report only works if it lands in the right inbox with the right evidence attached. Your SOC wants one thing. APWG wants another. The brand being impersonated has its own abuse address. The FTC and IC3 exist for the consumer-facing side. Knowing which report goes where is the difference between an email that gets acted on and an email that gets ignored. In Module 6, you’ll learn which destinations matter, what to send to each, and how to write a report that actually gets used.
When to Use TRACE (and When Not To)
TRACE takes about ten minutes when you do it well. That’s a meaningful time investment, and it isn’t always the right call. Use this split to decide.
Use TRACE when:
- VERIFY confirmed the message is fake, and you want to feed evidence into the pipeline that takes down the campaign.
- You can't verify the message but it's high-risk — targeted at money, credentials, executives, or sensitive systems.
- You're the security-aware person in your org, team, or family, and others are getting similar messages. Your report is the one that kicks off a takedown.
Don't use TRACE when:
- VERIFY confirmed the message is legitimate. No evidence to gather — you're done.
- You're in immediate danger (active compromise, wire transfer in motion, credentials already entered). Delete, block, call your SOC or bank, move on. TRACE later if there's time.
- You don't have ten minutes. Jump straight to step E — forward the message to your SOC or reporting address and let someone with the time do the rest. A partial TRACE is still a contribution.
A Worked Example
You get an email that looks like a DocuSign request from a colleague, asking you to sign a contract. You feel a small nudge of urgency (PUSHED) and call the colleague on Slack to ask about it (VERIFY). They didn’t send anything. Now what?
T — Take a snapshot. You screenshot the message as it appears in your inbox, then forward it as an attachment to your SOC address so the headers survive the handoff. The evidence is preserved before you touch anything else.
R — Reveal the real. You open “Show Original” in Gmail. Three lines near the top tell the story: the message was handed in by a server with no relationship to DocuSign, from a domain that a WHOIS lookup shows was registered eleven days ago.
A — Authenticate the sender. The Authentication-Results block reads spf=fail, dkim=fail, dmarc=fail. The receiving mail server had everything it needed to know this wasn’t really DocuSign; it delivered the message anyway because your gateway doesn’t enforce rejection on DMARC failures.
C — Check the landing. The “Review Document” button is dressed up to look like it leads to docusign.net. Hovering without clicking reveals the real href: a lookalike on a typosquatted domain, carrying a tracking parameter that would have fingerprinted you on click. You submit the URL to a sandbox service, which fetches it on your behalf, and confirm it serves a credential-harvesting page styled to look like a Microsoft 365 login.
E — Escalate. You file one report with your SOC (forward-as-attachment, with a two-line note). You file a second report with APWG so the domain lands on industry blocklists. You notify DocuSign’s abuse address because their brand is being impersonated. Ten minutes of work. One email. A campaign starts getting dismantled.
That’s the whole course, in miniature. Every module teaches one of those letters in full detail.
Your training told you to look for bad grammar to spot phishing. Modern AI generates grammatically flawless phishing. We do something different: we preserve evidence, read what a message actually carries, and report it. That's TRACE.
Key Takeaways
- TRACE is the third framework in the sequence: PUSHED (feel the attack), VERIFY (confirm through a separate channel), TRACE (gather evidence and report so others don’t fall for it).
- The five letters are Take a snapshot, Reveal the real, Authenticate the sender, Check the landing, Escalate — one module per letter, in order, for the rest of this course.
- Use TRACE when a message is confirmed fake or high-risk and you have ten minutes. Skip it when the message is legitimate, when you’re in immediate danger, or when you only have time for step E.
- Modern AI makes the surface of a phishing email flawless. TRACE works because it lives in the invisible layer — evidence the attacker can’t polish away.