Lesson 2.2

Screenshots Done Right

10 minutes

A screenshot captures what the attacker wanted you to see. That’s valuable context — the logo, the layout, the tone, the specific panic button the message is pressing — but only if you capture the right things, in the right order, with the right details still visible. A sloppy screenshot is worse than no screenshot, because it wastes a SOC analyst’s time without giving them anything to act on.

What to Capture

A useful phishing screenshot is a checklist, not an art project. Work through these in order:

  1. Sender display name AND full email address — expand the From field if your client has collapsed it into just the display name. Both are needed, because the display name is what fooled you and the real address is what proves it was a fake.
  2. Subject line — captured in the same frame as the sender if possible.
  3. Timestamp — the date and time the message was received, visible in your client.
  4. Full body — including logos, images, and formatting. If the message is long, take multiple screenshots and number them in the filename (phish-1-of-3.png, phish-2-of-3.png, etc.) so nothing gets dropped.
  5. Link previews — hover over any link in the message and screenshot the URL preview that appears at the bottom of your email client or browser. This is the single most valuable thing a screenshot can capture.
  6. Attachments — do NOT download them. Screenshot the attachment icon and filename as they appear in the message. The filename alone is often enough for threat intel.

What to Hide (Blur or Crop)

Your own identifying information should never leave your report. Before sending, blur or crop out:

  • Your email address in the To: field (if it’s a personal account, or reveals more than your org domain)
  • Your name in any salutation (“Dear Jane Doe” → blur “Jane Doe”)
  • Any personal data the attacker has included in the body — account numbers, partial addresses, anything the attacker harvested from a prior breach

Most modern screenshot tools include a redaction brush. If yours doesn’t, crop the sensitive region out before you send the image.

Your screenshot should be readable by a SOC analyst at a glance. If they can’t see the sender address AND the link URL, you need another screenshot.

Per-Platform Shortcuts

You don’t need a third-party app. Every major platform ships a native screenshot tool. Use the one you already have.

  Platform   Shortcut                  What it does
  macOS      Cmd+Shift+4               Click-and-drag selection
  macOS      Cmd+Shift+5               Window or full-screen capture with options
  Windows    Win+Shift+S               Snipping Tool — selection, window, or freeform
  iOS        Side button + Volume Up   Full screen capture
  Android    Power + Volume Down       Full screen capture

On desktop, selection mode (Cmd+Shift+4 or Win+Shift+S) is almost always the right choice — it lets you frame the exact region you need without a SOC analyst having to scan your whole desktop for context.

Attackers rely on link text and link destination being two different things. The text might say https://login.yourbank.com — the actual destination might be https://login.y0urbank-security-check.ru/xyz123. The only way to see the truth, without clicking, is to hover.

Here’s what that looks like in practice:

What the message shows: Click here to verify your account

What your mouse is doing: hovering over that link, not clicking

What appears at the bottom-left of your browser: https://verify-account-security-update.ru/p?r=ab34f

That URL — the one at the bottom-left — is what you screenshot.

This one screenshot captures the homograph domain, the redirect chain, or the obfuscated URL that the attacker spent effort trying to hide. It’s the closest thing to a confession a phishing message will ever give you. Capture it.
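The display-text-versus-destination trick described above, as an added Python example that is not part of this lesson: it runs the same comparison a hover reveals by hand over an HTML message body, assuming a constructed sample message whose links mirror the URLs quoted in the text.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Lowercase hostname of a URL-like string ('' if it has none)."""
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()


def check_links(html):
    """One finding per link: the real destination host, the text shown to the
    reader, and whether that text names a different host than the href."""
    p = LinkExtractor()
    p.feed(html)
    findings = []
    for href, text in p.links:
        real = host_of(href)
        # Only treat the visible text as a claimed host if it looks like one.
        shown = host_of(text) if "." in text and " " not in text else ""
        findings.append({"shown": text, "destination": real,
                         "mismatch": bool(shown) and shown != real})
    return findings


# Constructed sample body (not a real message); links mirror the lesson's examples.
SAMPLE = """<p>Dear customer,</p>
<a href="https://login.y0urbank-security-check.ru/xyz123">https://login.yourbank.com</a>
<a href="https://verify-account-security-update.ru/p?r=ab34f">Click here to verify your account</a>
<a href="https://www.yourbank.com/help">https://www.yourbank.com/help</a>"""

if __name__ == "__main__":
    for f in check_links(SAMPLE):
        print("MISMATCH" if f["mismatch"] else "ok      ", repr(f["shown"]), "->", f["destination"])
```

The second link is not flagged as a mismatch because its text makes no host claim at all; its real destination is still reported, which is exactly the value the hover preview shows.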

You were told to “report phishing” with no guidance on what a useful report looks like. Screenshots are half of it — the boring, necessary half.

Key Takeaways

  1. A useful screenshot shows the sender’s full email address, the subject, the timestamp, the body, and the hover-preview URL for any suspicious link.
  2. Blur or crop your own identifying information before sending the image — the SOC doesn’t need it.
  3. Every major platform has a native screenshot shortcut; use it instead of installing something new.
  4. The hover-preview screenshot is the single most valuable image in a phishing report — it captures the real link destination the attacker tried to disguise.