The Delete Mistake
Most people’s first instinct when they spot a phishing message is to delete it. It feels safe. It feels decisive. It’s also the single action that destroys the only copy of the evidence — and once it’s gone, no one gets it back.
Deleting is the mistake.
We spent a whole module explaining why your report matters. None of that works if the report arrives empty. The moment you hit delete, the full header block — the server-by-server chain that tells a SOC where the message actually originated — is gone. The original HTML, with its real link destinations sitting one hover away, is gone. The Message-ID that would let a SOC correlate your report with fifty others from the same campaign is gone. You can’t report what you don’t have. You can’t warn coworkers about a message you can’t produce. And the attacker’s campaign keeps running because no one submitted the evidence that would have shut it down.
Modern AI makes fakes look perfect, which means the old “spot and delete” instinct isn’t just outdated — it’s actively harmful. A convincing fake is exactly the fake that needs to be preserved.
Treat a suspicious message like a crime scene photo, not a spider in your house. You don’t stomp on evidence.
What Gets Lost When You Delete
Hitting delete doesn’t just hide the message from your inbox. It destroys the layers underneath the surface — the same layers you spent Module 1 learning about. Specifically:
- Full email headers — the server-by-server relay chain that shows where the message really originated
- Authentication results — the SPF, DKIM, and DMARC results that reveal whether the sender was spoofed
- Original HTML with real link destinations — once the message is gone, hovering to see where a link really points is impossible
- Message-ID — the unique identifier that lets a SOC correlate your report with other reports of the same campaign
- Attachments (if any) — the actual payload, which is the most valuable artifact for threat intelligence
Every one of those is recoverable for as long as the message sits in your inbox. None of them are recoverable once it’s gone.
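As an added example (not part of this lesson), here is a short Python triage script showing what a SOC can still pull from a message that was preserved and forwarded as an attachment: the Received chain in origin-to-inbox order, the SPF/DKIM/DMARC results, the Message-ID, and the real link destinations hiding behind the visible link text. The sample message, hostnames and addresses are constructed for the example.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample: a phishing message exactly as forward-as-attachment delivers it to a SOC.
SAMPLE_EML = """\
Received: from mail.example-internal.test (mail.example-internal.test [192.0.2.10])
 by mx.example.test with ESMTPS id abc123; Mon, 1 Jan 2024 10:00:02 +0000
Received: from unknown (HELO lookalike-bank.example) (198.51.100.7)
 by mail.example-internal.test with SMTP; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=lookalike-bank.example;
 dkim=none; dmarc=fail header.from=bank.example
Message-ID: <campaign-0042@lookalike-bank.example>
Content-Type: text/html; charset="utf-8"

<html><body><p>Please <a href="http://198.51.100.7/login">log in at bank.example</a></p></body></html>
"""

class LinkCollector(HTMLParser):
    """Record (visible text, real href) for each anchor: the evidence a hover would show."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def triage(raw):
    """Extract the artifacts the lesson says deletion destroys, from a preserved message."""
    msg = message_from_string(raw, policy=policy.default)
    squash = lambda s: re.sub(r"\s+", " ", str(s))
    # Every relay prepends its own Received line, so reversing yields origin -> inbox.
    hops = [squash(h) for h in reversed(msg.get_all("Received", []))]
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", squash(msg.get("Authentication-Results", ""))))
    collector = LinkCollector()
    body = msg.get_body(preferencelist=("html",))
    collector.feed(body.get_content() if body is not None else "")
    return {"message_id": str(msg.get("Message-ID")), "origin_hop": hops[0] if hops else None,
            "hop_count": len(hops), "auth": auth, "links": collector.links}

def mismatched(links):
    """Anchors whose visible text names a domain that the real destination host does not contain."""
    return [(t, h) for t, h in links if any(d.lower() not in (urlparse(h).hostname or "").lower()
                                           for d in re.findall(r"\b[\w-]+(?:\.[\w-]+)+\b", t))]
```

Run `triage(SAMPLE_EML)` to see the relay chain, the failed authentication results and the link whose text says one host while its destination is another; none of this survives once the message is deleted.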
The Reframe: Preserve First, Decide Second
The order matters. The T in TRACE — Take a Snapshot — comes before any decision about what to do with the message, because every other option stays open as long as the evidence is intact. Preserve first. Report second. Delete third, if at all.
You can always delete a message after you’ve captured it. You can’t undelete one. The cost of preserving a message you later decide to throw away is zero. The cost of deleting a message you later wish you’d kept is the entire investigation.
Two Tools, Two Jobs
The next two lessons teach the two preservation tools, and they’re not interchangeable. You need both.
- Screenshot = what you see. The surface evidence: the sender display name, the subject, the body, the formatting the attacker designed to manipulate you.
- Forward-as-attachment = what the email actually carries. The invisible layer: the full headers, the authentication results, the raw HTML, the Message-ID.
A screenshot alone is testimony without a crime scene. A forwarded attachment alone is a crime scene without a narrator. A complete report has both.
You were told to “just delete it.” That leaves nothing for IT to work with — and nothing for the next person who gets the same message.
Key Takeaways
- Deleting a phishing email destroys the headers, authentication results, link destinations, and Message-ID — none of which are recoverable.
- Preserve first, decide second. You can always delete a captured message; you can never undelete one.
- The TRACE order exists for a reason: every step after T depends on the evidence T preserves.
- A complete report needs two artifacts — a screenshot (surface) and a forwarded attachment (hidden layer). Either one alone is half a report.