diff --git a/lib/jwt/decode.rb b/lib/jwt/decode.rb
index c44f755f..784f6719 100644
--- a/lib/jwt/decode.rb
+++ b/lib/jwt/decode.rb
@@ -33,12 +33,12 @@ def decode_segments
     private
 
     def verify_signature
-      @key = find_key(&@keyfinder) if @keyfinder
-      @key = ::JWT::JWK::KeyFinder.new(jwks: @options[:jwks]).key_for(header['kid']) if @options[:jwks]
-
       raise(JWT::IncorrectAlgorithm, 'An algorithm must be specified') if allowed_algorithms.empty?
       raise(JWT::IncorrectAlgorithm, 'Expected a different algorithm') unless options_includes_algo_in_header?
 
+      @key = find_key(&@keyfinder) if @keyfinder
+      @key = ::JWT::JWK::KeyFinder.new(jwks: @options[:jwks]).key_for(header['kid']) if @options[:jwks]
+
       Signature.verify(header['alg'], @key, signing_input, @signature)
     end
 
diff --git a/spec/jwt_spec.rb b/spec/jwt_spec.rb
index 0fd5e64b..0941f2c4 100644
--- a/spec/jwt_spec.rb
+++ b/spec/jwt_spec.rb
@@ -299,6 +299,16 @@
         end.not_to raise_error
       end
 
+      it 'should raise JWT::IncorrectAlgorithm on mismatch prior to kid public key network call' do
+        token = JWT.encode payload, data[:rsa_private], 'RS256'
+
+        expect do
+          JWT.decode(token, nil, true, { algorithms: ['RS384'] }) do |_,_|
+            # unsuccessful keyfinder public key network call here
+          end
+        end.to raise_error JWT::IncorrectAlgorithm
+      end
+
       it 'should raise JWT::IncorrectAlgorithm when algorithms array does not contain algorithm' do
         token = JWT.encode payload, data[:secret], 'HS512'