Besides the general rules (using anti-virus and anti-spyware software and a firewall, keeping the operating system and third-party applications updated, and so on), there are some particular guidelines for e-mail security.
Use e-mail auto-replies with caution. Auto-replies may confirm to spammers that your e-mail address is valid and active. They also inform thieves that you are not home.
Double-check in order to confirm information you received via e-mail. Verify links, and verify the authenticity of the information and the sender, by referring to sources other than the e-mail itself. Copying the subject line or some text from a suspicious e-mail and pasting it into the Google search bar will often do the trick by listing forum discussions and articles about it that confirm it as a scam or hoax. Be wary of unsolicited messages promising wealth, alerting, scaring, intimidating or tempting you into clicking a link or transferring money, messages from someone in distress who strangely had no other way of contacting you but e-mail, and so on.
Mark spam messages. Most web-based e-mail services use blacklists of spammers and automatically redirect spam messages into the Spam folder. You can also “teach” your e-mail service to treat a suspicious message that arrived in your Inbox as spam by flagging it as such – that address will not bother you again.
Use e-mail forwarding with caution. Look for the signs of e-mail scams and hoaxes that beg for forwarding: SHOUTING (writing in capital letters means you’re shouting and is not a polite thing to do in Internet etiquette), multiple exclamation marks, chain letters (“forward it to 70 people or else you’ll have bad luck for seven years”). Indiscriminately forwarding e-mail messages increases spam activity.
Use caution when responding to e-mails. Avoid responding to spammers, scammers and hoax messages by learning to identify them as such. The Internet only seems more complicated; in reality there are still people behind Internet interactions. If you know your friends and acquaintances, then you can tell whether they would really be in Nigeria asking you for money because they have been robbed, or whether it is just a scam. Confirm information by copying and pasting the e-mail subject or small portions of text into a search engine – usually the search results will reveal plenty of people and IT experts discussing that particular spam, malware or hoax and confirming it as such.
Writing e-mails. Respect Internet etiquette (no SHOUTING and so on), write meaningful subject lines, and basically express yourself as you would in real life, while keeping in mind the slight differences between online and offline communication. Avoid attaching or forwarding strange or suspicious files (some servers do not accept .exe attachments), and stick with plain text if the message doesn’t specifically require other content.
Keep track of your newsletter subscriptions. Keep the Welcome messages you received when subscribing to a newsletter and place them in a designated folder. These messages contain information that you might need later on (including how to unsubscribe) and help you identify the newsletters as solicited e-mail.
Test your e-mail security. If you are using an e-mail account on your own Internet domain, there are various online services that test e-mail security and inform you about the glitches and vulnerabilities they find. It is a good idea to do so, since e-mail is a common gateway for spam, malware and scamming attempts. Here are some of the most popular e-mail security tests online:
Learn how to identify phishing e-mails. E-mail is not a secure way of sharing sensitive information – most e-mails are not encrypted. For security reasons, businesses you are registered with (especially IT security services) will never ask you to e-mail such information.
- Look at the sender. Have you given your e-mail address to that company before? Did you establish a relationship with it (registered account, newsletter subscription and so on)? Do you know the sender? If you do, is there anything out of place in the e-mail content? Look for inconsistencies between the e-mail sender, recipients, subject line, message body, message purpose and links. Why would a sender who does not know you personally ask for confidentiality?
- Look at the spelling, grammar and tone of the message. Is it the approach a legitimate business would use? Generally, look for anything out of place.
- Look at the links within the e-mail. Double-check them without clicking on them and look for typo-squatting. Check the authenticity of the links. Even if they look like an anonymous “Click Here” or like a seemingly legitimate “https://www.paypal.com/cgi-bin/webscr?cmd=_login-run” – what you see on the screen is just the link’s display text in the HTML, and it can be made to look like anything the writer wants; the real destination is in the link’s address. Hover your mouse over the link or copy the link address (a right-click option in most browsers), paste it into a plain text document and analyse it carefully. This is the real link behind the “Click here” or apparently legitimate login link you see in the e-mail message. Is it a domain you recognize? Does it contain strange characters, numbers or IP addresses?
- Understand domain names. Are the dots where they should be? The domain is the name that comes immediately before the .com/.org/.edu/.info and so on; anything other than the known domain name should not be there. If the domain name of your bank is bank.com, then it should not contain any additional slashes, underscores, numbers or letters. These are examples of phishing links for bank.com: [email protected], www.bank-com.com, www.bankcom.com, www.bank.com.online.to, www.bank.securebank.com (in the last two cases, the domains are online.to and securebank.com, and that is where the link goes). The legitimate domain name of bank.com should always end in bank.com.
- Understand subdomain names. What sometimes appears before a domain (such as bank.com) is called a subdomain and should not be mistaken for a domain: the subdomain “secure” in secure.bank.com belongs to the bank.com domain, while the subdomain “bank” in bank.secure.com belongs to the secure.com domain. So clicking on the first link takes you to the bank.com domain, while clicking on the second takes you to the secure.com domain. In addition, some browsers show the domain name in bold in the address bar, making it easier to identify. As a general rule, don’t use links in e-mails to log in to your online bank account, or any other account for that matter. Instead, type the web address into the browser’s address bar yourself and log in from there.
- Look at the content. Does it sound too good to be true? Are you asked to pay a modest amount of money in order to receive much more? Are you asked to urgently pay money or provide sensitive personal information (credit card, account details, passwords and so on), even if it seems to be for all the right reasons (“We’re your bank and need you to update your details”, “I’m a friend in distress and I need you to transfer me money”)? Does it look like you won a free screensaver in a contest you never entered, or because you were the 1.000.000th visitor of a website? Double-check in ways other than replying to the e-mail (by phone, or by manually entering the address of your real bank in the browser’s address bar, logging in there and verifying whether the bank issued any security alert – and finding out that it didn’t).
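The link checks described above (real address versus display text, the “user@host” trick, raw IP addresses, and whether the host really ends in the legitimate domain at a dot boundary) can be automated. The following is an added example written for this page, not code from the original article: it parses the anchors out of a constructed HTML e-mail body and lists the reasons each link looks suspicious relative to an assumed legitimate domain `bank.com`. The sample e-mail, the hosts in it and the `198.51.100.7` address are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed legitimate domain the e-mail claims to come from (constructed).
LEGIT_DOMAIN = "bank.com"

# Constructed HTML fragment standing in for a phishing e-mail body.
SAMPLE_EMAIL_HTML = """
<p>Dear customer,</p>
<p>Please <a href="http://www.bank.com.online.to/login">Click Here</a> to confirm.</p>
<p>Or visit <a href="https://www.bank-com.com/cgi-bin/login">https://www.bank.com/cgi-bin/login</a></p>
<p>Help: <a href="https://secure.bank.com/help">secure.bank.com</a></p>
<p>Hidden: <a href="http://www.bank.com@198.51.100.7/x">www.bank.com</a></p>
"""

class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links

def _split(url):
    # urlsplit only recognises the host when a scheme is present.
    return urlsplit(url if "://" in url else "http://" + url)

def hostname_of(url):
    """The host a browser would actually connect to (after any user@ part)."""
    return (_split(url).hostname or "").lower()

def belongs_to(host, domain):
    """True iff host is the domain itself or a subdomain of it.
    The dot boundary matters: www.bank.securebank.com is NOT under bank.com."""
    return host == domain or host.endswith("." + domain)

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
LOOKS_LIKE_HOST = re.compile(r"[a-z0-9-]+\.[a-z]{2,}", re.I)

def analyse_link(href, text, legit=LEGIT_DOMAIN):
    """Return the reasons a link is suspicious; an empty list means it looks ok."""
    reasons = []
    parts = _split(href)
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        reasons.append("text before @ is user info, not the host; real host is %r" % host)
    if IPV4.match(host):
        reasons.append("host is a raw IP address")
    if not belongs_to(host, legit):
        reasons.append("host %r is not under %s" % (host, legit))
    # Display text that looks like a web address but names a different host.
    shown = hostname_of(text) if LOOKS_LIKE_HOST.search(text) else ""
    if shown and shown != host and not belongs_to(shown, host):
        reasons.append("displayed %r but the link goes to %r" % (shown, host))
    return reasons

def scan_email(html, legit=LEGIT_DOMAIN):
    """Analyse every link in an HTML e-mail body."""
    return [(href, text, analyse_link(href, text, legit))
            for href, text in extract_links(html)]

if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL_HTML):
        verdict = "OK" if not reasons else "; ".join(reasons)
        print("%-45s %-40s %s" % (href, text or "(no text)", verdict))
```

Only the `secure.bank.com` link passes: it is a subdomain of the legitimate domain, and its display text matches its destination. The suffix test with a leading dot is the part people most often get wrong when checking by eye; a plain substring search for `bank.com` would accept every one of the other three.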