With its increased popularity, e-mail has become subject to a wide variety of security threats. As a result, using e-mail safely is a key part of keeping your computer and personal information safe. Unsolicited commercial e-mail (or "spam") has grown into a serious obstacle to communication and also carries the threat of identity theft, with "phishing" attacks attempting to steal banking website passwords and other valuable personal information. Viruses and worms spread largely through e-mail, often disguised as messages from friends, family and business associates. Together these threats make the inbox more dangerous than ever.
Recommendations
ICT recommends that you always use caution when using e-mail. In addition, taking the following steps can help you use e-mail safely and help keep your computer and personal information safe.
- Configure your e-mail client to handle messages securely.
- Install the latest security patches and updates available for your e-mail client (e.g. Outlook, Thunderbird, Apple Mail, etc.).
Security flaws in e-mail software can allow viruses and worms to spread automatically, without any action on your part. Security patches and updates repair known flaws.
If you use a client that is no longer supported by the vendor, upgrade to one that is supported so that you can keep your software up to date.
If you use a web browser to access your e-mail (e.g. PAWS webmail), make sure that the browser is up to date as well.
- Ensure your connection for sending and receiving e-mail is encrypted, so that your username and password are protected when sent over the network. This is particularly important when connecting over the public Internet.
All newer e-mail clients have an option to turn on encryption (labelled SSL or TLS; TLS is the current protocol and SSL is its older name). This option is sometimes found in the "Advanced Configuration" or "More Settings" area of your e-mail client. Where the client offers a choice, select the setting that requires encryption rather than one that uses it only "if available", so that the client refuses to send your password over an unencrypted connection.
If you use a web browser to access your e-mail, check that the website address begins with "https" instead of "http" and that the browser shows no certificate warning, to confirm that your connection is encrypted.
- Disable the preview pane in your e-mail client. This prevents messages from displaying automatically when you scroll past them. Merely viewing a message can allow viruses to run and lets spam confirm that your e-mail address is "live."
Turning off the preview pane prevents this and lets you safely delete these messages without opening them.
- Disable the automatic display of images in your e-mail client. Images in a message are often fetched from a remote server at the moment the message is displayed; turning off automatic display prevents that download of potentially malicious content and stops the sender learning that you opened the message.
- Keep your e-mail address out of spammers' hands.
Spammers continually trade and combine lists of e-mail addresses. Because of this, once your address falls into their hands, it is essentially impossible to stop receiving spam.
You can minimize the spam you receive by managing your e-mail address as if it were a valuable piece of personal information.
Regardless of how well you protect your e-mail address, you will almost certainly receive some spam. The U of S operates a campus-wide spam filter that does a reasonable job of preventing spam from reaching your U of S e-mail inbox.
Once a day it sends out a summary for each address and alias that has quarantined spam. Occasionally legitimate messages are quarantined, so check your quarantine summaries periodically to ensure that you do not miss any legitimate messages. You can release legitimate messages that have been quarantined.
- Do not publish (or let others publish on your behalf) your personal e-mail address on publicly viewable websites (e.g. blogs, membership lists, etc.). It is simple for spammers to automatically collect e-mail addresses from websites.
If you need to publish an e-mail address for contact purposes, use a generic alias like "support@" or "info@" that forwards to your unpublished e-mail address.
You will still receive spam at the alias, but it will be easier to filter it out from your other messages.
- Do not click on "unsubscribe" links found in spam or reply to spam asking to be removed. This only confirms that your e-mail address is "live" and will result in more spam.
Similarly, spam messages can contain embedded images that, when viewed, "call home" to confirm your address. (See the notes above on disabling the preview pane and the automatic display of images.)
If you recall signing up for a mailing list from a reputable company and wish to be removed, it is probably safe to use their unsubscribe links.
- Carefully read every part of the sign-up form if you need to provide an e-mail address as part of a website registration. Remember to opt out of communication you do not want to receive by checking or un-checking the appropriate box (sites operate both ways).
Also ensure that you do not give permission for your address to be shared with "partners" of the site.
While the site you sign up with may be reputable, there is no guarantee that all their partners will be.
- Review website privacy statements when you provide your e-mail address to ensure that your personal data will not be used in ways that you do not agree with.
- Consider using a secondary or "throw-away" e-mail address for website registrations. Free addresses from Google, Hotmail, etc. can be used to confirm registration if you are concerned about using your primary address.
- Do not take the bait: recognize "phishing" scams
The past few years have seen the rise of a particularly dangerous type of spam, designed to trick users into revealing sensitive personal information, particularly login credentials for financial institutions and other high-value sites.
So-called "phishing" scams target people with fraudulent e-mail messages claiming to be from their bank, credit card provider, or another company they trust.
These messages encourage people to log into a website that may, at first glance, appear to be that of the legitimate company. In fact they are logging into a fraudulent site under the control of a con artist.
The site captures any information provided (username, password, credit card number, etc.) and allows the con artist to masquerade as the victim, either to steal from them or to commit further crimes in their name.
These scams have become increasingly sophisticated, and often use graphics and text from the true website to lend an air of authenticity to the fraudulent site and e-mail.
Links in the e-mail will appear to point to the valid site, but may actually direct the user to a numeric address or to a site with a similar-looking domain name (e.g. www.royal-bank.ca instead of www.royalbank.ca).
Recognizing a phishing scam is the easiest way to avoid being caught. Look for some standard clues in any suspicious e-mail you receive:
- A generic salutation, such as "Dear Customer." When con artists send out millions of phishing e-mail messages, they usually do not have your first and last name.
Watch out for generic salutations, or ones that refer to you only by username, e-mail address or account number.
- A request to "verify" your account information. Except at initial sign-up, businesses do not typically ask customers to verify their information by e-mail.
An unexpected request to confirm or update account information should be viewed with a high level of suspicion.
- E-mail that conveys a sense of urgency. Phishing scams encourage users to act without thinking by implying that action is required immediately. Be wary of messages which threaten things like account closure if action is not taken within 24 or 48 hours.
Ironically, some will even suggest that the response is necessary to prove your account has not already been compromised.
- Messages containing links to a login page. HTML-formatted e-mail can hide the true destination of a link: the visible text can name one address while the link itself points to another. Most e-mail clients and webmail interfaces show the underlying address in a pop-up or in the status bar if you hold your mouse pointer over the link text. If the underlying address is suspicious (a numeric address or a look-alike domain, as described above), you can be fairly certain the link is not legitimate.
The best way to be sure you reach the site you expect is to open your browser and type in the address yourself.
If you are still in doubt about the legitimacy of an e-mail you have received, telephone the customer service department of the company that supposedly sent it, using a number from a statement or the company's own website rather than one given in the e-mail.
Some browsers can automatically check websites against a database of known phishing sites. If your browser includes it, this capability provides an additional layer of protection in case you accidentally follow a phishing link.
However, as with viruses and spyware, there is always a delay between a phishing site being created and being added to the database. You should not rely on such filters to catch every attempt, and should exercise good judgment when deciding whether to follow instructions in e-mail you have received.
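To show mechanically what "hovering over the link" reveals, here is an added Python example (written for this page, not part of the original ICT guidance). It pulls the links and images out of an HTML message body and flags the signs described above: a link whose visible text names one address while the link points elsewhere, a link to a numeric address, and a domain that imitates a trusted one (www.royal-bank.ca against www.royalbank.ca). It also lists remotely loaded images, which are the "call home" beacons mentioned in the section on spam. The sample body, the documentation address 203.0.113.10, tracker.example.net and the trusted-domain list are all constructed for the example; the registrable-domain helper is a deliberate simplification.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for each <a> and the src of each <img>."""

    def __init__(self):
        super().__init__()
        self.links = []   # [href, visible text] pairs, in document order
        self.images = []  # img src values, in document order
        self._in_anchor = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append([attrs["href"], ""])
            self._in_anchor = True
        elif tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])

    def handle_data(self, data):
        if self._in_anchor and self.links:
            self.links[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False


def _host(url):
    """Lower-case host part of a URL ('' if it has none, e.g. mailto: or a relative link)."""
    return (urlparse(url).hostname or "").lower()


def _registrable(host):
    """Crude registrable domain: the last two labels (www.royalbank.ca -> royalbank.ca).
    Assumed simplification for this example; real code would use the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _looks_like_address(text):
    """True if the clickable text itself reads as a URL or host name."""
    return re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I) is not None


def _lookalike_of(host, trusted):
    """Return the trusted domain that host imitates (same letters once dots and
    hyphens are removed, e.g. royal-bank.ca vs royalbank.ca), or None."""
    squash = lambda h: re.sub(r"[^a-z0-9]", "", h)
    for t in trusted:
        if host == t or host.endswith("." + t):
            continue  # the genuine domain or one of its subdomains
        if squash(_registrable(host)) == squash(t):
            return t
    return None


def analyze_html(body, trusted_domains=()):
    """Return (kind, detail) findings for the links and images in an HTML body."""
    parser = _LinkCollector()
    parser.feed(body)
    findings = []
    for href, text in parser.links:
        host = _host(href)
        if not host:
            continue
        if _is_ip(host):
            findings.append(("ip-link", href))
        shown = text.strip()
        if _looks_like_address(shown):
            shown_host = _host(shown if "://" in shown else "http://" + shown)
            if _registrable(shown_host) != _registrable(host):
                findings.append(("text-href-mismatch", f"{shown} -> {href}"))
        imitated = _lookalike_of(host, trusted_domains)
        if imitated:
            findings.append(("lookalike", f"{host} resembles {imitated}"))
    for src in parser.images:
        if _host(src):  # a remote image fetch tells the sender the message was opened
            findings.append(("remote-image", src))
    return findings


# Constructed sample body for this example; 203.0.113.10 is a documentation address.
SAMPLE_HTML = """
<p>Dear Customer,</p>
<p>Please <a href="http://203.0.113.10/login">log in</a> within 24 hours, or verify
your account at <a href="https://www.royal-bank.ca/verify">www.royalbank.ca</a>.</p>
<img src="http://tracker.example.net/open.gif?id=8c1d" width="1" height="1">
<p><a href="https://www.royalbank.ca/help">Help centre</a></p>
"""

if __name__ == "__main__":
    for kind, detail in analyze_html(SAMPLE_HTML, trusted_domains=("royalbank.ca",)):
        print(f"{kind:20} {detail}")
```

Run on the sample, the script reports the numeric-address link, the link whose text says www.royalbank.ca but whose target is www.royal-bank.ca, the look-alike domain itself, and the one-pixel tracking image; the genuine "Help centre" link produces nothing. The same mismatch check is what you perform by eye when you hover over a link and compare the address shown with the one in the text.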
- Avoid virus infections: handle e-mail attachments with care.
E-mail is more than just a text-based method of communication. It also provides the ability to attach files to messages and distribute them to a wide audience. E-mail is used to collaborate with colleagues by sending documents, spreadsheets and presentations back and forth, and attachments are also used to share photos and video with family and friends.
Unfortunately, attachments are one of the most common ways for viruses to spread. Although up-to-date anti-virus software provides protection from most known viruses, it cannot recognize a virus it has never seen, so your first line of defence should be exercising caution when handling attachments.
Be extremely wary of e-mail messages with attachments that:
- Are from an unknown sender.
Children are repeatedly warned about the danger of accepting gifts from strangers. Yet adults routinely ignore this advice and open attachments from people they have never heard of. When you receive an attachment from someone you do not know, ask yourself whether you would trust this person to sit down in front of your computer, unsupervised, with access to all your data.
If turning over control of your computer to a stranger makes you uneasy, so should opening an attachment from them. The file could be a virus, and opening it could compromise your security and privacy.
- Are unexpected, even if you know the sender.
Viruses commonly spread by sending a copy of themselves to everyone found in the address book of an infected machine, and the sender address on a message is easily forged. As a result, a virus can appear to come from someone you communicate with regularly.
If the attachment is unexpected, seems out of character, is different from the type the person normally sends you, or is otherwise "odd," you are safer not opening it.
If you are in doubt but recognize the sender, contact them to confirm the legitimacy of the message, preferably by some means other than replying to the message itself.
- Sound generic or lack any personal detail.
Messages with subject lines like "Hi, check this out" or "A funny file for you" should be viewed with suspicion. Viruses generate e-mail automatically and keep the subject or content impersonal because they do not know who you are.
If the message does not sound like it was written for you personally, or is not in the style of the supposed sender, the safest course of action is to delete the message and its attachments.
- Have many spelling or grammatical errors.
Many virus authors do not have a solid command of the English language, so the automatic messages their viruses generate are often full of poor spelling or bad grammar.
If you receive a message supposedly from a known contact, but with spelling or grammar you would not expect from them, be wary of opening any attachments; check with them first.
- Have an attachment with a strange name or file type.
If an attachment seems to have two extensions (e.g. .DOC.EXE or .JPG.SCR), delete it. It is likely an attempt by a virus to pass off a dangerous executable file as a more legitimate file type; the last extension is the one that determines how the file is opened.
Some operating systems hide the last extension of a file, so .DOC.EXE may appear as .DOC instead. You still need to be wary even if the file name looks normal.
- Entice you to open the attachment.
In an effort to encourage you to open an infected attachment, viruses often exploit popular trends, stories in the news, humour, etc. Frequently, viruses claim to be pictures or video of some celebrity scandal, natural disaster, cute animals, a funny screensaver or other subjects that simply demand viewing.
It is natural for people to let curiosity overcome suspicion and open these sorts of attachments. Unfortunately, "anyone else would have done the same" is small consolation to someone who has lost their data or privacy to a virus infection.
Do not let it happen to you: delete chain letters, funny stories or tempting pictures/video as soon as you receive them.
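To show how the two-extension trick on an attachment name can be caught mechanically, here is an added Python example (written for this page, not part of the original ICT guidance). It parses a raw message with the standard library's email package, walks its attachments and flags names whose last extension is executable or which stack a document extension in front of one; displayed_name shows what such a name looks like on a desktop that hides known extensions. The sample message, its sender and the two extension lists are constructed and assumed for the example, and the attachment bodies are placeholder bytes.

```python
import email
from email import policy

# Extensions that execute when opened on a typical Windows desktop.
# Assumed list for this example; extend it for your own environment.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "jse",
                   "wsf", "wsh", "hta", "msi", "lnk", "ps1"}
# Harmless-looking types that double-extension tricks hide behind (assumed list).
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt",
                 "jpg", "jpeg", "png", "gif", "mp4", "avi", "zip"}


def displayed_name(filename):
    """The name as a desktop that hides known extensions would show it:
    the final extension is dropped, so Invoice.doc.exe appears as Invoice.doc."""
    stem, dot, ext = filename.rpartition(".")
    return stem if dot and ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS else filename


def classify_name(filename):
    """Reasons an attachment name is suspicious, judged from the name alone
    (an empty list means the name itself gives no cause for concern)."""
    reasons = []
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return reasons
    ext = parts[-1]  # the last extension decides how the OS opens the file
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable")
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            reasons.append("double-extension")
    return reasons


def scan_message(raw):
    """Parse a raw RFC 822 message and map each suspicious attachment name to its reasons."""
    msg = email.message_from_string(raw, policy=policy.default)
    suspicious = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = classify_name(name)
        if reasons:
            suspicious[name] = reasons
    return suspicious


# Constructed sample message for this example; the attachment bodies are placeholder bytes.
SAMPLE_RAW = """\
From: "A. Friend" <friend@example.org>
To: you@example.com
Subject: Hi, check this out
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

A funny file for you
--b1
Content-Type: application/octet-stream; name="party.jpg.scr"
Content-Disposition: attachment; filename="party.jpg.scr"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

if __name__ == "__main__":
    for name, reasons in scan_message(SAMPLE_RAW).items():
        print(f"{name} (shown as '{displayed_name(name)}'): {', '.join(reasons)}")
```

On the sample, party.jpg.scr is reported as an executable with a stacked document extension, and a desktop hiding extensions would have shown it simply as party.jpg; report.pdf is not reported. The check deliberately looks only at the name: a file that passes it can still be malicious, so the rest of the advice above (unexpected, generic, enticing) still applies.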
Assistance
For assistance with your e-mail settings, consult with your local IT support personnel or contact the ICT Help Desk.