10 things everyone must know about email

1. Email is insecure.

Even secure email programs only encrypt messages as they travel between the sender’s computer and the sender’s email server. Email transmitted from the sender’s email server to the recipient over the Internet passes unencrypted through any number of servers, and this happens regardless of any security configured by you or your email host, such as SSL or https.

The easiest way to understand this is to think of the email being transmitted through its various steps. At best, both the sender and the recipient will be using SSL or https, which leaves the following path:

You (using SSL) -> SECURE -> Your Server -> UNSECURE -> Internet -> UNSECURE -> Recipient’s Server -> SECURE -> Recipient (using SSL)

Unless you encrypt the actual message or attachments, your email can be intercepted and read in transit.

2. You have no control over the email after you send it.

The people you send email to can forward it, post it online, or even post it on a billboard. As a rule, you should only put in writing what would pass the scrutiny of your peers or even a court of law.

3. The ‘From’ field is easily forged.

Both the ‘From’ name and email address are very easily forged.

Attackers can attempt to gain your trust by forging the ‘From’ field, misleading the recipient about the validity of the message.

4. Sending personal information over email puts you at risk for identity theft and other crimes.

NEVER send private information through email, whether you know the recipient or not. The private information could be intercepted by a third party, mishandled by the recipient or even be delivered straight into the hands of an identity thief.

If asked to send private information through email, even as an attachment, politely decline and offer an alternative such as phone or fax.

Legitimate organizations are aware of email-related risks and should not ask you to jeopardise the security of private information.

5. Identity thieves and other criminals use email, websites, and the names and logos of legitimate businesses to get you to give them sensitive information.

It’s easy to copy and paste logos into an email, so don’t believe an email is legitimate just because it includes the logos of well-known companies. Often, the link you see in the message does not take you where it appears to. For example, link text that says http://paypal.com may really lead to something like http://paypal.fakesite.zz/login.php, a realistic imitation of the real site.

Emails that appear to be from a familiar or reputable business can be used to:

  1. Direct you to a website that is used to collect your account numbers and passwords
  2. Get you to reply to or attempt to unsubscribe from a service or newsletter so that they can send you more fraudulent email – replying or attempting to unsubscribe confirms for the sender that your email address is legitimate.
  3. Direct you to a website which infects your computer with malicious programs as the page is loaded. These programs can allow someone to use your computer to send spam, track keystrokes to collect sensitive information, or set up repositories of inappropriate content.
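As an added example that is not part of the original article, the following Python script checks a message for the two signs described in items 3 and 5 above: a ‘From’ domain that disagrees with the Return-Path (a heuristic only; some legitimate bulk mailers also differ), and a link whose visible text names one host while its href leads to another. The sample message is constructed for this example and is not a real email.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): visible link text says paypal.com but
# the href goes elsewhere, and the From domain disagrees with Return-Path.
SAMPLE_EMAIL = """\
From: "PayPal" <service@paypal.com>
Return-Path: <bounce@mail.fakesite.zz>
Content-Type: text/html

<p>Log in at <a href="http://paypal.fakesite.zz/login.php">http://paypal.com</a></p>
"""

class LinkCollector(HTMLParser):
    # Collect (href, visible text) pairs for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lower-cased hostname of a URL, or of a bare domain with no scheme."""
    return (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()

def domain_of(header):
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def analyse(raw):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []
    sender, bounce = domain_of(msg.get("From")), domain_of(msg.get("Return-Path"))
    if sender and bounce and sender != bounce:   # heuristic, see lead-in
        findings.append(f"From domain {sender} differs from Return-Path domain {bounce}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        # Only compare hosts when the visible text itself looks like a URL or domain.
        if re.match(r"^(https?://|www\.|[\w-]+(\.[\w-]+)+$)", text, re.I) and host_of(text) != host_of(href):
            findings.append(f"link text {text!r} actually leads to {host_of(href)}")
    return findings
```

Running `analyse(SAMPLE_EMAIL)` reports both the header mismatch and the misleading link; the same function returns an empty list for a message whose headers and links agree.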

7. Legitimate businesses have professional writers and editors that review emails for errors.

Typos are fairly common in email, but messages with several misspelled words, poor grammar or an unprofessional appearance are most likely not from a legitimate business and should be viewed with skepticism or simply deleted.

8. Email attachments can contain viruses and worms.

Avoid opening attachments that contain viruses by:

  1. Deleting messages and attachments from people you do not know.
  2. Contacting the sender, if you do know them but are concerned about the validity of the email and attachment, and asking whether they sent the attachment and where they got it.

For comprehensive advice on handling links and attachments see The jargon-free guide to computer and internet security.

9. Real millionaires will never offer you money via email.

If you receive an email offering to pay you to help the sender move millions of dollars out of a distant country, DELETE IT.

They want your bank account number and intend to use it to take your money.

10. Trust your instincts.

Most malicious emails just don’t “feel right” in some way.

If you find yourself wondering why you received a particular message, you should treat it with caution or simply delete it.