1. Email is insecure.
Even secure email programs only encrypt messages as they travel between the sender’s computer and the sender’s email server. Email transmitted from the sender’s email server to the recipient over the Internet passes unencrypted through any number of servers; this happens regardless of any security configured by you or your email host – such as SSL or https.
The easiest way to understand this is by thinking of the email being transmitted through its various steps. At very best the sender and the recipient will be using SSL or https, leaving the following:
You (using SSL) -> SECURE -> Your Server -> UNSECURE -> Internet -> UNSECURE -> Recipient’s Server -> SECURE -> Recipient (using SSL)
Unless you are encrypting the actual message or attachments your email can be intercepted and read in transit.
2. You have no control over the email after you send it.
The people you send email to can forward it, post it online, or even post it on a billboard. As a rule, you should only put in writing what would pass the scrutiny of your peers or even a court of law.
3. The ‘From’ field is easily forged.
Both the ‘From’ name and email address are very easily forged.
Attackers can attempt to gain your trust by forging the ‘From’ field, misleading the recipient about the validity of the message.
4. Sending personal information over email puts you at risk for identity theft and other crimes.
NEVER send private information through email, whether you know the recipient or not. The private information could be intercepted by a third party, mishandled by the recipient or even be delivered straight into the hands of an identity thief.
If asked to send private information through email, even as an attachment, politely decline and offer an alternative such as phone or fax.
Legitimate organizations are aware of email related risks and should not ask you to jeopardise the security of private information.
5. Identity thieves and other criminals use email, websites, and the names and logos of legitimate businesses to get you to give them sensitive information.
It’s easy to copy and paste logos into email, so don’t believe an email is legitimate just because it includes logos of well-known companies. Often, the link you see in the message does not take you where it appears to. For example, link text that says http://paypal.com may really lead to something like http://paypal.fakesite.zz/login.php and present a realistic imitation of the real site.
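The two warning signs described in points 3 and 5 (a forged ‘From’ field and link text that does not match the real link target) can both be checked mechanically. The following is an added example, not code from the original article: it parses a constructed sample message (all addresses, domains and the link are made up for illustration) with Python’s standard library and reports the indicators a mail filter or a careful reader would look for.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email). The display name is made to
# look like an address at one domain, the real address is at another, the
# Return-Path is at a third, and the first link shows one URL in its text
# while its href points somewhere else entirely.
SAMPLE_RAW = """\
Return-Path: <bounce@other.example.zz>
From: "service@paypal.com" <alerts@mailer.example.net>
To: you@example.org
Subject: Confirm your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please sign in: <a href="http://paypal.fakesite.zz/login.php">http://paypal.com</a></p>
<p><a href="https://example.org/help">Help</a></p>
</body></html>
"""


def _domain(addr):
    """Return the lower-cased domain part of an email address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_indicators(msg):
    """Heuristics for a forged or misleading 'From' field."""
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    # A display name that looks like an address at a different domain is a
    # classic trick: the reader sees the name, not the real address.
    if "@" in name and _domain(name) != _domain(addr):
        findings.append(f"From display name looks like {name} but the address is {addr}")
    # A Return-Path at another domain is only an indicator: legitimate bulk
    # senders often do this too, so treat it as a reason to look closer.
    if return_path and _domain(return_path) != _domain(addr):
        findings.append(
            f"Return-Path domain {_domain(return_path)} differs from From domain {_domain(addr)}"
        )
    return findings


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible link text that itself looks like a URL or hostname.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def link_indicators(html):
    """Flag links whose visible URL-looking text names a different host than the href."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not URL_LIKE.match(text):
            continue  # plain words such as "Help" are not a mismatch
        shown = text if "://" in text else "http://" + text
        if urlparse(shown).hostname != urlparse(href).hostname:
            findings.append(f"link text {text!r} points to {href}")
    return findings


def analyze(raw_message):
    """Run both checks over a raw RFC 822 message and return the list of findings."""
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    return sender_indicators(msg) + link_indicators(body)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_RAW):
        print("INDICATOR:", finding)
```

Run on the sample it reports three indicators: the display name that imitates an address, the differing Return-Path domain, and the link whose text says paypal.com but whose href goes to a different host. None of these proves a message is fraudulent on its own, which is why the article’s advice to treat such mail with caution rather than to rely on the ‘From’ line holds.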
6. Curb your curiosity. Don’t click on any links in email messages from businesses you don’t do business with.
Emails that appear to be from a familiar or reputable business can be used to:
- Direct you to a website that is used to collect your account numbers and passwords
- Get you to reply to or attempt to unsubscribe from a service or newsletter so that they can send you more fraudulent email – replying or attempting to unsubscribe confirms for the sender that your email address is legitimate.
- Direct you to a website which infects your computer with malicious programs as the page is loaded. These programs can allow someone to use your computer to send spam, track key strokes to collect sensitive information, or set up repositories of inappropriate content.
7. Legitimate businesses have professional writers and editors that review email messages to customers for errors.
Typos are fairly common in email, but messages with several misspelled words, poor grammar or an unprofessional appearance are most likely not from a legitimate business and should be viewed with skepticism or simply deleted.
8. Email attachments can contain viruses and worms.
To avoid opening attachments that contain viruses:
- Delete messages and attachments from people you do not know.
- If you do know the sender but are concerned about the validity of the email and attachment, contact them (but not by replying to the suspect message) and ask if they sent the attachment and where they got it.
For comprehensive advice on handling email with attachments, see the following section of the CERT Home Computer Security page:
9. Real millionaires will never offer you money via email.
It’s nice to feel trusted, but if you receive an email from someone you don’t know who claims to have gotten your name from someone they don’t specify and offers to pay you 10% to help them move millions of dollars out of a distant country, DELETE IT. They want your bank account number and intend to use it to take your money.
10. Hone your instincts then trust them.
Most malicious email has characteristics that are “off” in some way. If you find yourself wondering why you received a particular message, you should treat it with caution or simply delete it.