Email security starts with making sure you don’t accidentally download malware or unwittingly give away your personal information.
There are basically two kinds of unscrupulous emails. The first involves emails that seek to get you to do something that will trigger a malicious action, like run a program or open a document. These have been around forever. The most famous malicious attachment was probably Melissa, which you probably remember if you worked in an office when it hit in 1999.
Melissa was a virus, which meant its goal was to propagate itself. People using Microsoft Outlook received infected messages telling them a document they asked for was attached. When they opened that document, it triggered the virus to grab the first 50 email addresses in the user’s Outlook email address book and send copies of the same email to them, and so on and so on. Some corporate email networks had to shut down until the virus was under control.
The second, more recent kind of malicious emails rely on phishing. Phishing is all about getting your personal information.
Phishing plays on both trust and fear. Phishing emails purport to be from someone or something you are familiar with, like your bank, and they often demand you take immediate action because something bad has happened, such as a data breach. The hope is that you will be worried enough to do it.
If you are trying to be vigilant (without going overboard and being suspicious of everything that comes your way) there are a few key characteristics of risky emails to keep in mind.
Unspecific and Unverifiable
Is it ostensibly from your bank but addressed “Dear Customer” or with another generic greeting? Are you unable to determine what the email might be about because it only makes vague references to “your business” or “your account”? Is the signature lacking in details, such as missing the last name or a job title? These should raise red flags.
If the email purports to be from a company or organization but contains no way to contact them other than replying to the email, don’t reply. If you feel like you absolutely have to contact the organization, use Google to find the phone number. No reputable entity has only one way to contact it.
Is the email pegged to a recent high-profile news story, such as Ebola? Was there just an earthquake and you received an unsolicited email from a charity you have never heard of? Check a resource like Charity Navigator to see if it is legitimate. Natural disasters are also prime time for fraudulent email schemes. Snopes keeps a running list of real and fake charities, though it is unclear how often that list is updated. However, you can always just search Snopes to see if your latest urgent email is actually just the latest email scam.
Some emails are designed to be personally, rather than globally, alarming. Who wouldn’t be a bit disturbed by an email from the IRS that says you owe money? However, the IRS will never contact you (about your refund or anything else that requires your personal information) in this fashion. The same is true for problems with your enrollment in a health care exchange or being in trouble about jury duty. The government generally does not email you, period, and it will certainly not email you to threaten you with some sort of legal or administrative action. That’s what the mail is for.
Requests for Personal Information
No reputable organization with which you already do business will email you and ask for your personal information. Not the government, not your bank, not eBay. Do not answer an email that asks for that information.
In the event one of the services you use is compromised, such as the recent release of 117 million LinkedIn emails and passwords from a 2012 breach, the service may send you an email. However, that legitimate email will never include a link. It will warn you of the breach and tell you to go log in and change your information over at the site.
Requests to Take Action
Similarly, beware emails that ask you to click a link if that link is related to your personal or login information. It’s just fine to click through the latest Brooks Brothers email advertisement because all that will happen is you will land at Brooks Brothers’ home page or find a particularly handsome sweater or something similar. On the other hand, if the email gives you a link that you are supposed to click to change or access your specific personal information, don’t. You can change that information directly on the site while you purchase said handsome sweater.
Requests to Download Something
This is a bit harder to remain fully vigilant against. It is common practice to tell people never to open any .exe file they may receive by email. An .exe file is a Windows executable: opening it tells Windows to run whatever code it contains, such as a script or a program installer. Once you open the file, any malware inside it runs with your privileges and can spread itself or damage your machine.
If you work in a large office where an IT department manages your email, you may be blocked from receiving emails with .exe attachments so that no one can inadvertently become Patient Zero for your firm. A simple rule of thumb is that no one should send programs as email attachments at all; it is impractical in most cases anyway. However, malicious code can lurk in other files. The Melissa attachment, for example, was a Microsoft Word document.
Here, some common sense about the sender is what comes in handy. If you have received a file from someone you don’t know and have no dealings with, don’t open the file. If it appears to be from someone in your address book, call or email them and ask if they’ve recently sent you a file. True, it’s clunky, but it’s far less embarrassing than being the person who brings your entire network down. To combat both these and the phishing techniques above, it is far better to be safe than sorry.
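The warning signs listed in this article (generic greetings, requests for login or personal information, links whose visible text does not match where they go, and executable or macro-capable attachments) can be turned into a simple triage check that a help desk or mail administrator runs over a suspicious message before anyone opens it. The script below is an added example written for this page, not code from the original article; it uses only the Python standard library, and the keyword lists, regular expressions and the two sample messages (`SAMPLE_PHISH`, `SAMPLE_BENIGN`, with `.invalid` domains) are constructed assumptions for illustration.

```python
"""Heuristic screen for the risky-email characteristics described in the article.

Parses a raw RFC 822 message and reports findings for: executable attachments
(including double-extension names such as "statement.pdf.exe"), macro-capable
Office documents, generic greetings, requests for personal or login
information, and links whose displayed URL differs from the real target.
Keyword lists and thresholds are illustrative assumptions, not a standard.
"""
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Assumed lists: extend to taste for your own environment.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".com", ".pif",
                         ".vbs", ".js", ".jar", ".msi", ".ps1"}
MACRO_CAPABLE = {".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm", ".dot", ".dotm"}

GENERIC_GREETING = re.compile(
    r"\bdear\s+(customer|user|member|valued customer|account holder)\b", re.I)
CREDENTIAL_REQUEST = re.compile(
    r"\b(verify|confirm|update|re-?enter)\b.{0,40}"
    r"\b(password|account|ssn|social security|credit card|login)\b", re.I | re.S)
ANCHOR = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+", re.I)
ACCOUNT_ACTION = re.compile(r"\b(log\s?in|sign\s?in|verify|update your)\b", re.I)


def attachment_flags(msg):
    """Flag attachments by their final extension (the one the OS acts on)."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
        if ext in EXECUTABLE_EXTENSIONS:
            # "invoice.pdf.exe" is still an .exe; the extra dot is the disguise.
            label = "disguised executable" if name.count(".") > 1 else "executable attachment"
            findings.append(f"{label}: {name}")
        elif ext in MACRO_CAPABLE:
            findings.append(f"macro-capable document: {name}")
    return findings


def link_flags(html):
    """Flag anchors whose visible URL points elsewhere, or that ask for account actions."""
    findings = []
    for href, text in ANCHOR.findall(html):
        real_host = urlparse(href).hostname or ""
        shown = URL_IN_TEXT.search(text)
        if shown and (urlparse(shown.group(0)).hostname or "") != real_host:
            findings.append(f"mismatched link: text {shown.group(0)} -> {href}")
        if ACCOUNT_ACTION.search(text):
            findings.append(f"link requests account action: {href}")
    return findings


def screen_email(raw):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw, policy=policy.default)
    findings = attachment_flags(msg)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    plain = re.sub(r"<[^>]+>", " ", text)  # strip tags for the wording checks
    if GENERIC_GREETING.search(plain):
        findings.append("generic greeting")
    if CREDENTIAL_REQUEST.search(plain):
        findings.append("requests personal/login information")
    findings.extend(link_flags(text))
    return findings


# Constructed sample messages (not real mail); domains use the reserved .invalid TLD.
SAMPLE_PHISH = """\
From: "Security Team" <alerts@example-bank.invalid>
To: victim@example.net
Subject: Urgent: your account has been suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Dear Customer,</p>
<p>Due to a data breach you must verify your password within 24 hours.</p>
<p><a href="http://login-verify.example.invalid/x">https://www.example-bank.invalid/login</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

SAMPLE_BENIGN = """\
From: alice@example.net
To: bob@example.net
Subject: lunch
Content-Type: text/plain; charset="us-ascii"

Hi Bob, are we still on for lunch Thursday? -- Alice
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, screen_email(raw) or ["no findings"])
```

Each finding maps back to one of the article's warning signs, so a reader can see which rule fired; a message with no findings is not proven safe, it simply shows none of these particular cues, which is why the sender-verification advice above still applies.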