Safer Email

Today let's think about how to be safer using the oldest internet application still in common use: email. Email predates the Web by about twenty years. So when young people accuse it of being “for old folks” (meaning, people like me) I have to admit they may have a point. But email is still far and away the best mode of communication for business correspondence, and for the exchange of personal messages longer than 160 characters.

Long before the web, but shortly after the creation of email itself, spam was born. In addition to being annoying, spam can create some information safety issues. So there are two main things I want you to remember when seeing spam in your inbox: use the spam you get to better train your filter, and never click on any links or open any file attachments.

All modern webmail clients have built-in spam filtering. Personally, I use Gmail to read my mail, even mail from other domains (such as safer-computing.com). The benefit of using an established webmail system as your mail reader is that the provider’s spam filters have been exposed to billions and billions of emails, and so they are very well-tuned for a low rate of both false positives (when the filter puts a valid email in the spam folder) and false negatives (when it delivers actual spam to your inbox). The less of either, the happier you are with the result.

You train spam filters by identifying both false positives and false negatives for them. For example, in Gmail, there is a “Report Spam” menu option or button in every non-spam folder and a “Not Spam” button in the spam folder. You should make use of these whenever possible. That means occasionally visiting the spam folder to look for those false positives. The more you do this, the less it will be necessary, because the filters adjust their criteria to the kind of email you get and even to your subjective tastes about what is and is not spam.

One notable subset of spam you always want filtered out is the scams. Disney vacations, prizes in lotteries (that you don’t remember entering), gift cards and many more unbelievable windfalls show up in your mailbox by the hundreds each month. As you no doubt know, these are nothing but scams to get your personal information or to extract redemption fees to claim these imaginary prizes. Mark them all as spam. And of course, there really is no dead Nigerian prince whose family lawyer wants to pay you 20% of $1.6 billion to help them expatriate the money. The only thing you will get for responding to these is an escalating series of demands for fees to cover the assorted (made-up) mechanics of moving the (imaginary) money and finally (never) paying you. Sending these emails is a crime, and you can report it to the FBI at https://www.ic3.gov/complaint/.

Phinally, phishing. Phishing is the sending of emails carefully crafted to look like they come from a legitimate organization, such as a bank, a government agency like Social Security or the IRS, or an employer. The typical phishing email will have a message designed to create some sense of urgency, and links crafted to resemble the links to the legitimate website being spoofed. For example, the email may alert you to a credit card fraud attempt, and the embedded links go to chasebank.com. The problem here is, Chase Bank’s website is really at chase.com. When you go to chasebank.com, which was created by the scammers, you will indeed find the familiar login screen and so on. When you log in through this screen, you will land on the familiar opening screen of chase.com. However, because you logged in through the scammers’ fake page, they’ve snagged a copy of your ID and password in the process. It is easy to do that and then pass your valid credentials along to the real site, so your experience is the same as usual. The fake login page looks very real because the scammers can easily go to the public pages of the real chase.com and grab copies of all the graphics, fonts, content, style sheets and even a fair amount of the programming code needed to make certain pages look and work the way the real ones do. The result is a presentation that even professionals will have a hard time distinguishing from the real thing. It sounds like a lot of work, but it pays very well. One single phishing attack in April netted $495K from a Michigan investment firm. And any given phishing email can go to millions of users at a time.

The lesson here is, never click on links in emails, unless the senders are personally known to you, or for things like password resets that you know you initiated within the past few minutes. Certainly, for financial and government services, you should navigate to their websites by way of known links you have previously saved as bookmarks or stored in secure password-manager records. If you use a search engine to make initial contact with an agency or company, make sure that you skip past the sponsored links and click only on the most relevant non-sponsored one. Phishing emails, like all scams, should be reported to the FBI at https://www.ic3.gov/complaint/.
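The point above is that a link is only safe if the host your browser will actually connect to is one you already trust, and a trusted name merely appearing somewhere in the URL proves nothing. Here is an added example (mine, not code from the article) that applies that rule to links found in an email: it extracts the real hostname with Python's standard `urllib.parse`, then checks it against a constructed allowlist of bookmarked domains. The allowlist and the sample links are made up for the example; `chasebank.com` is the lookalike from the article, and the other lookalike domains end in `.example`, which is reserved and not a real site.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the domains you would have bookmarked yourself.
# In practice this comes from your own bookmarks / password-manager records.
TRUSTED_DOMAINS = {"chase.com", "ssa.gov", "irs.gov"}


def registered_host(url: str) -> str:
    """Return the lowercase hostname a browser would actually connect to,
    or "" if the link is not a plain http(s) link at all."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return ""  # mailto:, javascript:, data: links are never a trusted website
    # .hostname strips any user:pass@ prefix and any :port suffix, so a
    # trusted name placed before an '@' does not fool the check.
    host = (parts.hostname or "").rstrip(".").lower()
    if not host.isascii():
        return ""  # refuse look-alike (non-ASCII) characters in the hostname
    return host


def is_trusted_link(url: str) -> bool:
    """True only if the host is a trusted domain or a subdomain of one."""
    host = registered_host(url)
    if not host:
        return False
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)


def classify_links(urls):
    """Map each link to 'trusted' or 'UNKNOWN' for a quick review."""
    return {u: ("trusted" if is_trusted_link(u) else "UNKNOWN") for u in urls}


# Constructed sample links such as might appear in a phishing email.
SAMPLE_LINKS = [
    "https://chase.com/",
    "https://secure.chase.com/login",
    "https://chasebank.com/login",                       # lookalike from the article
    "https://chase.com.account-verify.example/login",    # trusted name as a subdomain of another domain
    "https://chase.com@account-verify.example/",         # trusted name hidden in the user:pass@ part
    "javascript:alert(1)",                               # not a website link at all
]

if __name__ == "__main__":
    for link, verdict in classify_links(SAMPLE_LINKS).items():
        print(f"{verdict:8} {link}")
```

Only the first two links come back as trusted; everything else is flagged UNKNOWN, which matches the article's advice: if it isn't a site you already know, get there from your own bookmark rather than from the email.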

Whether it’s spam or phishing, when an email arrives that “wants” you to click on its links, leave it wanting. Especially, never click on “unsubscribe” links in spam email. Doing that simply confirms for the spammers not only that your email address is valid, but that you actually read their email. They will reward this by showering you with much love. And spam. Well, mostly spam.

This article was updated on 2023-05-13 06:50:49

CISO-in-a-Box

Infosec geekosaurus. All opinions my own.

Information security since 2005. IT... well into my second millennium.