
Email:
You never know who really sent an email message, so think twice before acting on a single message. Forging an email’s FROM address is relatively simple. Don’t do anything involving money, passwords, or personal information based on a single email message. Techies can examine the hidden email headers to work out where a message came from, but this is not a skill taught in nerd school. If you know how to display an email message’s headers, you can copy/paste them into https://www.iplocation.net/trace-email, which will parse the headers and report the sending/source IP address, country, ISP, and organization. MxToolbox’s Email Header Analyzer is a similar tool. Keep in mind that only the header lines added by your own email provider can be trusted; the sender can forge everything below them.

Victims often believe an email is legitimate because it knows something about them. But our personal information has been leaked many times, so the fact that a message includes details about you specifically is no guarantee that the sender is who they claim to be or that the message is legitimate.
It is natural to assume that when you reply to an email message, the reply goes to the person who sent it. This is true almost all of the time, but not always. Internet email has a rarely used Reply-To header that lets the sender specify a different address to which replies should be sent. Replies to a message sent from DonaldDuck@gmail.com may be redirected to DonaldDuck@hotmail.com, DonaldDuck@aol.com, or DonaldDuck@anyfreeservice.com. The Reply-To address can be anything, but keeping the sender’s name while changing the domain increases the likelihood that the scam goes unnoticed. When a Reply-To header is combined with a spoofed sender address, a victim can be duped into carrying on a conversation with the bad guys. Your email software may or may not display the Reply-To address. Gmail, for example, does not show it in the normal message view; it appears only in the message details or once you start a reply.
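The two checks described above (walking the Received headers back to the originating IP, and spotting a Reply-To on a different domain than From) can be done locally. The script below is an added example, not code from the original page or from the header-analysis sites it mentions; the message it parses is constructed for the demo, and the IP addresses and domains in it are documentation examples, not real senders.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message, not a real email: the From address is spoofed,
# Reply-To points at a different domain, and three Received headers were
# prepended by the relays it passed through (newest first, as in real mail).
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbox.example.org with ESMTPS; Mon, 01 Jan 2024 10:00:03 +0000
Received: from relay.example.net (relay.example.net [192.0.2.5])
\tby mx.example.net with ESMTP; Mon, 01 Jan 2024 10:00:02 +0000
Received: from [203.0.113.77] (unknown [203.0.113.77])
\tby relay.example.net with ESMTPA; Mon, 01 Jan 2024 10:00:01 +0000
From: Donald Duck <DonaldDuck@gmail.com>
Reply-To: Donald Duck <DonaldDuck@hotmail.com>
To: victim@example.org
Subject: Urgent: wire transfer needed today

Please reply with the account details.
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_HOST = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or None."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def received_chain(msg):
    """Walk the Received headers in delivery order (earliest hop first).

    Mail servers prepend Received headers, so the last one in the message is
    the hop closest to the sender. Each hop is returned as (claimed host, IP).
    """
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        line = re.sub(r"\s+", " ", str(raw)).strip()
        host = FROM_HOST.search(line)
        ip = IPV4.search(line)
        hops.append((host.group(1) if host else None, ip.group(1) if ip else None))
    return hops


def analyze(raw_message):
    """Summarize where a message came from and where replies would go."""
    msg = message_from_string(raw_message, policy=policy.default)
    hops = received_chain(msg)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    return {
        # Best effort only: the sender controls every Received header below
        # the ones added by your own provider and can forge them.
        "origin_ip": hops[0][1] if hops else None,
        "hops": hops,
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        # A Reply-To on a different domain than From is the redirect trick.
        "reply_to_mismatch": reply_domain is not None and reply_domain != from_domain,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

For the constructed message this reports 203.0.113.77 as the originating IP and flags the gmail.com/hotmail.com Reply-To mismatch. The geolocation and ISP lookup that the online tools add is deliberately left out; the point is that the IP and the mismatch are right there in the headers.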
Links:
Links in email and on web pages are hard to judge. Unless you are a techie, it is difficult to predict where you will end up after clicking one: the text you see can say anything, and the actual destination is hidden inside the link. If an email contains a link to a service login page, DO NOT CLICK IT. Go to the service’s website on your own and log in.
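To make the "text says one thing, link goes somewhere else" problem concrete, here is an added example (not code from the original page) that pulls every link out of an HTML email body and reports the tricks a techie would look for: visible text that names a different host than the real destination, a real host hidden behind a user@ prefix, and punycode (xn--) domains that can imitate a familiar name. The HTML fragment and the domains in it are constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML fragment, not from a real phishing email. The first link
# shows one address while pointing at a lookalike domain (digit 1 for l),
# the second hides the real host behind a user@ prefix, the third uses a
# punycode (internationalized) domain, and the fourth is an honest link.
SAMPLE_HTML = """
<p>Your account is locked. Reset it here:
<a href="https://login.examp1e-bank.com/reset">https://login.example-bank.com/reset</a></p>
<p><a href="https://www.example-bank.com@203.0.113.5/login">Sign in</a></p>
<p><a href="https://xn--exmple-bank-4zb.com/">Example Bank</a></p>
<p><a href="https://www.example-bank.com/help">Help center</a></p>
"""

# Visible text that itself looks like a URL or bare domain name.
URL_LIKE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:[/?#].*)?$", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(text):
    """Hostname named by the visible text, or '' if the text is not URL-like."""
    if not URL_LIKE.match(text):
        return ""
    url = text if "://" in text else "//" + text
    return (urlsplit(url).hostname or "").lower()


def assess_link(text, href):
    """Return the reasons a link looks deceptive (empty list means none found)."""
    reasons = []
    parts = urlsplit(href)
    real_host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        reasons.append(f"unusual scheme {parts.scheme!r}")
    if parts.username is not None:
        # https://bank.example@evil.example/ really goes to evil.example
        reasons.append(f"real host is {real_host}, not {parts.username}")
    if "xn--" in real_host:
        reasons.append("punycode host, may imitate a familiar name")
    shown = host_of(text)
    if shown and shown != real_host:
        reasons.append(f"text shows {shown} but link goes to {real_host}")
    return reasons


def suspicious_links(html):
    """Parse the HTML and return [(text, href, reasons)] for deceptive links."""
    parser = LinkCollector()
    parser.feed(html)
    found = []
    for text, href in parser.links:
        reasons = assess_link(text, href)
        if reasons:
            found.append((text, href, reasons))
    return found


if __name__ == "__main__":
    for text, href, reasons in suspicious_links(SAMPLE_HTML):
        print(f"{text!r} -> {href}: {'; '.join(reasons)}")
```

Three of the four constructed links are flagged; the plain "Help center" link is not. A clean result from a check like this is not proof a link is safe (a lookalike domain with honest-looking text passes it), which is why the advice above is still to type the address yourself for anything involving a login.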
The inclusion of official logos and images in an email message does not imply legitimacy; they are trivial to copy. See “Dealing with Fake Emails” and “How to Spot Suspicious Emails” at Ask Leo, which walk through the telltale signs in a scam email message.
The more urgent the request to act, the more likely the message is a scam. The bad guys don’t want you to have time to think it over or to consult with others.
Email passwords are more important than many people realize, because your email account is where the password resets for your other accounts are sent. Make it at least 12 characters long and do not reuse it anywhere else. If you use password manager software, do not store your email password in it. Instead, write it down.
When bad actors discover your email password, they are likely to send scam emails to everyone in your address book. Consider adding both your own email address and a secondary address that also belongs to you to your address book, so that you see such messages as soon as possible.
Terminology:
“Phishing” is slang for a scam email, one that deceives you into giving up a password, money, or other information. “Spear phishing” is a phishing attack designed specifically for you: the bad guys research you first and use what they learn as part of the lure. For example, they could find out who handles money transfers in a company, then pose as the boss and order a bogus transfer.
Attachments to emails:
Word documents, spreadsheets, and PDF files frequently carry malware. The safest place to open any file attached to an email message is a Chromebook in Guest mode. The next most secure option is an iOS device. Google Drive is the third most secure environment (ideally accessed from a Chromebook or an iOS device): upload the attachment to Google Drive and open it there. Windows is the least secure environment for dealing with email attachments. If you must use Windows or macOS, download the attached file and scan it at VirusTotal.com, which runs it through dozens of anti-virus engines, before opening it. Two caveats: files uploaded to VirusTotal are shared with its security-vendor partners, so do not upload anything confidential, and a clean scan is not proof that a file is safe, since brand-new malware is often not yet detected. Any attached file can be hazardous.
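Before uploading anything, a few things can be checked offline: whether the file really is what its name says (an executable renamed to .pdf), whether an Office document carries VBA macros, whether an archive is password-protected (so anti-virus cannot look inside), and whether a PDF contains active content. The script below is an added example, not code from the original page or from VirusTotal; it builds its own small sample files in memory (they contain no real malware), and the VirusTotal hash-lookup URL it prints is the public web address for a file’s SHA-256, which lets you check a hash without uploading the file.

```python
import hashlib
import io
import zipfile

# Leading bytes that identify the real file type regardless of its name.
MAGIC = (
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),                  # also .docx/.xlsx/.pptx (OOXML is a zip)
    (b"MZ", "windows-executable"),           # .exe/.dll/.scr
    (b"\xd0\xcf\x11\xe0", "legacy-office"),  # .doc/.xls (OLE2 container)
)
EXECUTABLE_EXT = {"exe", "dll", "scr", "com", "pif"}


def sniff(data):
    """Identify a file by its leading bytes rather than its extension."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "unknown"


def inspect_attachment(name, data):
    """Offline triage of one attachment; returns findings plus a VirusTotal link."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = sniff(data)
    findings = []
    if kind == "windows-executable" and ext not in EXECUTABLE_EXT:
        findings.append(f"executable disguised as .{ext}")
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.infolist()
        except zipfile.BadZipFile:
            members = []
            findings.append("malformed zip container")
        if any(m.filename.lower().endswith("vbaproject.bin") for m in members):
            findings.append("Office document contains VBA macros")
        # Bit 0 of the general-purpose flag marks an encrypted entry: a
        # password-protected archive that anti-virus cannot look inside.
        if any(m.flag_bits & 0x1 for m in members):
            findings.append("password-protected archive")
        if any(m.filename.rsplit(".", 1)[-1].lower() in EXECUTABLE_EXT for m in members):
            findings.append("archive contains an executable")
    if kind == "pdf" and any(tag in data for tag in (b"/JavaScript", b"/OpenAction", b"/Launch")):
        findings.append("PDF with active content (JavaScript/OpenAction/Launch)")
    if kind == "legacy-office":
        findings.append("legacy binary Office format, may carry macros")
    digest = hashlib.sha256(data).hexdigest()
    return {
        "name": name,
        "detected_type": kind,
        "sha256": digest,
        # Look the hash up first; a match means nothing has to be uploaded.
        "virustotal": f"https://www.virustotal.com/gui/file/{digest}",
        "findings": findings,
    }


def build_docm(with_macros):
    """Constructed minimal OOXML-style zip (not a real Word file) for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 fake macro blob")
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Set the 'encrypted' flag on every entry to simulate a password-protected zip."""
    data = bytearray(zip_bytes)
    # Flag field sits at +6 in a local file header and +8 in a central directory entry.
    for sig, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(sig)
        while pos != -1:
            data[pos + offset] |= 0x1
            pos = data.find(sig, pos + 1)
    return bytes(data)


# Constructed samples (not real malware): a macro document, an executable
# renamed to look like a PDF, a password-protected zip, and a harmless PDF.
SAMPLES = {
    "Invoice.docm": build_docm(with_macros=True),
    "Invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "Scan.zip": mark_encrypted(build_docm(with_macros=False)),
    "Newsletter.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        report = inspect_attachment(name, blob)
        print(name, report["detected_type"], report["findings"], report["virustotal"])
```

None of these checks replaces scanning or a throwaway environment; a document with no macros and a clean hash can still exploit a bug in the program that opens it. The point is to learn cheaply, before the file is opened anywhere, that “Invoice.pdf” is really a Windows program or that the archive was deliberately locked against inspection.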
Email Security:
End-to-end encrypted email: ProtonMail and Tutanota are the only two companies that I am aware of that provide this service. Neither company has access to your email while it is on their servers. Messages sent between customers of the same company are also kept private from prying eyes. Email sent from one of these companies to an ordinary email address elsewhere may or may not be encrypted in transit between the mail servers, but that is a very different type of security: the receiving provider can read it. I
If you use webmail, keep a backup of your contacts/address book on your computer. For Gmail, go to contacts.google.com and look for “Export” in the left-hand column. Google offers three export formats (Google CSV, Outlook CSV, and vCard); it can’t hurt to make three backups, one in each. Make a note to back up your contacts every few months.
An email with a password-protected attachment and the password in the message body is almost certainly malicious. Bad guys use this technique because anti-virus software cannot scan inside an encrypted file. Note that on Windows you can still become infected if you try to open an attached file and it appears to fail to open; the malicious part may already have run.
A common scam email asks you to log in to read an “encrypted” or “secure” message; the login page exists only to steal your password.
REPORTING:
Emails posing as coming from a trusted organization in order to steal passwords or other personal information can be reported to Cisco PhishTank, SpamCop, and the Anti-Phishing Working Group. Registration is required. SpamCop can also be used to report any and all SPAM. Sophos also accepts SPAM and malicious emails. If the scam was sent from a Hotmail or Outlook address, report it to abuse@outlook.com. If it originated from Gmail, report it to abuse@gmail.com.
USE MANY EMAIL ADDRESSES.
This is significant. Far too many systems use an email address as their unique identifier, so when one system is compromised, bad actors are halfway to gaining access to your other accounts. Using multiple email addresses keeps you from putting all of your eggs in one basket and, depending on how you do it, can improve your privacy by concealing your real email address. The ultimate goal of Defensive Computing is a unique email address for each service that requires one. Of course, no one wants to check multiple inboxes, and there are several ways to set this up (aliases, plus-addressing, forwarding) so that all of your email ends up in one inbox. Multiple email addresses also help to confirm the legitimacy of a message. If you receive an email from your power company warning that your power will be shut off unless you pay immediately, and it was not sent to the email address you use only with the power company, it is clearly a forgery.
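The power-company test above can be automated once each service has its own address. The script below is an added example, not code from the original page; it assumes a provider that delivers plus-addressed mail (me+anything@example.org) to one inbox, and the base address, secret, services and messages are all constructed for the demo. It goes one step further than the text: the per-service tag is an HMAC of the service name rather than the bare service name, so an attacker who knows me@example.org cannot simply guess me+bank@example.org.

```python
import hashlib
import hmac
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed setup (not from the original page): mail for anything@example.org
# lands in one inbox, and the secret is known only to the address owner.
BASE = "me@example.org"
SECRET = b"replace-with-a-long-random-secret"

# Which sender domains each service legitimately uses. Constructed for the demo.
SERVICES = {
    "power": {"example-power.com"},
    "bank": {"example-bank.com", "alerts.example-bank.com"},
    "shop": {"example-shop.com"},
}


def alias_for(service):
    """Unique, unguessable address for one service.

    Plain tags such as me+bank@ are easy to guess from the base address, so
    the tag is an HMAC of the service name under a private secret.
    """
    local, domain = BASE.split("@")
    tag = hmac.new(SECRET, service.encode(), hashlib.sha256).hexdigest()[:10]
    return f"{local}+{service}-{tag}@{domain}"


ALIASES = {alias_for(s): s for s in SERVICES}


def classify(raw_message):
    """Decide whether a message's claimed sender fits the address it was sent to."""
    msg = message_from_string(raw_message, policy=policy.default)
    to_addr = parseaddr(msg["To"] or "")[1].lower()
    from_addr = parseaddr(msg["From"] or "")[1].lower()
    from_domain = from_addr.rsplit("@", 1)[-1]
    claimed = next((s for s, doms in SERVICES.items() if from_domain in doms), None)
    alias_service = ALIASES.get(to_addr)

    if claimed is None:
        return "unknown sender"            # nothing to check against
    if alias_service == claimed:
        return "consistent"                # right service, right alias
    if to_addr == BASE.lower():
        # The service never had the bare address; mail that claims to be from
        # it and arrives there is a forgery (or a tag stripped by an attacker,
        # which plus-addressing cannot prevent, hence the same verdict).
        return f"forgery: {claimed} never got the bare address"
    if alias_service is not None:
        return f"forgery: claims {claimed} but sent to the {alias_service} alias (leaked)"
    return "forgery: sent to an address no service was given"


# Constructed messages, not real email.
GENUINE = f"From: Billing <billing@example-power.com>\nTo: {alias_for('power')}\nSubject: Bill\n\nThanks.\n"
FORGED = f"From: Billing <billing@example-power.com>\nTo: {alias_for('bank')}\nSubject: Pay now or lose power\n\nPay.\n"
STRIPPED = f"From: Billing <billing@example-power.com>\nTo: {BASE}\nSubject: Pay now\n\nPay.\n"

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("forged", FORGED), ("stripped", STRIPPED)):
        print(name, "->", classify(raw))
```

Plus-addressing is the easy way to start, but because the tag can be stripped to reach the base address, mail that claims to come from a service and arrives at the bare address is treated as a forgery rather than given the benefit of the doubt. Separate aliases from an alias service, or a catch-all domain of your own, do not have that weakness.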
If your email account has a recovery email address (Gmail does this), check regularly (yearly?) that the recovery address is still valid and still yours. It is used for things like password resets, so whoever controls it can take over the account.
Taking a step back, it appears to me that we are living in a period similar to the one before seat belts were mandated in automobiles. The current standard of reading email on a computer with sensitive or important files (or LAN access to such files) is far too dangerous. You’re doing it wrong if you’re not reading email on a Chromebook or an iOS device. Using any other operating system in a corporate environment means job security for the IT department and the various security firms they employ. This is coming from someone who does not work in corporate IT.