New 'How Email World Works' list has phisher-foiling advice

Earlier this month, at least two phishing scams tried to trick UC Davis email account users into disclosing their user names and passwords. This week, IET coincidentally released "10 Things Everybody Should Know about How the Email World Works." The list was already being assembled before the attempted scams occurred, but they make the advice especially timely.

Some of the information will feel familiar or obvious, such as "Real millionaires will never offer you money via email." Other information might be new to casual users, such as how easy it is to forge "from" addresses in email messages.

Phishers send emails that seem to come from a reputable sender, and hope the recipient will be tricked into writing back with personal or account information. The phisher can use that information to steal money or churn out spam.

Here's the new list, which has also been posted on the campus email Web site:

10 Things Everybody Should Know about How the Email World Works

  1. Email is insecure.
    Even secure email programs only encrypt messages as they travel between the sender's computer and the sender's email server. Email transmitted from the sender's email server to the recipient over the Internet passes unencrypted through any number of servers. Unless you are using a special program to encrypt your email messages (such as PGP), your email can be intercepted and read in transit.

  2. You have no control over a message after you send it.
    The people you send email to can forward it, post it online, or even post it on a billboard. As a rule, you should never include information in an email that you would not want the world to see.

  3. "From" addresses in email messages are easily forged.
    Attackers attempt to gain your trust by forging From lines. Two ways to tell if a message is forged are:
  • If part of the From line reads "IT Express" but the address in brackets is "nobodyyouknow@somewherefaraway.com," then the message is a fake.
  • If the From address is not particularly suspicious, click on "Reply." If the Reply-to address seems unrelated to the From address, then the message is probably fake.

  4. Sending personal information over email puts you at risk for identity theft and other crimes.
    Passwords, Social Security numbers, credit card information and financial account access codes are for your private use. Email messages that request sensitive information are most likely from someone intending to use the information to commit fraud or other crimes. Legitimate organizations are aware of email-related risks and should not ask you to jeopardize the security of sensitive information.

  5. Identity thieves and other criminals use email, Web sites, and the names and logos of legitimate businesses to get you to give them sensitive information.
    It's easy to copy and paste logos into email, so don't believe an email is legitimate just because it includes the logos of well-known companies. Often, the link you see in the message does not take you where it appears to. For example, link text that says http://paypal.com may really lead to something like "http://paypal.fakesite.zz/login.php" and present a realistic imitation of the real site.
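The two checks in item 3 (display name versus bracketed address, and Reply-To versus From) and the link-text-versus-target check in this item can be applied mechanically to a raw message. The following is an added example, not part of the IET list or the campus site; the sample message, the `TRUSTED_DOMAINS` set and the `.example` hosts are constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the article): "IT Express" display name on an
# outside address, an unrelated Reply-To, and link text that hides its target.
SAMPLE_EML = """From: IT Express <nobodyyouknow@somewherefaraway.example>
Reply-To: collector@another-place.example
Content-Type: text/html

<p>Please verify: <a href="http://paypal.fakesite.example/login.php">http://paypal.com</a></p>
"""
TRUSTED_DOMAINS = {"ucdavis.example"}  # assumed: where campus mail should originate

class _Links(HTMLParser):  # collects (href, visible text) pairs from <a> tags
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(s):  # host of a URL, or of a bare "example.com" used as link text
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def phish_indicators(raw):  # returns the list's heuristics that fire on one raw message
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    flags = []
    if name and from_dom not in TRUSTED_DOMAINS:  # item 3: name vs. bracketed address
        flags.append(f"display name {name!r} on outside address {addr}")
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and reply.rpartition("@")[2].lower() != from_dom:  # item 3: Reply-To
        flags.append(f"Reply-To {reply} unrelated to From domain {from_dom}")
    if msg.get_content_type() == "text/html":  # item 5: link text vs. real target
        links = _Links()
        links.feed(msg.get_payload())
        for href, text in links.pairs:
            if "." in text and host_of(text) != host_of(href):
                flags.append(f"link text {text!r} actually goes to {host_of(href)}")
    return flags
```

Running `phish_indicators(SAMPLE_EML)` raises all three flags; a plain-text message from a trusted domain with no Reply-To raises none.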

  6. Curb your curiosity. If you get an email about "your account" from a company you don't do business with, don't click on any links in the message.
    In some cases, the sender wants to get you to a Web site that they use to collect account numbers and passwords. In other cases, their goal is simply to get you to their Web site, which infects your computer with malicious programs as the page is loaded. These programs can allow someone to use your computer to send spam, track keystrokes to collect sensitive information, or set up repositories of inappropriate content.

  7. Legitimate businesses have professional writers and editors who review email messages to customers for errors.
    Typos are fairly common in email, but messages with several misspelled words, poor grammar or an unprofessional appearance are most likely not from a legitimate business and should be viewed with skepticism and/or simply deleted.

  8. Email attachments can contain viruses and worms.
    To avoid opening attachments that contain viruses:
    • Delete messages and attachments from people you don't know.
    • If you do know the sender, contact them (but do not reply to the message you suspect) and ask if they sent the attachment and where they got it.
    • For comprehensive advice on handling email with attachments, see the CERT Home Computer Security page.

  9. Real millionaires will never offer you money via email, so cultivate a healthy skepticism.
    It's nice to feel trusted, but if you receive an email from someone you don't know who claims to have gotten your name from someone they don't specify and offers to pay you 10 percent to help them move millions of dollars out of a distant country, DELETE IT. They want your bank account number and intend to use it to take your money.

  10. Hone your instincts, then trust them.
    Most malicious email has characteristics that are "off" in some way. If you wonder why you received a particular message, treat it with caution.

For more information related to many of these topics, see Cyber-safety Basics: Security for Everyone.