E-mail is one of, if not the, most unsecured technologies in use on the Internet today. Unless a Public Key Infrastructure (PKI) is employed, anyone can steal, copy, or manipulate e-mail while in transit. To make matters worse, e-mail can easily be spoofed to hide a sender’s true identity as well as the true origination point. In total, there is more privacy and security in sending a letter via the U.S. Postal Service than in sending an e-mail over the Internet. A sad statement, given that the technology needed to guarantee privacy, sender identification, and origination point is readily available.
As a result of such a blatantly open and unsecured system, thieves have moved quickly to take advantage as much as possible. While their techniques can be clever, they are far from sophisticated. As a result, there are a number of simple steps to protect yourself from fraudulent e-mails and ensure that neither you nor your computer can be harmed:
1. Never trust an e-mail. Unless an e-mail is encrypted and digitally signed, never trust it, because it can easily be spoofed. With just a few simple scripts on any Internet-accessible computer, an e-mail can be sent to your account, and malicious senders can make it appear to have come from anyone, anywhere. They can also direct replies to an e-mail address other than the one displayed to the user. Imagine getting an e-mail from a friend, only to find out that the friend never sent it. There are ways to validate an e-mail by viewing the message headers, but even those can be spoofed. As a result, scrutinize every message in your inbox and do not assume a message is valid. When replying to a message, make sure the “To” line has the correct address on it and that the reply is not going to a different destination.
2. Do not click links or images in an e-mail. HTML, or the basic code for the web, allows links to be associated with text, graphics, or both. Never trust what appears to be a valid URL in an e-mail. In fraudulent e-mails, the malicious sender can make the hyperlink look as if it would take you to “X” when, in fact, it would take you to “Y”. The danger in going to “Y” is that the malicious sender can make it appear as if you went to “X” and then use your interactions on “Y” to steal your identity. As a result, if you want to follow a hyperlink in an e-mail, always copy and paste the URL manually into your browser; never click on it directly. Most companies no longer embed links in their e-mail communications. Some, like Facebook, still do. No matter what, do not click that link.
3. Open attachments at your own risk. Attachments bring significant risk to a user and their data. When an attachment is opened, it is possible that the attachment contains malicious scripts or code that could harm your computer, allow an attacker to access your data, or both. As a result, assume every attachment is unsafe. If an attachment arrives in Adobe Acrobat or Adobe PDF format, it is likely safe as scripts cannot be run without a digital signature, digital signature trust, and explicit approval from the user. Overall, it is best not to open an attachment unless you both know and trust the sender. Remember, a sender’s identity can be spoofed.
4. Never respond to any message that asks for your personal information. An e-mail is fraudulent and a scam if you are ever asked for your name, address, phone number, date of birth, and e-mail address. Legitimate companies will never ask for this information by e-mail. (Plus, don’t you think they should know your e-mail address if they are sending you an e-mail?) Most companies won’t ask for this by postal mail for that matter. Put simply, if you are asked for personal information, assume it is a scam.
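The first three points above are all things a mail client, gateway or analyst can check mechanically before a human ever reads the message. The following Python script is an added example (not code from the original post) that runs those checks over one constructed sample message: it compares the Reply-To domain with the From domain, compares the host named in a link's visible text with the host its href actually points to, and flags attachments whose extension executes code when opened. Only the standard library is used; the sample message, the addresses and hosts in it, and the extension list are constructed for the example.

```python
import email
import os
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real e-mail). It shows the three tricks the
# list above warns about: a Reply-To that differs from the displayed From, a
# link whose visible text names one host while its href goes to another, and a
# double-extension attachment posing as a PDF.
SAMPLE_RAW = """\
From: "Example Bank Support" <support@examplebank.example>
Reply-To: collect@mailbox.example
To: alice@example.org
Subject: Action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please verify at <a href="http://login.examplebank.example.evil.example/x">https://www.examplebank.example/login</a></p>
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--b1--
"""

# File types that run code when opened; this list is illustrative, not exhaustive.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk", ".jar", ".ps1"}
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(host):
    """Crude registrable-domain approximation (last two labels); enough to expose
    look-alike subdomains such as examplebank.example.evil.example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def address_domain(header):
    """Domain part of the first mailbox in an address header, or '' if absent."""
    if header is None or not header.addresses:
        return ""
    return header.addresses[0].addr_spec.rsplit("@", 1)[-1]


def triage(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Check 1: replies silently redirected away from the displayed sender.
    from_domain = address_domain(msg["From"])
    reply_domain = address_domain(msg["Reply-To"])
    if reply_domain and base_domain(reply_domain) != base_domain(from_domain):
        findings.append(f"reply-to mismatch: From is @{from_domain} but replies go to @{reply_domain}")

    for part in msg.walk():
        # Check 2: link text that looks like a URL but points somewhere else.
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                if not LOOKS_LIKE_URL.match(text):
                    continue  # plain words as link text cannot be compared to the href
                shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
                actual = urlparse(href).hostname or ""
                if base_domain(shown) != base_domain(actual):
                    findings.append(f"deceptive link: text shows {shown} but href goes to {actual}")
        # Check 3: attachments whose real extension executes code.
        filename = part.get_filename()
        if filename and os.path.splitext(filename)[1].lower() in RISKY_EXTENSIONS:
            findings.append(f"risky attachment: {filename}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RAW):
        print(finding)
```

Run against the sample, `triage()` reports all three problems. The link check only fires when the visible text itself looks like a URL, because a link labelled "click here" cannot be compared with anything; a mail gateway would log or rewrite such links rather than trust them, which is the same advice as copying the address by hand.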
These basic steps will prevent anyone from using a person’s e-mail account for fraud. However, these steps won’t ensure e-mail privacy, nor will they prove the identity of the sender. This is where secure e-mail, or PKI, comes in. When secure e-mail is used, the sender and receiver use Digital IDs so that the sender can be identified, the message can be encrypted for the receiver only, and tampering can be prevented. There are two beautiful parts to this technology. The first is that the encryption used for secure e-mail is just as secure as the encryption used for commercial websites. The second is that this technology is available now and works on top of the existing e-mail infrastructure on the Internet. There are a number of vendors that sell Digital IDs. However, vendors like VeriSign are recommended as they have been in the business for a long time and have a well known and established reputation. To employ secure e-mail, one need only have a valid e-mail account, an e-mail client capable of e-mail encryption (such as Microsoft Outlook), a Digital ID, and the “public” copies of their recipients’ Digital IDs. VeriSign’s Whitepaper on Digital IDs provides more detailed information on how Digital IDs work.
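To make the three guarantees in the paragraph above concrete, here is an added example (not code from the original post, and not the S/MIME message format that real Digital IDs use) of what a mail client does with the two halves of a Digital ID: the sender's private key signs the message, and the recipient's public key is used to lock a fresh content key so that only the holder of the matching private key can open it. It assumes the third-party `cryptography` package is installed; the identities alice, bob and mallory, the message text and the JSON packaging are constructed for the illustration, and each Digital ID is reduced to its key pair (a real one also carries a CA-issued certificate binding the key to an e-mail address).

```python
import json
import os

from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Padding parameters shared by both sides (assumed for this illustration).
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def new_identity():
    """A Digital ID reduced to its RSA key pair; the certificate is omitted here."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def seal(plaintext, sender_private, recipient_public):
    """Sign with the sender's private key, then encrypt for the recipient only."""
    # Signature over the plaintext: identifies the sender and exposes any tampering.
    signature = sender_private.sign(plaintext, PSS, hashes.SHA256())
    # Fresh per-message content key; AES-GCM covers message and signature together.
    cek = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    body = json.dumps({"msg": plaintext.hex(), "sig": signature.hex()}).encode()
    ciphertext = AESGCM(cek).encrypt(nonce, body, None)
    # The content key is wrapped to the recipient's public key, so only the holder
    # of the matching private key can unwrap it.
    wrapped_key = recipient_public.encrypt(cek, OAEP)
    return {"wrapped_key": wrapped_key, "nonce": nonce, "ciphertext": ciphertext}


def open_sealed(envelope, recipient_private, claimed_sender_public):
    """Reverse seal(); raises if the envelope was altered, is not for this
    recipient, or was not signed by the claimed sender."""
    cek = recipient_private.decrypt(envelope["wrapped_key"], OAEP)
    body = AESGCM(cek).decrypt(envelope["nonce"], envelope["ciphertext"], None)
    fields = json.loads(body)
    plaintext = bytes.fromhex(fields["msg"])
    claimed_sender_public.verify(bytes.fromhex(fields["sig"]), plaintext, PSS, hashes.SHA256())
    return plaintext


def demo():
    """Exercise the happy path and the three failure modes; returns the outcomes."""
    alice, bob, mallory = new_identity(), new_identity(), new_identity()
    message = b"Constructed sample message: the quarterly report is attached."
    envelope = seal(message, alice, bob.public_key())
    outcome = {"roundtrip": open_sealed(envelope, bob, alice.public_key()) == message}

    # Wrong recipient: mallory's private key cannot unwrap the content key.
    try:
        open_sealed(envelope, mallory, alice.public_key())
        outcome["wrong_recipient_rejected"] = False
    except ValueError:
        outcome["wrong_recipient_rejected"] = True

    # Tampering in transit: flipping one ciphertext byte breaks the GCM tag.
    tampered = dict(envelope)
    ct = bytearray(envelope["ciphertext"])
    ct[0] ^= 0x01
    tampered["ciphertext"] = bytes(ct)
    try:
        open_sealed(tampered, bob, alice.public_key())
        outcome["tamper_detected"] = False
    except InvalidTag:
        outcome["tamper_detected"] = True

    # Spoofed sender: mallory seals a message to bob, who checks it against alice's key.
    forged = seal(message, mallory, bob.public_key())
    try:
        open_sealed(forged, bob, alice.public_key())
        outcome["spoof_detected"] = False
    except InvalidSignature:
        outcome["spoof_detected"] = True
    return outcome


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

A real S/MIME client performs these same two operations but packages them in the CMS/PKCS#7 format and, before trusting the signature, checks that the sender's certificate chains to a CA it trusts and names the e-mail address in the From line; that certificate check is what the vendors' Digital IDs supply and what this illustration leaves out.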
Overall, protect yourself online by following these basic steps and obtaining a Digital ID for e-mail privacy and security. By doing so, you won’t be scammed and your communications won’t be out there for the world to see and steal.
Great post!