The risks
Phishing emails
Phishing emails are designed by fraudsters to appear as if they have been sent by banks, credit card companies, government departments, online stores, auction sites and other trusted organisations. You can receive phishing emails either via a dedicated email client (program) such as Microsoft Outlook, or via internet-based email such as Gmail, Hotmail, Yahoo! Mail or the webmail supplied by your ISP.
Phishing emails attempt to trick you into either:
- Clicking on a link to visit a hoax but authentic-looking website which either asks for confidential information or delivers malware to your computer.
- Opening an attachment that looks like a legitimate file, such as a document, but which actually contains malware (a program or script, or a document that carries one).
Phishing emails often display some of the following characteristics, but as fraudsters become smarter and use new technology, an email may show none of them. It may even address you or your business by name and give your address.
- The domain in the sender’s email address may not match the trusted organisation’s website address.
- The email may be sent from a completely different address or a free webmail address.
- The email may not use your proper name, but uses a non-specific greeting such as “Dear customer.”
- It may contain misspelt words and poor grammar.
- A sense of urgency; for example the threat that unless you act immediately your account may be closed.
- A prominent website link. These can be forged or seem very similar to the proper address, but even a single character’s difference means a different website.
- A request for personal information such as username, password or bank details.
- You weren’t expecting to get an email from the organisation that appears to have sent it.
- The entire text of the email is contained within an image rather than the usual text format. The image contains an embedded link to a bogus site.
- Some phishing emails actually warn you of a virus and invite you to click on a link or open an attachment to protect yourself.
- Even an email from a trusted source may actually be a phishing email if the sender’s account has been hacked.
Avoid phishing emails
- Do not open attachments from unknown sources.
- If in doubt, contact the person or organisation the email claims to have been sent by using the phone number you know to be authentic.
- Do not readily click on links in emails from unknown sources. Instead, hover your mouse pointer over the link to reveal its true destination, usually shown in the status bar at the bottom of the window. Beware if this differs from the address shown in the link text. Bear in mind that the destination shown can itself be a shortened or redirecting link, so this check only rules out the crudest forgeries.
- Do not respond to emails from unknown sources.
- Do not make purchases or charity donations in response to spam email.
- Do not reply to unwanted email.
- Do not unsubscribe from what you think may be phishing emails. The unsubscribe link may itself lead to a hoax website, and clicking it confirms that your address is live.
- Check junk or spam mail folders regularly in case a legitimate email gets through in error.
- If you are suspicious of an email, you can check if it is on a list of known spam and scam emails that some internet security software vendors feature on their websites.
- Most email clients, including Microsoft Outlook, come with spam filtering as standard. Ensure yours is switched on.
- Most spam and junk filters can be set to allow email to be received from trusted sources, and blocked from untrusted sources.
- When choosing a webmail account such as gmail, Hotmail and Yahoo! Mail, make sure you select one that includes spam filtering and that it remains switched on.
- Most internet security packages include spam blocking. Ensure that yours is up to date and has this feature switched on.
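The warning signs listed under the characteristics above, and the “hover over the link” check, can be applied mechanically to a saved message. The script below is an added example and not part of the original page: it parses a raw email with Python’s standard library and reports a mismatched sender domain, a Reply-To that differs from the sender, a generic greeting, urgency wording, and links whose visible text names a different site from the one the href actually points to. The sample message, the trusted domain and every address and hostname in it are constructed for illustration.

```python
"""Heuristic checks for a suspicious email (added example, not from the original page)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fake "bank" alert with a look-alike sender domain, a foreign
# Reply-To, a generic greeting, urgency wording and a link whose text hides its target.
SAMPLE_EMAIL = b"""\
From: Example Bank Security <alerts@examplebank-secure.net>
Reply-To: recovery@mail-relay.example
To: customer@example.org
Subject: Urgent: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer,</p>
<p>Unless you act immediately your account may be closed.</p>
<p>Please verify your password at
<a href="http://examp1ebank.example/login">https://www.examplebank.example/login</a></p>
</body></html>
"""

TRUSTED_DOMAIN = "examplebank.example"  # assumed domain of the organisation being impersonated
URGENCY_WORDS = ("urgent", "immediately", "suspended", "closed", "verify")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear account holder")


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _norm(host):
    """Lower-case a hostname and drop a leading 'www.' so www.x and x compare equal."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def _addr_domain(addr):
    return _norm(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def _url_domain(url):
    # urlparse handles tricks such as http://bank.example@evil.example/ correctly
    return _norm(urlparse(url).hostname) if url.startswith(("http://", "https://")) else ""


def _outside(domain, trusted):
    return bool(domain) and domain != trusted and not domain.endswith("." + trusted)


def analyse(raw: bytes, trusted_domain: str = TRUSTED_DOMAIN) -> list:
    """Return a list of human-readable findings; an empty list means nothing looked wrong."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    from_domain = _addr_domain(parseaddr(msg.get("From", ""))[1])
    if _outside(from_domain, trusted_domain):
        findings.append(f"sender domain {from_domain!r} is not {trusted_domain!r}")

    reply_domain = _addr_domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from sender domain")

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    text = re.sub(r"<[^>]+>", " ", content).lower()   # crude tag stripping for keyword checks
    subject = msg.get("Subject", "").lower()

    if any(g in text for g in GENERIC_GREETINGS):
        findings.append("generic greeting instead of your name")
    hits = [w for w in URGENCY_WORDS if w in text or w in subject]
    if len(hits) >= 2:
        findings.append("urgency language: " + ", ".join(hits))

    if body is not None and body.get_content_type() == "text/html":
        extractor = _LinkExtractor()
        extractor.feed(content)
        for href, shown in extractor.links:
            href_domain, shown_domain = _url_domain(href), _url_domain(shown)
            if shown_domain and shown_domain != href_domain:
                findings.append(f"link text shows {shown_domain!r} but points to {href_domain!r}")
            elif _outside(href_domain, trusted_domain):
                findings.append(f"link points outside {trusted_domain!r}: {href_domain!r}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("-", finding)
```

None of these checks is proof on its own: a compromised genuine account (the last characteristic above) passes the sender-domain test, and a well-crafted message can avoid every keyword. Treat the output as a prompt to verify through a channel you already trust, not as a verdict.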
Spam (junk) email
The vast majority of email sent every day is unsolicited spam. Many of these, rather than being designed to defraud, are sent with the intention of driving visitors to sales websites or even increasing click-through rates on competitors’ websites. Examples include:
- Advertising, for example online pharmacies, pornography, dating, gambling.
- Get rich quick and work from home schemes.
- Hoax virus warnings.
- Hoax charity appeals.
- Chain emails which encourage you to forward them to multiple contacts (often to bring ‘good luck’).
Spammers obtain lists of email addresses by:
- Using automated software.
- Enticing you to enter your details on fraudulent websites.
- Hacking into legitimate websites to gather users’ details.
- Buying them from illicit sources.
- Inviting you to click through to fraudulent websites posing as spam email cancellation services.
- Emails you send to multiple recipients with their addresses listed in the Cc field instead of the Bcc field, or forward without deleting the previous senders’ addresses from the message string.
The very act of replying to a spam email confirms to spammers that your email address exists.
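The Cc-versus-Bcc point above comes down to which headers leave your machine. The function below is an added example, not from the original page: it addresses a one-to-many message so that the recipient list travels only in the SMTP envelope, never in the headers each recipient receives, which is what a mail client or Python’s smtplib does when it strips Bcc before sending. The sender and recipient addresses are constructed placeholders.

```python
"""Address a one-to-many email without exposing the recipient list (added example)."""
import copy
from email.message import EmailMessage
from email.utils import getaddresses


def build_announcement(sender, recipients, subject, body):
    """Return (envelope recipients, header/body bytes as they would be transmitted).

    All recipients go in Bcc. The transmitted copy has Bcc removed, so each recipient
    sees only the sender's address, and cannot harvest or accidentally forward the rest.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender                      # keeps the To field non-empty without naming anyone else
    msg["Bcc"] = ", ".join(recipients)      # the real distribution list
    msg["Subject"] = subject
    msg.set_content(body)

    # The SMTP envelope (RCPT TO) is built from To, Cc and Bcc; this mirrors what
    # smtplib.SMTP.send_message does before it deletes the Bcc header.
    envelope = [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Bcc", []))]

    transmitted = copy.copy(msg)
    del transmitted["Bcc"]                  # never let the list reach other recipients
    return envelope, transmitted.as_bytes()


def leaked_addresses(raw: bytes) -> list:
    """Addresses visible to every recipient of a message as sent: a quick check on a draft."""
    from email import policy
    from email.parser import BytesParser
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]


if __name__ == "__main__":
    env, wire = build_announcement("news@example.org",
                                   ["alice@example.net", "bob@example.com"],
                                   "Newsletter", "Hello all")
    print("envelope recipients:", env)
    print("addresses visible to recipients:", leaked_addresses(wire))
```

Forwarding has the same problem in the body rather than the headers: the quoted message string carries every earlier sender, so delete those lines before forwarding.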
Webmail safety
- Use webmail services from well-known and trusted companies.
- Enable spam filtering or switch to a webmail provider that can do this.
- Use strong passwords to log in.
- Always log out of your webmail when you have finished emailing, instead of merely closing the window or switching off the device.
- Connect to webmail only over a secure connection (indicated by a padlock icon next to the website address in your browser and the letters ‘https://’ at the beginning of the address). If the connection is not secure, take care not to send email which could reveal or provide access to confidential information.
- Be wary about attachments in emails from unknown or untrusted sources. Some webmail systems automatically scan attachments for malware.
- Make sure you have reputable and suitable internet security and firewall software installed and running.
Safeguard old emails
This is not a security risk in itself, but remember that some webmail systems may delete email messages if you exceed a storage quota. If your email archive is important, consider a paid-for online storage service, or a webmail service without these restrictions. Some webmail providers may also suspend your account if you do not access it for an extended period of time.