Email, just like any form of communication, is a tool used for purposes both good and bad. When someone calls you on the phone and identifies themselves, you take measures to confirm their identity: the sound of their voice, the caller ID, or their knowledge of a matter that only the person they claim to be would know. If someone called asking for your social security number and you weren't sure who they were, wouldn't you refuse to continue?
The same needs to be true of email. Email accounts are free and available to anyone, and email providers make no attempt to verify the identity of the person signing up. You, or anyone else, can go to gmail.com, set up a free account with any available address, and set any display name you want. If you enter your name as Donald Trump when signing up for Gmail or any other service, they will make no effort to confirm that you are in fact Donald Trump. Because of this you can never trust that an email is legitimate based on the display name alone, yet many people rely on nothing else.
[Screenshot of an example email] Would you fall for this? What if it were your spouse or manager telling you that they needed your credit card information?
[Screenshot with the sender's address expanded] Looking deeper, you can see the email address. It is not one that this person would use. However, you can't be certain even if it were their correct email address.
What Can I Do?
Every single email needs to be scrutinized. Mailboxes are being broken into constantly. The perpetrators read the messages in the mailboxes they take over and craft new attacks based on what they find. If three people are involved in a conversation and one of them is compromised at some point in the future, the perpetrators will use that mailbox to attack the other two, with emails that look like ones that really do come from people you know but that ask for information, access, or actions that benefit the attacker.
- Trust your intuition: If you have to ask the question "is this legitimate/safe?", it is almost certainly not.
- Check the email address: While not an absolute measure, it's a quick giveaway when you expect an email from a coworker's workplace address but it arrives from a free service like Gmail or Yahoo.
- Check the links: If an email purports to be from Apple, the links that lead to an action (log in, update billing, download a file) should go to Apple's website, and those are the ones to check; hover over a link to see its real destination before clicking. Ancillary links in the same email may well lead to genuine pages on the impersonated sender's website, precisely so the message looks real.
- Press Reply: A message can carry a Reply-To address that differs from the From address, so your reply is redirected. If the address that appears in the To box when you press Reply is different from the one in the From box, it's possibly phishing. You don't have to send anything; just look.
- Rely on expectations: If an email is unusual compared to the sender's normal messages, call the sender by phone. No one is going to randomly share a file with you through Dropbox without having mentioned it first.
- Don't send sensitive information by email, at all: Even if everything is secure right now, some day an email you sent containing sensitive information will be found in a compromised mailbox. On May 3, 2017, a phishing campaign disguised as a Google Docs sharing invitation spread through Gmail and granted the attacker's application access to victims' mail and contacts; Google said fewer than 0.1% of Gmail users were affected, which is still on the order of a million accounts. If an email you sent a year ago sits in one of those mailboxes, a criminal organization now has it. It's best simply not to send sensitive information by email.
What Can My IT Support Service Do?
It is important to realize that as long as people have the ability to set whatever name they want on an email, they will always have an opportunity to trick you and your coworkers. The best defense is to be vigilant and suspicious. The telephone has been in use for over 100 years, and people still fall for scams through it. It will be this way for email as well. Still, there are measures that can be taken to mitigate the problem.
Prevent Spoofing with an SPF Record
A Sender Policy Framework (SPF) record is a public DNS TXT record that lists the systems allowed to send email as your domain. It is important that it ends with the statement that any system not listed is not allowed to send as your domain (the "-all" mechanism), rather than a neutral or "soft" ending that only suggests it. Without such a record, your own company can receive emails that look like they come from your company's domain but originate outside your email system, and the rest of the world can receive emails that appear to come from you and your email address. Two caveats: SPF is evaluated by the receiving mail server, so it protects only recipients whose providers enforce it, and it checks the envelope sender (the bounce address) rather than the From address shown to the reader, so on its own it does not stop every forged From line (DMARC exists to close that gap by requiring the two to align).
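To make the difference between a strict ending, a soft ending and no ending concrete, here is a small SPF evaluator added as an example for this page; it is not code from the original post or from any SPF library. It supports only the ip4, ip6, include and all mechanisms, and instead of querying DNS it looks records up in an embedded table of constructed TXT records under made-up domain names and documentation IP addresses.

```python
import ipaddress

# Constructed DNS TXT records standing in for real lookups. example.com has the
# recommended hard fail; the others show the weaker endings people ship by accident.
DNS = {
    "example.com":      "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8:1::/48 -all",
    "soft.example.com": "v=spf1 ip4:203.0.113.0/24 ~all",   # softfail: receiver usually just marks it
    "weak.example.com": "v=spf1 ip4:203.0.113.0/24",        # no 'all' at all: everyone else is neutral
    "open.example.com": "v=spf1 +all",                      # explicitly allows the whole internet
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, dns=DNS, depth=0):
    """Evaluate the SPF record for `domain` against the sending address `ip`.

    Returns one of 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror',
    following the mechanism semantics of RFC 7208 for the subset handled here.
    """
    if depth > 10:                      # RFC 7208 caps lookups to stop include loops
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"                   # no record: the receiver has nothing to enforce
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # mechanisms default to pass when matched
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return result               # the ending decides everyone not listed above
        if name in ("ip4", "ip6"):
            # a v4 address never matches an ip6 network and vice versa
            if addr in ipaddress.ip_network(arg, strict=False):
                return result
        elif name == "include":
            if check_spf(arg, ip, dns, depth + 1) == "pass":
                return result
        # a, mx, exists and redirect= would need real DNS; ignored in this example
    return "neutral"                    # record exhausted without an 'all': RFC 7208 default


if __name__ == "__main__":
    for dom in DNS:
        print(dom, "->", check_spf(dom, "192.0.2.1"))
```

The last loop makes the point of the section: a stranger's server at 192.0.2.1 gets "fail" from example.com, but only "softfail" from soft.example.com, "neutral" from weak.example.com, and an outright "pass" from open.example.com, so the record only helps if it ends in -all.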
Don’t Give Away Your Logon Information
There are many pages that look like something they're not: fake bank websites, Microsoft logins, Google logins, Facebook logins, and so on. Always check the address bar before entering a password. More on this here: HTTPS Security and Verification.
Implement Transport Rules
If your email system supports it, you can create transport rules that append or prepend warnings to messages. A good one is to prepend the subject with the word EXTERNAL for emails that arrive from outside your organization. This makes it much harder for an outside sender to pretend to be someone within your workplace, because the tag appears even when the display name is a coworker's.
Transport rules should be considered carefully, because they can create a false sense of security. If a rule marks some emails as risky, users may come to believe that any email without the warning is completely safe.
BL Technical Services provides IT support for small businesses and nonprofit organizations. If you are facing a challenge related to email or another facet of IT, we are available. Please use our Contact Form or call us at 800-504-0512.