There is perhaps no more vital online service or piece of software than email, which is probably why everyone—from IT administrators to everyday end-users—loses their minds when email breaks down. It’s also why email remains one of the preferred targets for hackers, and why email security is such a high priority for system admins.
Below are four things all IT admins should teach their users about email security.
Don’t act on mail content from people you don’t know
Here’s a funny thing about email—I can send you an email even if I don’t “know” your email address. Once a hacker (or a shady marketer) finds an email from anyone at your company, odds are they can figure out how email accounts are “named” where you work.
For example, if someone gets ahold of an email from your sales manager John Doe, and his email is firstname.lastname@example.org, it’s pretty obvious that your company uses “first initial, last name” as the naming system for its email accounts. From there, hackers can guess the email of anyone they know (or suspect) works at your company.
The worst thing you can do is confirm those guesses.
If you reply to a suspicious email, the hacker knows the email address works. If you open any attachment, or click on any link, or even download any image included in a strange email—because lots of good mail programs block the images that are included in emails, and you have to “click here to download images”—the hacker now knows that this email address is real and that there’s a person they can hack (or con) on the other end.
It’s perfectly okay to open an email from someone you don’t know, and it’s perfectly safe to read it. But unless you’re really sure that the email is legitimate, don’t act on it. Don’t reply, don’t click, don’t download. To do otherwise is to make yourself a target.
Don’t open attachments you haven’t scanned
Okay, let’s say you’re pretty certain the email you just received is legitimate, and it has an attachment included with the email that you want to open. You need to scan the attachment first.
Your computer has an antivirus scanner on it. (Or, if it doesn’t, go yell at your IT administrator for falling down on the job.) Odds are, you can right-click on any email attachment before you download it, or at least before you open it, and there will be an option to use your security scanner to check if the attachment is safe.
Email attachments are the easiest way for hackers to infect your computer—and your company—with malicious software. Always scan email attachments before you open them—even in emails from people you know.
Just because that email appears to be from your sales manager John Doe, that doesn’t mean it’s really from him. Hackers can “spoof” email addresses to make them look like they came from someone else. Hackers could also have hacked John’s email account and are using it to send dangerous attachments. Or—and this is very common—John could simply be a lot less careful than you are and he is unknowingly passing around an infected attachment, putting everyone else at risk.
A wise man once said trust, but verify. No matter who sent you an email attachment, scan it before you open it. It’s always better to be safe than sorry.
Verify links in emails before you click them
Just like email attachments, links in emails need to be checked before you open them. Websites can be “spoofed” just as easily as email addresses, but fake websites are also much easier to notice if you know what to look for.
Let’s say, for example, someone sent you a link to a news story from The Chicago Tribune. First, you need to make sure the link actually points to The Chicago Tribune. If the sender formatted the email to hide the link—for example, you need to click some text like click here or check this out—you should check to see what the actual web address is before you click on the link.
If you hover your cursor over the linked text and wait a moment, most mail programs or web browsers will show a small pop-up—either directly over the link or at the bottom of the screen—which tells what web address the link is pointing to.
Always check your links before you click on them!
In our example, the web address should include chicagotribune.com somewhere inside the link. There should be no text or symbols between chicagotribune and .com. Hackers often confuse their victims by creating web addresses that look like real websites, but are actually part of a different site altogether.
For example, hackers might create a fake website called newssource.com and then make it look like The Chicago Tribune by creating a web address like chicagotribune.newssource.com. At first glance, it looks like you’re going to the Tribune’s web site, but you’re actually going somewhere on newssource.com.
Even if the web address is fully spelled out in the body of the email—for example, it says http://www.chicagotribune.com—hover over the link to be sure it’s actually going to chicagotribune.com. Often times, it isn’t. If a link point somewhere other than where it should, or the address looks unusual, don’t click on the link.
Again, when it comes to email security, it’s better to be safe than sorry.
Always back up your email
If any of the hacker attacks we’ve outline above succeed, the first thing you’re likely to lose is all your email (followed quickly, one would expect, by your sanity).
No one, no matter how well trained or how good their security software, can keep their email safe forever. Eventually, you will be infected or you will be hacked. That’s why it pays to have a backup plan.
The best way to keep you email safe is to always back up your email.
So, to wrap it all up: Don’t respond to email from strangers, don’t open any attachments you haven’t scanned, don’t open any links you haven’t checked, and always back up your email. Follow these steps and you’re well on your way to keeping your email secure.