The fourth and last part of my small series “IT Misconceptions” deals with “e-mail security”. There are dozens of misunderstandings that are constantly repeated and all too quickly accepted as the truth, without actually being provable. Here I have identified some common misconceptions and show how the risks resulting from a wrong understanding of IT security can be minimised.
Misconception No. 1: “If I only look at an email but do not open an attachment, nothing can happen”.
Unfortunately, this is not true.
Many e-mails today are sent in HTML format. In contrast to pure text e-mails, these are often coloured, with different fonts and graphics. The danger lurks in the so-called source code of an HTML-formatted e-mail: malicious code can be hidden there and executed on the recipient’s computer as soon as the HTML e-mail is opened, without an attachment having to be clicked on. Spammers also like to use HTML e-mails to verify the validity of an e-mail address. This is done via so-called “web bugs”: small, mostly invisible images that are loaded from a spammer’s server when the e-mail is opened, thus signalling that the e-mail has been received. For this reason, users should deactivate the display of e-mail in HTML format in their e-mail program. The e-mails are then only displayed in plain text and can appear poorly readable and incomplete. However, with trusted senders, the recipient can activate the HTML view of the e-mail by clicking a button and view the contents in full.
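To make the “web bug” mechanism concrete, here is an added example (not part of the original article) that lists everything in an HTML e-mail that would make the mail program load or execute something when the message is displayed. The sample message and the host `tracker.example` are constructed placeholders.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

# Constructed sample message for illustration; all hosts are placeholders.
RAW = """\
From: Newsletter <news@shop.example>
To: user@mail.example
Subject: Your weekly offers
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello!</p>
<img src="cid:logo" width="120" height="40">
<img src="http://tracker.example/o.gif?id=user%40mail.example" width="1" height="1">
<script>document.title = "x"</script>
</body></html>
"""

class _Scanner(HTMLParser):
    """Collects elements that make a mail client fetch or execute something."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") or a.get("href") or ""
        remote = url.lower().startswith(("http://", "https://", "//"))
        if tag == "script":
            self.findings.append(("script", url, "active content"))
        elif tag == "img" and remote:
            # A 0x0 or 1x1 remote image is the classic invisible web bug.
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            reason = "web bug (1x1 remote image)" if tiny else "remote image"
            self.findings.append(("img", url, reason))
        elif tag in ("iframe", "link") and remote:
            self.findings.append((tag, url, "remote resource"))

def find_remote_content(raw):
    """Return (tag, url, reason) for each risky element in the HTML parts."""
    msg = message_from_string(raw, policy=default)
    scanner = _Scanner()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            scanner.feed(part.get_content())
    return scanner.findings
```

The embedded `cid:` logo travels inside the message and is not reported; only the remote 1x1 image and the script are.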
Misconception No. 2: “Replying to spam mails does not pose any danger, and you can also follow the links to be removed from the distribution list”.
This is not true.
The term spam covers various types of unsolicited e-mail. These include unsolicited advertising for sometimes dubious products and services, messages with strange content and so-called phishing mails which try to elicit access data to online shops or payment services from the recipient under false pretences.
Regardless of what kind of unsolicited e-mail it is, recipients should ignore it and delete it immediately, preferably without even opening it first. Under no circumstances should users follow links that supposedly lead to the recipient’s address being deleted from the list: as soon as you as the recipient react to such an e-mail, the sender knows that your address is valid and active. The consequence is an even higher volume of unwanted e-mails, i.e. spam, in the e-mail inbox. It may be advisable to create a second e-mail address for the use of online services etc. This way you can at least keep spam e-mails largely away from your main e-mail inbox. In addition, spam filters available as freeware can be used.
Misconception No. 3: “An e-mail always comes from the address written in the sender field.”
This is wrong, because sender addresses of e-mails can be forged at will with little effort.
Behind the name of a person or organisation displayed in an e-mail, a completely different sender can be hidden – this is usually the case with illegal activities such as sending spam or trying to infect a user’s computer with malware.
The user receives an initial indication of the sender by moving the mouse pointer over the displayed name. Depending on the e-mail program, the e-mail address that was allegedly used is then displayed next to the mouse pointer or at the bottom of the screen.
The authenticity of the sender can be determined by verifying the so-called e-mail header. The header or source code of the e-mail can be displayed in the e-mail program. In the lines marked “Received From”, users can follow the path of the e-mail, and the sender can be found in the last Received From line. Attackers sometimes manipulate the Received lines, making it more difficult to determine the actual origin of the e-mail. For this reason, if there are doubts about the origin of an e-mail, the following always applies: Do not open the e-mail, but delete it directly.
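The header check described above can be automated. The following added example (not from the original article) walks the Received lines from the oldest hop upwards and compares the domain in the From field with the Return-Path and Reply-To fields. The message, hosts and addresses are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers for illustration; every host and address is a placeholder.
RAW = """\
Received: from mx.mail.example (mx.mail.example [192.0.2.10])
 by inbox.mail.example with ESMTP; Mon, 03 Mar 2025 10:15:02 +0100
Received: from unknown-host.invalid (unknown [203.0.113.77])
 by mx.mail.example with ESMTP; Mon, 03 Mar 2025 10:15:01 +0100
Return-Path: <bounce@bulk-sender.example>
From: "Your Bank Support" <service@mybank.example>
Reply-To: collect@other-domain.example
To: user@mail.example
Subject: Please confirm your data

Body text.
"""

def domain_of(value):
    """Lower-cased domain of the address in a header value ('' if none)."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def analyse_headers(raw):
    msg = message_from_string(raw)
    # Every relay prepends its own Received line, so the last one in the
    # header block is the oldest hop. Only lines written by servers you
    # trust are reliable; older ones may have been forged by the sender.
    hops = []
    for line in reversed(msg.get_all("Received", [])):
        m = re.search(r"from\s+(\S+).*?\[([0-9a-fA-F.:]+)\]", line, re.S)
        hops.append((m.group(1), m.group(2)) if m else ("?", "?"))
    from_domain = domain_of(msg["From"])
    warnings = []
    for name in ("Return-Path", "Reply-To"):
        other = domain_of(msg[name])
        if other and other != from_domain:
            warnings.append(f"{name} domain {other} != From domain {from_domain}")
    return {"display_name": parseaddr(msg["From"] or "")[0],
            "from_domain": from_domain,
            "hops_oldest_first": hops,
            "warnings": warnings}

if __name__ == "__main__":
    for key, value in analyse_headers(RAW).items():
        print(key, value)
```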
E-mails from seemingly known senders can also be spam, for example if a computer has been infected by malware that automatically sends messages to the people in the victim’s address book. A glance at the subject line is often helpful here to assess how likely it is that this person in particular is using an English phrase or expression that is untypical for him or her.
Misconception No. 4: “Phishing mails are easy to recognise.”
That is incorrect.
The aim of phishing (a blend of the English word “fishing” and a prefixed “P” for password) is to elicit access data from victims to online shops, online banking, e-mail accounts or other Internet services. One of the most popular methods is to forge e-mails from services such as PayPal or Amazon and ask the recipients to follow a link, e.g. to make cancellations or a supposedly security-relevant confirmation of user data.
The layout of such e-mails and the websites to which the links contained therein lead often look deceptively similar to the original e-mails and websites. An indication as to whether it is a phishing e-mail is provided by the e-mail header already mentioned under Misconception No. 3, where the complete sender’s address is visible and in some cases differs only marginally from the original sender. Sometimes the salutation is also missing in the e-mail text. However, the senders of phishing mails are acting more and more professionally, so that even a correct salutation or plausible content does not offer any certainty.
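A sender address that “differs only marginally” from the original is hard to spot by eye but easy to test for. This added example (not part of the original article) compares the sender domain with a list of domains the user actually deals with; the list, the character table and all addresses are hypothetical and use placeholder domains.

```python
from email.utils import parseaddr

# Domains the user really does business with (hypothetical list).
KNOWN_DOMAINS = ["shop.example", "mybank.example"]
# Digits often substituted for similar-looking letters (small illustrative table).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, known=KNOWN_DOMAINS, max_distance=2):
    """Return ('exact' | 'lookalike' | 'unknown', matched domain or None)."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain in known:
        return ("exact", domain)
    # Undo common visual substitutions before comparing ("rn" reads like "m").
    normalised = domain.translate(LOOKALIKES).replace("rn", "m")
    for good in known:
        if normalised == good or edit_distance(domain, good) <= max_distance:
            return ("lookalike", good)
        # Trusted name used as a mere prefix or label of a foreign domain.
        if domain.startswith(good + ".") or ("." + good + ".") in domain:
            return ("lookalike", good)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sender fields for illustration.
    for sender in ("Shop <orders@shop.example>",
                   "Shop <orders@sh0p.example>",
                   "My Bank <service@rnybank.example>",
                   "service@mybank.example.account-check.invalid",
                   "friend@university.example"):
        print(sender, "->", classify_sender(sender))
```

An “exact” result only says that the visible domain matches; as explained under Misconception No. 3, the From field itself can be forged.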
Under no circumstances should recipients follow links in such e-mails! In case of doubt, users can call up the provider’s page in their browser and log in directly on the platform there to make sure. It is also recommended to deactivate the HTML display in the e-mail program (see Misconception No. 1).