Helpful Hints    | Back to main hints page

E-Mail Safety

Basic safety tips

There are many ways you can communicate with others online, like e-mail, chat rooms, bulletin boards and instant messaging. There are also mobile communications such as text messaging that can be conducted offline but with many cell phones now able to connect to the Internet, some problems can travel across to the online environment. In fact, many online safety practices can be applied to your cell phone, even if you do not use it to access the Internet.

Basic e-mail safety tips:

• Change your password often and keep it in a safe place
• Don't share the password with anyone.
• Don't open any attachments from anyone unless they are run through an anti-virus program.
• Log off when done.
• Don't reply to spam, harassing, or offensive e-mail or forward chain e-mail letters.
• Use common sense and keep personal information personal.
• Delete all e-mails, unread, from people you don't know
• Don't be caught by the spammers' favorite trick, “Remember me?”

Forwarding virus warnings and prize draw chain e-mails can get you more than you bargain for, but never what you intended or hoped for.

Most of these types of e-mail are scams or nuisances, some are even damaging and by forwarding them you are adding to the problem and becoming a perpetrator of e-mail abuse.

Basic safety and netiquette when forwarding e-mail

Don't send or forward e-mails to people or add them to your “round robin” e-mail list without asking them if they want to be included. They may not want to hear every joke you think is funny or what your dog did last week and the e-mail address you have on file for them may be a work e-mail address, for instance, to which this type of personal e-mail could range from an annoyance to actually getting them into trouble.

If you must forward the information contained in an e-mail, unless the entire content is vital (an ongoing conversation for instance), always cut and paste the specific information you want to share, removing the multiple carriage returns that often appear “>>“ and other information, like e-mail addresses and names etc. (this goes for all online posting and instant and SMS messaging).

Never forward the contents of an e-mail from a friend or colleague without their prior permission, especially if it carries a disclaimer. Likewise, if you do not want others to forward the contents of your e-mails, tell them. Here is a general disclaimer you can add to your signature file or cut and paste into your e-mails:

This communication (including any attachments) is intended for the use of the intended recipient only and may contain information that is confidential, privileged or legally protected. Any unauthorized use or dissemination of this communication is strictly prohibited. If you have received this communication in error, please immediately notify the sender by return e-mail message and delete all copies of the original communication. Thank you for your cooperation.

Just forwarding (or cutting and pasting) the entire content of a forwarded e-mail (especially one that has already been forwarded many times) means that the e-mail headers and therefore the e-mail addresses of everyone who has ever sent and/or received that particular e-mail will be visible. Nobody wants to have their e-mail address advertised and leaving this type of information intact puts the owners of those e-mail addresses at risk from spammers, online predators and a host of other cybercriminals and malcontents.

The most efficient way to prevent this from happening in the first place is to use the “Bcc” option in your e-mail client. The "Bcc" field (unlike the “To” and “Cc” fields) prevents multiple recipients of an e-mail seeing any of the other e-mail addresses the message was sent to - they only see their own.

Most security warnings sent by e-mail, such as virus alerts, are hoaxes. Unless you have received a security warning from a legitimate anti-virus organization (that you signed up for), you can be 99.9% positive that the information is fraudulent. You must check the information you receive before you decide whether or not to send it to someone else. Forwarding security alerts without verifying their accuracy can cause annoyance, panic, damage to others' computers (some virus hoaxes erroneously instruct a user to delete vital files from their operating system or actually contain a virus themselves) and embarrassment - when you find out that the information you just e-mailed to everyone in your address book is a hoax.

Chain e-mails
When you receive an chain e-mail (even from a trusted friend):

• Don't forward it to anyone else.
• Reply to the sender (if you know them) without including the contents of the original e-mail and politely ask them not to send you any more. If you do not know the sender, ignore the e-mail and report it as spam.
• If you simply cannot bear not to forward a chain e-mail (and we understand that some people cannot ignore them), send it to us: chainmail@wiredsafety.org and we will deal with it for you. If the chain e-mail tells you to send 10 copies to 10 different people, that's fine - send us 10 copies.

However, please remember this. No chain e-mails are legitimate, credible companies do not conduct their marketing in such a haphazard fashion. Chain e-mails cannot bring you fortune or cause bad luck, they will not make you rich and you will never get that luxury holiday. They are lies, at best mischievous at worst (like virus hoaxes) designed to cause worry and disruption.

Finally, if you truly want to help disadvantaged children, endangered species or support another charity or movement, go to their Web site[s] and make a donation or sign up as a volunteer. You can use a search engine to find them, it takes about the same amount of time and effort to run a search as it does to forward a questionable e-mail. If you really want to tell a friend or loved one that you care about them, don't do it with a junk e-mail that has been repeatedly forwarded. Tell them yourself, write a personal note - from your heart or, even better, tell them face to face.

We aren't strangers to urban legends. The crazed stalker of couples in lovers' lane. The baby alligator brought back as a souvenir from Florida that, when flushed down the toilet, lived and hunted in the sewers. Some legends live on from one generation to the next. (Do we even have lovers' lanes anymore, and aren't alligators a protected or endangered species?)

Hoaxes
Real or hoax? You be the judge
Remember Mikey, the Life cereal kid who wouldn't eat anything? Well, you may also remember the rumor (totally unfounded) about twenty years ago that he died while eating Pop Rocks (the effervescent candy) when he drank a can of soda and his stomach exploded. (I wrote my senior thesis on that and other business rumors.) Rumors, especially those that sound believable, have abounded for centuries. It isn't any different in cyberspace. In fact, they move faster online than they ever could offline.

Someone went to a movie and sat down on a hypodermic needle that had been left on the seat. She then contracted AIDS. Someone else was drugged by a beautiful woman and woke up in a bathtub filled with ice to find a kidney missing. (Apparently it had been removed and sold to someone who needed a kidney transplant.)

But most good hoaxes and rumors have three main ingredients- they could happen, they touch something we know about or think is true (people can get HIV from an exposed infected needle, and people are desperate for transplant organs), and they feed on fear (getting HIV/AIDS, being drugged by strangers, dangers of having sex with strangers, etc.).

The difference between a rumor and a hoax is that while hoaxes are planned fakes, rumors may be believed and innocently passed on. But since once a hoax is passed on by people who believe it, it becomes a rumor.

Computer virus rumors are common cyberhoaxes.
E-mail hoax messages warning about some new virus hazard arrive in our mailbox daily. While some are true, many are not. A lot of people are fooled, though.

What Can You Do About It?
Luckily, there are several great resources you can refer to when you get your next e-mail announcing Armageddon, especially e-mails announcing the latest viruses. These sites will help you decide what to pay careful attention to and which to just ignore. Before you forward any e-mail proclaiming the latest virus, check it out. It's good Netiquette and a good way to preserve your credibility. And if you know someone who's rumormongering in cyberspace, tell them, too. (Otherwise, ignore anything they send you, or tell them to remove you from their rumor mailing list).

Phishing
Phishing is an online scam used to commit identity theft. A fraudulent, but official-looking e-mail is sent to a user in an attempt to con that user into divulging personal and/or private information, which is then used for identity theft.

How phishing operates
Phishers spam huge numbers of users with a seemingly credible e-mail that instructs the user to visit a Web site (also fraudulent) where they are prompted to enter or update their personal or private information (such as passwords and credit card, social security, and bank account numbers). Phishers also use pop-ups to try and scam users into entering sensitive information.

What actually happens, to the trusting users who submit this information in response to a Phishing attempt, is that identity thieves steal the user's information and their accounts are emptied.

Phishing attempts are extremely sophisticated and it can be extremely difficult to tell if the e-mail or Web site is real. However, no credible organization (like your bank, credit card company or social security office) will ever ask you for those kinds of details in an e-mail.

Phishing got its name from the idea that bait is cast out among many fish, some of which actually bite, become hooked and are reeled in.

One of our most important tasks is helping those who have been victimized online by scams, fraud and e-mail. ISPs tend to underplay the trauma, and real risks posed by e-mail scams, Internet scams and Internet fraud.

As a crime, Internet fraud is also often under-reported.

Scams and Fraud
The Internet is a perfect medium for scams and frauds and hoaxes.
It's inexpensive and people can communicate anonymously. What better way to take advantage of others? In addition, many users are new to the Internet, and easily conned. But the old adage, "When something seems to good to be true, it isn't true" should apply even more online than in real life.

To learn more about the kinds of scams we encounter online, to learn how to tell a real e-mail from a hoax, or to report an online fraud, use the information in this section. And make sure you think before you click "forward"; thereby becoming part of the problem - by forwarding scams and hoaxes on to others you know.

Basic safety tips for online chat rooms

• Anything you type in a chat room can be seen by everyone who is using that chat room so be careful what you type. In cyberspace the walls don't so much have ears as eyes.
• Choose an non identifiable, non gender specific screen name (and keep it clean!)
• Never give out any personal information whilst chatting online . That means your real name, telephone or cell phone number[s], mailing address, passwords, banking details etc. Ignore requests for personal information like A/S/L and be vague with responses to questions like WITW.
• Never accept files or downloads from people you don't know or from people you do know, if you weren‘t expecting them. This includes URLs.
• Never arrange to meet someone offline that you only know through chat room conversations.
• Make sure you know how to save copies of your chat room conversations.
• Make sure you now how to report problems to the chat room moderator.
• Remember your Netiquette and be nice! Don't send mean chat messages, get involved in chat room arguments (flaming) or incite others to do so.

Basic safety tips for IRC channels

• Anything you type in an IRC channel can be seen by everyone who is using that channel so be careful what you type.
• Choose an non identifiable, non gender specific screen name (and keep it clean!)
• Never give out any personal information whilst chatting online . That means your real name, telephone or cell phone number[s], mailing address, passwords, banking details etc. Ignore requests for personal information like A/S/L and be vague with responses to questions like WITW.
• Never accept files or downloads from people you don't know or from people you do know, if you weren‘t expecting them. This includes URLs, Direct Channel Connections (DCC) or private messages (PMs). When you accept a DCC transmission you are DCC transmissions can contain malicious files, viruses and be used to glean information about and/or "nuke" people.
• Never arrange to meet someone offline that you only know through IRC conversations.
• Make sure you know how to save copies (logs) of your IRC conversations.
• Remember your Netiquette and be nice! Don't send mean chat messages, get involved in arguments or incite others to do so (although it is occasionally OK to slap someone with a fish...)

Spam and Spoofing
Spoofing is the term for falsified e-mail addresses that appear to come from a sender when in fact, the message is really being sent by a spammer. They can be difficult to spot and cause many problems, both for recipients and spoofed e-mail address owners.

How spoofing operates
E-mail spoofing can assume a variety of forms, but basically, a spoofed e-mail has appears to have been sent from one source when it actually was sent from another source entirely. Phishing attempts and e-mail worms typically use spoofed e-mail addresses to trick users into believing that an e-mail has come from a trusted source. The actual sender effectively hides behind a user's address by falsifying its routing information, making it appears to come from the legitimate user's account.

However, any replies to a spoofed e-mail go directly to the legitimate e-mail account (not the sender who has spoofed the e-mail) causing embarassment and inconvenience. The legitimate user can find their e-mail Inbox bombarded with viruses, bounced e-mail, flame e-mails and in some cases can have their account suspended or shut down by their Internet Service Provider (ISP) for violating its anti-spam policy.

Meanwhile, the sender avoids all of these consequences, leaving innocent users to deal with the aftermath.

It is extremely difficult to detect a spoofed e-mail address, at first glance. It is possible to identify a spoofed e-mail by carefully analyzing e-mail headers but generally, spoofed e-mail is not immediately detected as such.

There are several things to look out for regarding potentially spoofed e-mail addresses

Typically, spoofed e-mails will appear to come from a legitimate source and it is often only the content of the e-mail itself that can give the spoofer away. Banks and other financial orgaizations do not request personal information via e-mail - that is one of the most important things you can remember regarding all e-mail fraud (spoofing, spamming and phishing included).

Like spammers, spoofers use various ploys to trick users into opening their e-mails, anything from placing "Dear friend" or "Remember me" in the subject line - implying that the e-mail is from someone the user knows, to more generic subjects like, "Your money has been refunded" or "About your Web site."

Be wary of e-mail that appears to be from a legitimate source (like your bank) that asks you to update your personal information - it is almost certainly a phishing attempt and the official looking e-mail address will be spoofed.

How to tell if your e-mail address is being spoofed

• You receive (sometimes angry) replies to e-mail you know you did not send.
• You receive multiple bounced e-mail that you know you did not send.
• Your ISP challenges you about violating its anti-spam policy.

Although not as easily detectable as spam, spoofing can be identified using the same techniques for identifying spam and phishing attempts. A little common sense can go a long way in preventing many fraudulent e-mail practices..

What to do if you think you have received a spoofed e-mail or your e-mail address is being spoofed

• Do not respond to a spoofed e-mail to complain because, it will only arrive in your own e-mail Inbox.
• Send a copy of the spoofed e-mail to the spoofed e-mail sender's ISP. The e-mail address for this is usually abuse@theirisp.com or postmaster@theirisp.com but if you are not sure, visit their ISP's Web site and search for the information - it will be there.
• Send a copy of the spoofed e-mail you received to your ISP's abuse desk. The e-mail address for this is usually abuse@yourisp.com or postmaster@yourisp.com but if you are not sure, visit your ISP's Web site and search for the information - it will be there.
• Include full e-mail headers when you file a spoofing report. Find out how to read e-mail headers here.

In the US
The Federal Trade Commission accepts copies of unwanted or deceptive messages at: spam@uce.gov . If an unsubscribe request is not being honored (ignored or inoperative) you can fill out the FTC's online complaint form. The FTC stores spam complaints in a database and actively pursue law enforcement actions against people who send spam.

Spoofing can be prevented, to a certain extent, by using the same techniques for identifying spam and phishing attempts. In many parts of the world e-mail spam and spoofing are illegal and should always be reported.

Basic safety tips for preventing e-mail spoofing:

• Use more than one e-mail addresses. One for personal e-mail and the other for mandatory fields in online forms and access areas.
• Make your e-mail address difficult to guess. Spoofers will use every name combination they can find to send spam (known as "dictionary attacks"), so sus4756xan@yourisp.com, although unattractive and possibly difficult to remember, might attract less spam than susan@yourisp.com. Generic e-mail addresses like webmaster@yoursite.com will always attract spoofing, unfortunately.
• Never post your real e-mail address anywhere online, such as newsgroups, online chat and online profiles.
• Use a "throwaway" e-mail address or disguise your e-mail address so that harvester bots cannot read it.
• Always check the privacy policy of any Web site that requests personal details, such as e-mail addresses. If the Web site is requesting this type of information and either does not provide an option to opt out or does not have a privacy policy, it is not wise to submit your information.
• When you are responding via a Web site form, read it thoroughly. Some Web sites who do include an opt out option usually require you to check a box to say that you agree to be sent e-mail (either from them or their associates). However, some of them ask that you uncheck a pre-checked box not to be sent e-mail and many consumers have fallen foul of that.
• Never code e-mail addresses into Web pages with the "mailto" tag, use a contact form or a javascript e-mail scrambler.
• Never open e-mail and/or download attachments from anyone if you are not expecting them and if you must open an attachment - always virus scan it first.
• Keep your operating system, anti-virus, anti-spyware and firewall software up to date.
• Use any spam filters available by default from your ISP.
• Run anti-spam software like Mailwasher.
• Use anti-virus software and/or firewalls on every computer you own/use.
• Stay up to date with current scams and always report suspicious activity.