
Security Misconceptions: E-mail Security

In the fourth part of our series on "Security misconceptions online", we're looking at the topic of "e-mail security". There are dozens of misunderstandings that are repeated over and over, becoming accepted as the truth far too quickly with no actual evidence to prove them. The BSI has identified some common misconceptions and here we show you how to minimise the risks that can arise from misunderstanding IT security.

Misconception 1: "If I just look at an e-mail without opening any attachments, nothing can happen".

Unfortunately this is not the case.
Today, many e-mails are sent in HTML format. Unlike plain text e-mails, these e-mails are often composed in colour, with various fonts and graphics. The source code for an HTML-format e-mail is where the danger lies: This code may contain malicious elements that execute on the recipient's computer as soon as the e-mail is opened, without the user clicking on an attachment. Spammers also like to use HTML e-mails to verify the validity of e-mail addresses. They do so using so-called "web bugs", which are small and usually invisible images loaded from the spammer's server when you open an e-mail, confirming to the spammer that the e-mail has been read. To prevent this, users should deactivate the display of HTML e-mails in their e-mail program. This will mean that e-mails are displayed in plain text format, which could make them difficult to read or appear incomplete. However, if you know the sender, you can click a button to activate the HTML view of the e-mail and see its full content.

Misconception 2: "Replying to spam e-mails is not risky; it's fine to click on the links to remove yourself from the distribution list".

This is not correct.
Spam is a collective term for many different kinds of unwanted e-mails. Spam may range from unwanted e-mails for dubious-sounding products and services and messages with strange content, to phishing e-mails that are designed to get you to disclose your account information for online shops or payment services by presenting you with false information.
Regardless of the type of spam you find in your e-mail inbox, you should ignore it and delete it immediately, ideally without opening the message. Never click on any links provided to "remove yourself" from the distribution list. As soon as you respond to this kind of e-mail in any way, the sender knows that your address is valid and active. This means that you'll get even more unwanted spam in your inbox. It may be a good idea to set up a second e-mail address for using online services etc. This will at least allow you to keep the majority of spam e-mails out of your main inbox. You could also use a freeware spam filter.

Misconception 3: "An e-mail always comes from the address shown in the sender field".

This is not true; sender addresses are easy to fake.
The person or organisation name shown in an e-mail may be a cover for a completely different sender. This is often the case when the message involves illegal activities such as sending spam or attempting to infect a user's computer with malware.

The user can get an initial clue as to who really sent an e-mail by hovering over the sender name field with the mouse cursor. Depending on the e-mail program, the sender's (supposed) e-mail address will be displayed either alongside the cursor or at the bottom edge of the screen.

Whether or not the sender is genuine can be verified by checking the e-mail header. The header and source text of the e-mail can be displayed in your e-mail program. In the lines beginning "Received:" (each of which records the server the message was received from), you can track the path that the e-mail has taken; the sender is identified in the last Received line. However, some attackers also manipulate the Received lines, which makes it harder for you to identify the true origin of the e-mail. If you are ever in any doubt about the origin of an e-mail, do not open it; delete it immediately.

Even e-mails that seem to be from senders you know might be spam. This can happen if a computer is infected with malware that automatically sends messages to people in the victim's address book. In such cases, it is often helpful to look at the subject line and consider whether the wording is something this person would actually use.
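The following script illustrates the header check described above: it reads the "Received:" lines of a raw message, reconstructs the path from the originating host (last Received line) to your mailbox (first Received line), and compares the visible "From:" domain with the Return-Path and with the originating host. This is an added example, not code from the BSI page; the sample message, host names and IP addresses are constructed placeholders.

```python
"""Trace an e-mail's delivery path from its Received headers.

Added example (not from the BSI page). SAMPLE_MESSAGE is constructed; the
host names, IP addresses and message ids are placeholders. Each relay
prepends its own Received line, so the first one in the message is the hop
closest to the recipient and the last one is closest to the real origin.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the From: header claims bank.example.com, but the last
# Received line shows the message entered the mail system from a bare IP.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.recipient.example (Postfix) with ESMTPS id ABC123
\tfor <alice@recipient.example>; Tue, 1 Jan 2030 10:00:00 +0000
Received: from relay.example.net (relay.example.net [192.0.2.20])
\tby mx.example.net with ESMTP id DEF456;
\tTue, 1 Jan 2030 09:59:58 +0000
Received: from [203.0.113.77] (unknown [203.0.113.77])
\tby relay.example.net with SMTP id GHI789;
\tTue, 1 Jan 2030 09:59:50 +0000
From: "Customer Service" <service@bank.example.com>
To: alice@recipient.example
Subject: Please confirm your account
Message-ID: <placeholder@example>

Dear customer, ...
"""

# A Received line has the shape "from <host> ... by <host> ...", possibly
# folded over several physical lines, hence re.S.
HOP_RE = re.compile(r"\bfrom\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.S)


def received_hops(raw):
    """Return one dict per Received header, in header order (newest first)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        hops.append({
            "from": m.group("from") if m else None,
            "by": m.group("by") if m else None,
            "raw": " ".join(value.split()),
        })
    return hops


def domain_of(address_header):
    """Extract the lower-cased domain part of an address header value."""
    return parseaddr(address_header)[1].rpartition("@")[2].lower()


def analyse(raw):
    """Reconstruct the path and compare the claimed sender with the origin."""
    msg = message_from_string(raw)
    hops = received_hops(raw)
    # Path in delivery order: origin host, then each relay, then our server.
    path = [h["from"] for h in reversed(hops)] + ([hops[0]["by"]] if hops else [])
    origin = hops[-1]["from"] if hops else None
    from_domain = domain_of(msg.get("From", ""))
    return_path_domain = domain_of(msg.get("Return-Path", ""))

    findings = []
    if from_domain and return_path_domain and from_domain != return_path_domain:
        findings.append("From: domain differs from Return-Path domain")
    if origin and from_domain and not origin.lower().rstrip(".").endswith(from_domain):
        findings.append("originating host does not belong to the From: domain")

    return {
        "path": path,
        "origin": origin,
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "findings": findings,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_MESSAGE)
    print(" -> ".join(report["path"]))
    for f in report["findings"]:
        print("clue:", f)
```

Only the Received lines added by your own provider's servers can be trusted; everything below them was written by systems outside your control and, as the text notes, may have been forged. A mismatch between the From: domain and the origin is therefore a clue, not proof, since legitimate senders also relay through third-party mail services.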

Misconception 4: "Phishing e-mails are easy to identify".

This is not true.
The aim of phishing (which is derived from the word "fishing", but spelt with a "p" for password) is to convince victims to disclose their account details for online shops, online banking, e-mail accounts or other internet services. One of the most popular methods of phishing is sending out fake e-mails purporting to be from companies such as PayPal and Amazon, and asking users to click on a link to cancel an order or confirm their user information for security reasons.

These e-mails, and the websites at the links they contain, often look very convincing and similar to the genuine versions. You can get an idea of whether an e-mail is a phishing attempt or not by checking the e-mail header as described for misconception 3, which will allow you to see the full sender address; this may only differ slightly from the genuine sender address. Sometimes, a failure to address you by name in the body of the e-mail is another clue. However, attackers who send out phishing e-mails are adopting an increasingly professional approach; addressing you by name or including content that seems plausible doesn't mean that the e-mail is genuine.

Do not click on links in these e-mails! If you are in any doubt as to whether an e-mail is genuine, open the provider's website in your browser and log in there to reassure yourself. We also recommend deactivating HTML display in your e-mail program (see misconception 1).
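The script below puts two of the points above into code: the "web bugs" of misconception 1 (remote, usually 1x1-pixel images that report back when the message is rendered) and the convincing-looking links of misconception 4 (visible link text that shows one address while the actual target is another host). It is an added example written for this page, not code from the BSI; the HTML fragment and every domain in it are constructed placeholders. Inspecting the HTML source this way is what an e-mail program with HTML display deactivated spares you from having to do by hand.

```python
"""Inspect the HTML body of an e-mail for tracking images and deceptive links.

Added example (not from the BSI page). SAMPLE_HTML is constructed; the
domains are documentation placeholders. Uses only the standard library.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one deceptive link (text shows the bank's domain, the
# target is elsewhere), one honest link, one remote 1x1 tracking image and
# one inline (cid:) image that does not contact any server.
SAMPLE_HTML = """\
<html><body>
<p>Dear customer, please <a href="http://login.bank-example.invalid/verify">
https://www.bank.example.com/login</a> to confirm your details.</p>
<p>Or visit <a href="https://www.bank.example.com/help">our help pages</a>.</p>
<img src="http://track.mailer.example.net/open?id=abc123" width="1" height="1">
<img src="cid:logo@example" alt="logo">
</body></html>
"""


class MailHTMLInspector(HTMLParser):
    """Collects remote <img> sources and <a> href/visible-text pairs."""

    def __init__(self):
        super().__init__()
        self.remote_images = []   # (src, width attr, height attr)
        self.links = []           # (href, visible text)
        self._href = None         # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            src = a.get("src", "")
            # Only http(s) images cause a request to a server when rendered;
            # cid: (inline attachment) and data: images do not.
            if urlparse(src).scheme in ("http", "https"):
                self.remote_images.append((src, a.get("width"), a.get("height")))
        elif tag == "a" and a.get("href"):
            self._href = a["href"]
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())
            self.links.append((self._href, visible))
            self._href = None


def _parse(html):
    p = MailHTMLInspector()
    p.feed(html)
    p.close()
    return p


def remote_images(html):
    """Every image fetched from a server; 1x1 (or 0x0) ones are flagged as web bugs."""
    tiny = ("0", "1")
    return [
        {"src": src, "tracking_pixel": (w in tiny and h in tiny)}
        for src, w, h in _parse(html).remote_images
    ]


def deceptive_links(html):
    """Links whose visible text is itself a URL pointing at a different host than href."""
    suspicious = []
    for href, text in _parse(html).links:
        if "://" not in text:
            continue  # plain wording such as "our help pages" cannot contradict the href
        shown_host = urlparse(text).hostname
        real_host = urlparse(href).hostname
        if shown_host and real_host and shown_host.lower() != real_host.lower():
            suspicious.append((text, href))
    return suspicious


if __name__ == "__main__":
    for img in remote_images(SAMPLE_HTML):
        print("remote image:", img["src"], "(tracking pixel)" if img["tracking_pixel"] else "")
    for text, href in deceptive_links(SAMPLE_HTML):
        print("link text shows", text, "but points to", href)
```

Images without width/height attributes are not flagged, because ordinary pictures often lack them too; the point is that any remote image at all reveals that the message was opened, which is why the text recommends plain-text display. The link check only catches text that looks like an address; a link whose wording is "click here" has to be judged by its real target, which hovering over it shows.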