Email Security

What Issues Does Email Usage Have?

The delivery of e-mails is a lot like ordinary postal delivery of postcards. Everyone with some professional knowledge is able to

  • peek at the postcard, thus read it,
  • write on the postcard, thus manipulate it, and
  • send a postcard under a false name, thus forge it.

The reason e-mails can be read or manipulated is that plain e-mails are neither encrypted nor signed. This means that anyone who can access part of the delivery route can tamper with them. Almost every e-mail provider uses transport encryption nowadays, which is good, but it only secures the transport to or from the e-mail provider's server, not the message itself!

As with ordinary postal delivery, the sender's address is not verified upon delivery, which enables forgery. Usually the address is verified when an e-mail is sent: for example, the WWU mail server "secmail.uni-muenster.de" only accepts sender addresses that match the user's account. But there is no global guarantee that all e-mails claiming to come from uni-muenster.de or wwu.de were actually sent through this mail server, so recipients cannot rely on this check alone.

How to Identify Risky Emails?

All email users are confronted with spam and phishing messages at some point. The definitions and some more information can be found on the Threats on the Internet page. But how can one recognize spam, phishing or other risky e-mails? This is often no easy task, because phishing e-mails in particular are designed to look like real e-mails from known companies. The following hints should help with distinguishing between real and fake e-mails:

  • Sender: Check if the sender's e-mail address matches the supposed originator of the e-mail, e.g. "...@uni-muenster.de" for e-mails from the WWU.
  • Salutation: Most companies will use your real name to address you. Fake messages usually use generic phrases like "Dear customer" or a simple "Hello".
  • Grammar/spelling: In many cases fake e-mails have been translated automatically, resulting in more grammatical or spelling issues than usual.
  • Urgency/threats: Most phishing messages ask the user to take immediate action, e.g. to log into a webpage or check an invoice right away, and threaten the user with severe consequences, like blocking the user's account or the imminent payment of a large sum. Most legitimate companies would rather contact you by letter or phone in urgent cases.
  • Offers/winnings: Spam messages for advertisement or scam purposes often promise fabulous products and large profits. Should an e-mail contain such offers or lots of advertisements, you should become suspicious and ignore it.
  • Links: Risky e-mails usually contain cryptic-looking or easily confusable links, for example "uni-meunster.de" or "uni-muenster.de.com" instead of "uni-muenster.de". Most of the time such links are hidden behind text or buttons. Therefore, always check the whole link by hovering over it with your mouse pointer and see if it matches the supposed originator.
  • Digital signatures: Most up-to-date e-mail applications show a seal next to a message when its digital signature is correct and matches the sender's address. Since fraudulent e-mails often use fake addresses, they usually do not carry correct signatures. But since the overall usage of signatures is sparse, most e-mails will not be digitally signed at all yet.

Should an e-mail contain multiple of those indications, it probably is a fraudulent e-mail.
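The sender and link checks from the list above, as an added example in Python that is not part of the original page: a small checker that flags a lookalike sender domain, a link whose visible text differs from its real target, and urgency or generic-salutation wording. The sample message, the expected domain and the keyword list are constructed for illustration and are not real WWU data.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed sample message (not a real e-mail): lookalike sender domain,
# a link whose visible text differs from its real target, urgency wording.
SAMPLE_EML = """\
From: "WWU Service" <service@uni-muenster.de.com>
To: user@uni-muenster.de
Subject: Account blocked
Content-Type: text/html; charset=utf-8

<p>Dear customer, log in immediately or your account will be blocked:</p>
<a href="http://uni-meunster.de/login">https://www.uni-muenster.de/login</a>
"""

EXPECTED_DOMAIN = "uni-muenster.de"          # assumed legitimate domain
URGENCY_WORDS = ("immediately", "blocked", "urgent", "within 24 hours")

def same_domain(host, expected):
    """True only if host is exactly expected or a real subdomain of it
    (so 'uni-muenster.de.com' does not match)."""
    host = host.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)

def address_domain(header_value):
    """Extract the domain part of the first address in a header."""
    match = re.search(r"@([A-Za-z0-9.-]+)", header_value or "")
    return match.group(1).lower() if match else ""

def phishing_indicators(raw, expected=EXPECTED_DOMAIN):
    """Return a list of human-readable warnings for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    warnings = []
    sender = address_domain(msg["From"])
    if not same_domain(sender, expected):
        warnings.append(f"sender domain {sender!r} is not {expected!r}")
    # Compare every link's real target with the text the user sees.
    for href, text in re.findall(r'href="([^"]+)"[^>]*>(.*?)</a>', body, re.S):
        host = urlparse(href).hostname or ""
        if not same_domain(host, expected):
            warnings.append(f"link target {host!r} is not {expected!r}")
        shown = urlparse(text.strip()).hostname
        if shown and shown.lower() != host.lower():
            warnings.append(f"link text shows {shown!r} but points to {host!r}")
    lowered = body.lower()
    if any(word in lowered for word in URGENCY_WORDS):
        warnings.append("urgency or threat wording in body")
    if "dear customer" in lowered:
        warnings.append("generic salutation")
    return warnings
```

Running `phishing_indicators(SAMPLE_EML)` yields five warnings for the constructed message; a message from the expected domain with honest links and a personal salutation yields none.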

General Recommendations

To keep your emails and personal information secure and to protect your devices from malware, you should follow some basic guidelines:

  • Only retrieve or send emails from trustworthy devices that satisfy the basic security measures (up-to-date operating system with anti-virus software and firewall).
  • Make sure to use encrypted connections to the mail server. For webmail (e.g. OWA or Permail) the address should start with "https". For local applications the SSL/TLS encryption should always be enabled.
  • Should you need to send sensitive information, e.g. passwords, you always have to use end-to-end encryption for such emails (see Digital IDs below). The transport encryption SSL/TLS only encrypts the data up to the mail server. It is not recommended to (end-to-end) encrypt every email you send out.
  • Disable automatic downloading of external media, like embedded pictures, because they can contain malware. Many e-mail applications already do this by default.
  • Never open unknown or unexpected file attachments. If the email seems to be from a known person, check with that person whether the message was really sent by them. You should use another method of communication for this.
  • Always be careful with links in emails. Check the link thoroughly even if the email seems to be from a known person. If you do not recognize the origin or the message already looks suspicious, do not click on any embedded links.
  • Do not enter personal information, e.g. login credentials, directly in an email or on a linked website.
  • Never reply to possible spam or phishing emails. Preferably just delete them. Should you be unsure whether it could be a legitimate email, check with the sender using another method of communication.
  • You can use a spam filter to reduce the amount of spam you directly receive. Many e-mail providers and applications already include a spam filter by default. You can enable a spam filter for the WWU email service as well.

Recommendations for Business Emails

The use of emails for business purposes at the WWU has to comply with some additional regulations:

  • Only the mailbox provided by the WWU may be used for business emails.
  • The automatic forwarding of business emails to external mailboxes is prohibited.
  • As far as possible all business emails, especially newsletters, should be digitally signed.

Digital IDs

Digital IDs, or user certificates, are an additional option to secure email communication. Most importantly, they can be used to sign outgoing emails, which can be compared to putting a postcard in an envelope and affixing a seal. This enables the recipient to verify that the letter really was sent by a particular person, and it guarantees that it was not manipulated along the way. Digital IDs can also be used to encrypt messages end-to-end, thus making them unreadable during the whole delivery process. For end-to-end encryption the recipient must also own a digital ID.

We are aiming to digitally sign all official emails from the WWU in the near future and will try to extend the usage of digital IDs in regular email communication at the WWU as well. For this purpose the Münster University Certification Authority (WWUCA) offers free digital IDs for all members of the WWU. You can use MyZIV to request such a digital ID for yourself.

All up-to-date email applications are able to automatically sign messages or encrypt them when needed, once a digital ID is available. Signatures of received emails are usually checked automatically as well, and a seal is displayed next to the message if the signature is correct. Further information can be found on the website of the WWUCA.

Requesting a Digital ID
Importing and Using a Digital ID