What Issues Does Email Usage Have?
The delivery of e-mails is a lot like the ordinary postal delivery of postcards. Anyone with some professional knowledge is able to
- peek at the postcard, thus read it,
- write on the postcard, thus manipulate it, and
- send a postcard under a false name, thus forge it.
E-mails can be read or manipulated because plain e-mails are neither encrypted nor signed. This means that anyone who can access part of the delivery route can tamper with them. Almost every e-mail provider uses transport encryption nowadays, which is good, but it only secures the transport to or from the e-mail provider's server!
As with ordinary postal delivery, the sender's address is not verified upon delivery, which enables forgery. Usually the address is verified before an e-mail is sent. For example, the WWU mail server "secmail.uni-muenster.de" only accepts e-mail addresses which match the user's account. But it is not possible to guarantee (globally) that all e-mails claiming to come from uni-muenster.de or wwu.de were sent through this mail server and thus verified.
How to Identify Risky Emails?
All e-mail users are confronted with spam and phishing messages at some point. The definitions and some more information can be found on the Threats on the Internet page. But how can one recognize spam, phishing or other risky e-mails? This is often not easy, because phishing e-mails in particular are designed to look like real e-mails from known companies. The following hints should help with distinguishing between real and fake e-mails:
- Sender: Check if the sender's e-mail address matches the supposed originator of the e-mail, e.g. "...@uni-muenster.de" for e-mails from the WWU.
- Salutation: Most companies will use your real name to address you. Fake messages usually use generic phrases like "Dear customer" or a simple "Hello".
- Grammar/spelling: In many cases fake e-mails have been translated automatically, resulting in more grammatical or spelling errors than usual.
- Urgency/threats: Most phishing messages ask the user to take immediate action, e.g. immediately log into a webpage or check an invoice, and threaten the user with severe consequences, like blocking the user's account or imminent payment of a large sum. Most legitimate companies would rather contact you by letter or phone in urgent cases.
- Offers/winnings: Spam messages for advertisement or scam purposes often promise fabulous products and large profits. Should an e-mail contain such offers or lots of advertisements, you should become suspicious and ignore it.
- Links: Risky e-mails usually contain cryptic-looking or easily confused links, for example "uni-meunster.de" or "uni-muenster.de.com" instead of "uni-muenster.de". Most of the time such links are hidden behind text or buttons. Therefore, always check the whole link by hovering over it with your mouse pointer and see whether it matches the supposed originator.
- Digital signatures: Most up-to-date e-mail applications show a seal next to a message when its digital signature is correct and matches the sender's address. Since fraudulent e-mails often use fake addresses, they probably do not have correct signatures. However, since signatures are still not widely used, most e-mails will not be digitally signed at all.
Should an e-mail show several of these indications, it is probably a fraudulent e-mail.
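The link check from the "Links" hint above can also be automated. The following Python code is an added example, not part of the original page: it extracts every link from an HTML message body, classifies the real target host against "uni-muenster.de", and reports when the visible link text shows a different host. The function names, the 0.85 similarity cut-off and the sample message are assumptions made for illustration.

```python
import difflib
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "uni-muenster.de"  # legitimate domain named in the text above

def classify_host(host, trusted=TRUSTED):
    host = host.lower().rstrip(".")
    if host == trusted or host.endswith("." + trusted):
        return "trusted"              # the domain itself or a real subdomain
    if trusted in host:
        return "embeds-trusted-name"  # e.g. uni-muenster.de.com
    tail = ".".join(host.split(".")[-2:])  # 0.85 below: heuristic cut-off (assumption)
    if difflib.SequenceMatcher(None, tail, trusted).ratio() >= 0.85:
        return "lookalike"            # e.g. uni-meunster.de
    return "other"

class AnchorCollector(HTMLParser):  # collects (visible text, href) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit_links(html):
    """Returns (real host, verdict, text_shows_other_host) for each link."""
    parser = AnchorCollector()
    parser.feed(html)
    results = []
    for text, href in parser.links:
        host = urlsplit(href).hostname or ""
        shown = urlsplit(text).hostname if text.startswith(("http://", "https://")) else None
        results.append((host, classify_host(host), shown is not None and shown != host))
    return results

# Constructed sample body for illustration, not a real message.
SAMPLE_HTML = """
<p><a href="https://uni-muenster.de.com/login">https://www.uni-muenster.de/login</a></p>
<p><a href="http://uni-meunster.de/invoice">Check invoice</a></p>
<p><a href="https://www.uni-muenster.de/">University pages</a></p>
"""
```

Calling audit_links(SAMPLE_HTML) yields one tuple per link; any verdict other than "trusted", or a True in the third position, marks a link that deserves a closer look.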