Email: What’s safe, and what isn’t

We love email — it’s a great way to keep in touch with friends and family, and for many of us it’s an essential part of our jobs. The problem is that criminals love email too — it’s inexpensive, hard to trace and an easy way to distribute viruses, harmful software and scams.

So what are the threats, and how can you avoid them? We’ve got your answers:

Viruses and malicious software
Viruses, worms, “Trojan horses” and other malware can cause damage to your system which is time-consuming and costly to fix. Not only can you lose your data, someone could hack into your computer for their own purposes — such as using your address book to distribute the virus to your contacts. There are three main ways to “catch” a virus from email:

Opening an email: Viruses or malware can be embedded in the HTML or RTF (rich-text format) code of the message and set to activate when you read the message. Microsoft Outlook and Outlook Express used to be particularly vulnerable to attack given their tight integration with other software — even viewing the message in the “reading pane” could trigger the attack. However, most email programs now protect against this threat by disabling scripts or blocking certain types of code in the message.

Opening an attachment: Attaching files to an email is a quick and easy way to share information — and one of the most common ways to transmit viruses. Opening the email alone won’t do it, but your computer will become infected when you open an attachment which is a virus or contains a virus.

Clicking on links: A link can take you to an infected website or automatically download a virus or malware to your computer.

How can you protect yourself? Automatic processes and common sense are your best protection:

Adjust your security settings. If you don’t use one already, activate the spam filter in your email program. Turn off any options that allow attachments to download automatically or scripts or “ActiveX controls” to run. Experts still advise that “plain text” emails are the safest to view, but you can also limit the HTML code by adjusting your email settings.

Ignore and delete emails from senders you don’t know, especially if they contain attachments.

Beware of the unexpected. Viruses can take control of email address books and send out messages to family, friends and colleagues. In other words, just because you know the sender doesn’t mean the message is safe. If you weren’t expecting an attachment, double check with the person who sent it before you open it.

Scan it. Set your anti-virus software to scan emails and attachments. As an extra level of protection, save attachments and manually activate a virus scan before you open them.

Remember, “when in doubt, don’t” — don’t open the email or its attachments, download or run any software or click on links.
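The settings advice above (view plain text, keep scripts and ActiveX from running, don't open attachments automatically) can be illustrated with a short script. This is an added example, not part of the original article: it uses Python's standard `email` module on a constructed sample message, and the list of tags treated as "active content" is an assumption chosen for illustration.

```python
import re
from email import message_from_string, policy

# Constructed sample message (not real mail): a plain-text part, an HTML part
# carrying a script and an embedded object, and one attachment.
SAMPLE = """\
From: "Example Sender" <sender@example.com>
Subject: Your invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/plain; charset="utf-8"

Please see the attached invoice.

--inner
Content-Type: text/html; charset="utf-8"

<html><body><p>Please see the attached invoice.</p>
<script>doSomething()</script>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
</body></html>

--inner--
--outer
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.doc"

constructed placeholder bytes
--outer--
"""

# Opening tags counted as active content (illustrative list, an assumption).
ACTIVE = re.compile(r"<\s*(script|object|embed|iframe)\b", re.I)

def safe_view(raw):
    """Show only the plain-text part; report active HTML tags and attachments."""
    msg = message_from_string(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    text = plain.get_content().strip() if plain else "(no plain-text part; HTML not rendered)"
    active = sorted({t.lower() for t in ACTIVE.findall(html.get_content())}) if html else []
    # Attachments are listed by name only; nothing is saved or opened.
    return {"text": text, "active_content": active,
            "attachments": [p.get_filename() for p in msg.iter_attachments()]}

if __name__ == "__main__":
    print(safe_view(SAMPLE))
```

The HTML part is never rendered and the attachment is never written to disk; the report only tells the reader what the message contains before they decide whether to open anything.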

Phishing scams
Phishing is the process of sending out an official-looking email in order to get victims to supply sensitive information like passwords, banking information, credit card numbers or social insurance numbers. The email may say there is a problem with your account and direct you to a website to verify financial information or enter your email and password. The con-artist could be posing as your bank, a local charity, a government institution, a business or a hiring employer, but their goal is to steal your cash or your identity.

The reason these schemes are successful is that the emails and websites appear to be legitimate — a technique known as “spoofing.” Con-artists steal design elements (logos, colour schemes and layout) or source code from websites and legitimate emails to create their own fraudulent versions — a wolf in sheep’s clothing, so to speak.

It’s hard to tell the real from the fake, but here’s what you can do:

Assume it’s a fake. Any email asking for sensitive information should be treated with suspicion. While many companies do send out emails advertising new products or services, they usually call their customers directly if there is a problem with their account.

Read closely. Watch for mistakes in spelling and grammar throughout the email — the “spoofed” part may be correct, but the added content may contain errors. Look for language and slang that may seem out of character for the person or organization supposedly sending the email. Is the tone formal in one part of the email, and more casual in another?

Verify. If you think it might be a legitimate request (e.g. the message could be from a company you deal with) contact the institution yourself to see if there is a problem. Ignore all phone numbers and links in the email — you don’t know what’s at the other end — and instead look up the phone number or website via an internet search engine or phone book.

Go to another source. If the message is from a company you don’t know, don’t try to contact them. Instead, stick to reputable sources for help. For example, if you receive an email confirming a purchase you never made, watch your credit card statement and contact your credit card company. Don’t open any attached “invoices” or “receipts” — they will likely contain a virus.

Charity scams, vacation scams, financial scams and other hoaxes are also perpetrated through email. More information about these issues can be found at

Email should be considered part of your personal information — just like your mailing address and telephone number — and guarded with the same protection. You can cut down your exposure to spam and harmful risks by taking a few precautions:

Protect access. Change your email password from time to time, and never give it out.

Create a separate email account for wide distribution. Sign up for a free service like Yahoo Mail, Hotmail or Gmail to use for social networking, newsletters and newsgroups, promotions and online dating.

Beware of the bounce. Received a “could not deliver this message” notification for an email you didn’t send? Check your “sent messages” folder for signs that someone has hacked into your email. Otherwise, the error message is either a trick to get you to read the email or your address was used in the “from” field of a spam message. (See Symantec’s website for more information on this issue.)

Post with caution. If your address appears on a website, whether it’s personal, professional or for a volunteer organization, make sure to disguise it from automatic scanning processes that capture your address and add it to spam lists. Switch out some of the characters such as (at) instead of @, and spell out “dotcom” instead of .com.

Read the fine print. Before you sign up for a newsletter or alert, read the privacy policy first to make sure your information won’t be shared. Legitimate businesses should always have a feature to allow you to “unsubscribe” and should never send you emails which you didn’t request.

Mind your CCs and BCCs. If you’re sending out a single message to multiple recipients who don’t know each other, protect their information by putting your own address in the “To” field and listing everyone else in the “BCC” (blind carbon copy) field rather than the “CC” field.

Clear your cache. Adjust your internet browser settings to clear all personal information when you shut down the program, especially if you’re using a public computer.

When it comes to harmful emails, even the most careful people get caught sometimes. It’s important to know how to react, and to take action quickly if you become a victim. For example, if you suspect your email account has been compromised, change your password and contact your provider’s support service for more information. A virus may require attention from a professional if your anti-virus software can’t resolve the issue.

There are several organizations to which you can report phishing scams and fraud, including the Federal Trade Commission, the Anti-Phishing Working Group, SCAMwatch and Phonebusters. If you’ve given out your personal or financial information, treat it as a potential case of identity theft and contact your financial institutions and your local police fraud unit.

Resources: Anti-Phishing Working Group, Phonebusters, US-CERT Virus Basics
