Managing email security

By: Jean Macgregor

Overview

Email has become one of the primary ways we communicate in our personal and professional lives. However, we can often be our own worst enemy when using it. In this final article in our series for National Cyber Security Awareness Month, we will look at the most common mistakes people make and how you can avoid them in your day-to-day lives.

Autocomplete

Autocomplete is a common feature that is found in most email programs. As you type the name of the person you want to send your email message to, your email software automatically selects their email address for you. This way, you do not have to remember the email addresses of all your contacts, just the recipient’s name. The problem with autocomplete comes when you have contacts that share similar names. It is very easy for autocomplete to select the wrong email address for you. For example, you may intend to send an email with all of your organization’s financial information to “Fred Smith,” your co-worker in accounting. Instead, autocomplete selects “Fred Johnson,” your neighbor. As a result, you end up sending sensitive information to unauthorized people. To protect yourself against this, always double-check the name and the email address before you hit send.

CC / BCC / Reply All

Most email programs have two options besides the “To” field: Cc and Bcc. “Cc” stands for “Carbon copy,” which means you want to keep people copied and informed. “Bcc” means “Blind carbon copy.” It is similar to Cc, but no one can see the people you have Bcc’ed. Both of these options can get you into trouble. When someone sends you an email and has Cc’ed people on it, you have to decide if you want to reply to just the sender or reply to everyone that was included on the Cc. If your reply is sensitive, you may want to reply only to the sender. If that is the case, be sure you do not use the “Reply All” option, which will include everyone. A Bcc presents a different problem. When sending a sensitive email, you may want to copy someone privately using Bcc, such as your boss. However, if your boss responds using “Reply All,” all of the recipients will know that your boss was secretly Bcc’ed on your original email. In any event, before you select “Reply All” when responding to an email, ask yourself if everyone really needs to be copied on your response. We’ve all experienced our inboxes being filled by “Reply All” responses that didn’t involve us, so please use this feature only if absolutely necessary. Your co-workers will thank you.

Bcc has one important “netiquette” function, and that has to do with emailing groups of people who aren’t part of the same organisation. For example, if you have to send an email to the personal addresses of several different people (in my case, this is my joke list), you should always use Bcc to avoid exposing people’s email addresses to others. If you just use the “To:” field, all recipients will be able to see the names and addresses of all other recipients, and that can have privacy implications. In this case, Bcc is your friend.

Distribution lists

Distribution lists are a collection of email addresses represented by a single email address, sometimes called a mail list or a group name. For example, you may have a distribution list with the email address group@example.com. When you send an email to that address, the message gets sent to everyone in the group, which could be hundreds or thousands of people. Be very careful what you send to a distribution list, since so many people may receive that message. In addition, be very careful when replying to someone’s email on a distribution list. You may only intend to reply to the individual sender, but if you hit “Reply All,” you will have included the entire distribution list. This means that hundreds (if not thousands) of people will be able to read your private email. Another problem with autocomplete is that it could select a distribution list instead of a single recipient. Your intent may be to email only a single person, such as your co-worker Carl at carl@example.com, but autocomplete might accidentally send it to a distribution list you subscribed to about cars.

Emotion

Never send an email when you are emotionally charged. An email written in an emotional state could cause you harm in the future, perhaps even costing you a friendship or a job. Instead, take a moment and calmly organize your thoughts. If you have to vent your frustration, open your email program, make sure the message is not addressed to anyone and type exactly what you feel like saying. When you are done, get up and walk away from your computer, perhaps make yourself a cup of tea. When you come back, delete the email and start over again. Even better, pick up the phone and talk to the person, as it can be difficult to determine tone and intent with just an email.

Security

Email is a very common “attack vector,” or method of getting bad software (“malware”) onto your computer. It’s usually done by cyber criminals sending you an email that has an infected attachment; you open the attachment and your computer is infected. Similarly, an email can contain a link that appears to point to one website but actually takes you to a different site where your computer gets infected. We’ve mentioned it previously but it’s a point worth repeating: be exceedingly cautious about the attachments you open. As far as links in an email go, hover your mouse pointer over the link and see if the link that is displayed matches the link in the email. If the displayed link and written link are different, then don’t click on the link. Remember: just because the email says it came from a friend, that doesn’t mean it did. The bad guys can easily fake the sender name and send you an email with an infected attachment, so please be careful with links and attachments.

Privacy

Finally, remember that traditional email has few privacy protections. Anyone who gains access to your email can read your messages. For that reason, sensitive personal information such as credit card numbers, Social Insurance Numbers, etc. should never be sent in an email. In addition, unlike a phone call or personal conversation, you no longer have control over an email once you send it. Your email can easily be forwarded to others, posted on public forums and may remain accessible on the Internet forever. If you have something truly private to communicate, pick up the phone. It is also important to remember that email can be used as legal evidence in many countries. Finally, make sure you lock your computer if you’re going to be away from it. An unlocked computer allows anyone passing by to read your email and (I’ve seen this happen) send an email as YOU.

Don Devenney is a member of the Server, Networks and Telecom Infrastructures team at Royal Roads University and is a GIAC Certified Windows Security Administrator.