I am often asked by family and business associates what they can do to protect themselves from malicious emails. There are many email best practices on the internet, but I find that many are specific to home users or business users. I also find that some are outdated, as the times and methods have changed. I wanted to put together a general email best practices guideline that would apply to all computer users and hopefully stand the test of time. I have read many best practices guidelines and over time identified the methods that I thought were the best. I created this document with those methods in mind.
User's guide for email safety
Readiness. Are you ready to receive email? Does your computer have the latest patches for your particular operating system? Do you have antivirus software, and is it up to date? Do you have a folder designated as “Infected” for detaching files and scanning them with the antivirus software? Is your email client configured to use “Plain Text Mode”? Do you have the “Preview pane” turned off? Is your email client configured so that attachments are not automatically launched, so that you have to detach files manually?
Education. Are all of your team or family members educated on safe email practices and how to avoid malicious software? Do you recognize that threats change and that continuous education on safe practices will help you reduce your risk from malicious threats?
Assume that any email is malicious, even if you know the sender. Often, email addresses are harvested from infected computers and malicious emails are sent to the harvested email addresses. This increases the chance that a malicious email may come from family, friends, or business associates. By assuming every email is malicious until you take the steps necessary to determine that the email is reasonably safe, you will greatly reduce your risk of infection.
Do you know who is sending the email? Is the email from someone that you know? Has this sender sent you an email before? Is the sender known to participate in risky email practices, such as the forwarding of jokes or chain mails?
Expect. Are you expecting email from the sender? A malicious email may often arrive from someone you know. If you were not expecting an email, confirmation is key. A quick telephone call is one way to help you determine if a suspicious email is legitimate. You may want to delete or quarantine any emails that you did not expect to receive.
Make Sense. Does the email make sense? Is the subject line spelled correctly? Does the subject correspond with the attachments or the body of the email? Does the body of the email contain misspellings? If the email is from your grandma, would you expect an email that said “This girl is da Bomb ;) check out the pics”?
Avoid hoax messages that use social engineering tactics to get you to do something, even if the message appears to come from an authority figure such as “administrator” or “Microsoft”. Avoid going to any URLs or web links in emails. It is best to only go to mainstream websites, and to manually type the address into the browser. Avoid emails that suggest that you should alter your computer; the “fix” is often the malicious activity that the sender was hoping to manipulate you into performing.
Inspect emails carefully. Delete or quarantine any emails that look suspicious or do not pass the aforementioned checks. Check attachment names for misspellings and look for double or long extensions such as “cool.txt.exe” or “test____________.exe” (padding pushes the real extension out of view). “Fun” emails that have animations or free games are often malicious. Detach attachments manually to the “Infected” folder you created. Scan the folder with your virus scanner before opening them.
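A small check, added here as an example and not part of the original guide, that applies the attachment-name rules above to a list of file names: it flags the two patterns the guide gives, a double extension like cool.txt.exe and a padded name like test____________.exe. The extension lists and the eight-character padding threshold are assumptions.

```python
import re

# Added example, not part of the original guide. The extension lists are
# illustrative assumptions, not an exhaustive reference.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js",
                   "jse", "wsf", "hta", "msi", "ps1", "jar"}
DECOY_EXTS = {"txt", "pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg",
              "png", "gif", "zip"}
# A run of eight or more filler characters pushes the true extension out of
# view in a narrow attachment column, as in "test____________.exe".
PADDING_RE = re.compile(r"[ _\-]{8,}")


def check_attachment_name(name: str) -> list[str]:
    """Return the warning signs found in one attachment name.

    An empty list means none of the checks fired; it does not mean the file
    is safe, so it still belongs in the "Infected" folder for a scan.
    """
    reasons = []
    # Strip filler around each dot-separated part so "pdf      " still reads as pdf.
    parts = [p.strip(" _-") for p in name.lower().split(".")]
    if len(parts) < 2:
        return reasons  # no extension at all; nothing to judge here
    final_ext = parts[-1]
    inner_exts = parts[1:-1]
    if final_ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{final_ext}")
    if any(ext in DECOY_EXTS for ext in inner_exts):
        reasons.append("double extension ." + ".".join(parts[1:]))
    if PADDING_RE.search(name):
        reasons.append("long run of padding characters before the extension")
    return reasons


def triage(names: list[str]) -> dict[str, list[str]]:
    """Map each suspicious name to its reasons; clean-looking names are omitted."""
    return {n: r for n in names if (r := check_attachment_name(n))}


if __name__ == "__main__":
    # Constructed sample attachment names, including the two from the guide.
    samples = ["cool.txt.exe", "test____________.exe", "report.pdf",
               "holiday.jpg", "invoice.pdf          .scr", "notes"]
    for name, reasons in triage(samples).items():
        print(f"QUARANTINE {name!r}: {'; '.join(reasons)}")
```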
Learn from your actions. There is no silver bullet in security. There is always a risk involved in computing, even if you follow the rules. Learn from your mistakes as well as from the things you do right. It is important to stay up to date on new threats and to continuously monitor your actions to reduce the risk of infection or data theft.