Handling email safely and protecting yourself against phishing attacks

Last updated by Ashley Cawley on January 31, 2024 16:22

In 2004 Bill Gates famously declared that he would rid the world of spam within two years. Unfortunately that day didn't arrive, and two decades later the average computer user is still bombarded with unsolicited spam and dangerous phishing emails trying to steal passwords or extort money.

Sadly there is no single email solution or spam filter which can block 100% of spam or harmful emails, which is why at cloudabove we felt the need to provide some practical advice on staying safe and secure when handling day-to-day email.

When handling new email threads we recommend not taking things at face value and always being sceptical. It is worth realising that the sender's Name can be spoofed (faked) easily, and in some circumstances even the email address itself can be spoofed. So the email may not always be from who it seems, even if it mentions a name you recognise. With that in mind we advise the following:


When you see the Sender's name at the top of an email, do not take it for granted that it is true.

The From Name can be faked. Depending on your email program, hovering over the name or clicking on it will often reveal more information or show the real email address that it came from.
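What hovering over the From Name reveals, written out as an added example (not cloudabove's code): a short Python script that separates the From Name from the real address in a raw message and flags two kinds of mismatch. The sample messages and the `KNOWN_SENDERS` directory are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical directory of people you deal with: From Name -> real address.
KNOWN_SENDERS = {"jane doe": "jane.doe@example.org"}

ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample messages (not real mail).
SPOOFED_NAME = ('From: "Accounts Team <accounts@example.com>" '
                '<billing@mail-example.net>\n'
                'Subject: Invoice overdue\n\nPlease log in to review.\n')
IMPERSONATED = ('From: Jane Doe <jane.doe@freemail.example>\n'
                'Subject: Urgent payment\n\nCan you pay this today?\n')
GENUINE = ('From: Jane Doe <jane.doe@example.org>\n'
           'Subject: Lunch\n\nSee you at one.\n')


def inspect_from(raw_message, known=KNOWN_SENDERS):
    """Split the From header into name and address and list any mismatches."""
    msg = message_from_string(raw_message)
    name, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    warnings = []
    # Trick 1: an address typed into the name, so that is what the reader sees.
    for shown in ADDRESS_RE.findall(name):
        if shown.lower() != address:
            warnings.append(f"name shows {shown} but mail came from {address}")
    # Trick 2: a familiar name attached to an address that is not theirs.
    expected = known.get(name.strip().lower())
    if expected and expected != address:
        warnings.append(f"{name} normally writes from {expected}, not {address}")
    return {"name": name, "address": address, "warnings": warnings}


if __name__ == "__main__":
    for raw in (SPOOFED_NAME, IMPERSONATED, GENUINE):
        result = inspect_from(raw)
        print(result["name"], "->", result["address"])
        for warning in result["warnings"]:
            print("  WARNING:", warning)
```

An empty warning list only means the name and the address agree; as noted above, the address itself can also be spoofed in some circumstances.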

Do not click on links or buttons in emails and then provide any login details

If an email is trying to get you to do something or log in to something, open up your web browser and independently visit the company's website without clicking links in the email.
It is surprising that even online banks still get this wrong; they will occasionally encourage their users to click on links/buttons in their email, which is bad practice. Dangerous phishing emails will often try to scare you into prompt action, pretending that something will stop working if you don't act quickly. They do this to trick you into clicking on a link or button and then ask you for a password to log in, but really it is a fake web page of theirs which is stealing your password.

Do not do anything potentially sensitive (like resetting passwords) or expensive (transferring monies or paying invoices) on the instruction of someone over email

Even if the email appears to be from a colleague, do not act on it without first checking with them via other means, whether that be in person, a quick call or a direct message (not via email). Often phishing emails looking to steal money will pretend to be from a high-ranking person within your company.

Do not open attachments that you were not expecting to receive

Attachments can be dangerous. They can contain viruses which could cause you to lose all data on your PC or whole company network, which can put an entire business at risk. If you wish to open something then a better option is to first save it and then consider uploading it to virustotal.com, which scans it with numerous different anti-viruses at the same time. It is a superb free service that easily tells you if it is safe. That site requires no sign-up and it couldn't be easier, taking seconds to use; you can drag and drop files onto the page to have them scanned. You should give it a go!


Do not mistake "HTTPS" or the Padlock Icon in the browser as security or to mean something is safe

In today's world most of the web is encrypted with SSL Certificates (https), so even the fake criminal (phishing) websites use https / padlocks. Web browser companies are slowly phasing out the padlock icon so that it will no longer show in web browsers, as it is often mistaken by users as meaning things are "safe" when in fact they may not be.

Extortion

Nasty, unexpected emails can try to blackmail or extort you into paying money, or threaten to expose information about you. The criminals' strategy is to play on your emotions, creating a sense of fear to pressure you into paying them. These emails are fake and can be safely ignored. Sometimes they try to heighten your fear by including some personal information (usernames or passwords) they already know about you in the email; this information comes from data leaks which have happened at other companies in the past. For example, large companies like Dropbox had security incidents many years ago in which criminals obtained information from their databases, so they may be able to see your email address, the usernames associated with it and possibly other information.

    Tip: If you are wondering if your email address has ever been contained within one of these security breaches that many companies have suffered then you can run your email address through this brilliant service: https://haveibeenpwned.com/ and it will tell you which breach your information featured in.

Do you have any suggestions or tips that you use which we haven't covered in this article? If you would like to share those with us then we would love to hear them @cloudabove or at hello@cloudabove.com