Email Security

Keep Your Email Safe

Abuse of email systems is one of the most common computer security issues, and it is vital that people understand the risks involved with email. We want to provide information that can protect you from the most common types of email abuse.

 

Why would someone try to hack my email?

Many people view email as a tool for quickly sending or receiving information and fail to realise their email contains far more of value than a few simple messages. Consider this:

  • How many contacts do you have in your address book?
  • Do you store website logins and passwords in archived emails?
  • Do you receive eBills (electronic bills) for services such as Cable, Internet and Utilities?

All of these items contain information that is valuable and can be sold. You may ask why others would care about the contents of a seemingly insignificant email account, but the mailing address in your eBill is one possible answer. The contact information in your address book is a gold mine for spammers, as it provides them with email addresses that are most likely active and being accessed on a regular basis.

This email claims to be from you, is it not?

Email was not designed with security in mind, which makes it incredibly easy to spoof addresses and trick you into thinking you're corresponding with someone who isn't who they claim to be. Often these emails contain 'phishing' content, where the ultimate goal is having a user give up important information such as usernames and passwords. Phishing emails have 3 primary characteristics:

  • They claim to come from a source of authority (University Administrators, Police, Government, etc.)
  • They request that you give up personal information such as usernames and passwords.
  • They imply something negative will happen if you don't provide these details.

By far, the most common types of phishing attacks seen at the University involve emails that claim your account will be deleted unless you reply to the sender with your username and password. These emails appear to have come from the Help Desk or IST. They ask you to give up your credentials and try to convince you by insisting your account will be deleted if you fail to comply. When someone falls for a phishing attack, their email address is often then used by a third party to send large amounts of spam.

***Never reply to these emails no matter how believable they may sound.***

Why did that link take me to the wrong site?

Links in emails and websites contain two pieces of information. The first is the text you read on the screen and click on when you want to follow that link. The second is the code running behind the scenes that determines where that link will actually take you. Just because a link says it will go to a particular website, does not mean that is where you'll end up.

Here's a harmless example: http://www.ualberta.ca

Even though this link says it goes to the University website, clicking it actually takes you to Google. Many phishing emails abuse this method and point the underlying code at a website that looks very similar to the real one. Many people won't catch this and will end up giving their important information away without knowing it.

So what can I do about all this?

The most important thing you can do is use caution when using email. Under no conditions should you give any information to anyone via email no matter who they claim to be. A few simple steps you can follow are:

  • Never reply to phishing or spam emails. Doing so validates that your account exists and will likely INCREASE the amount of unwanted mail you receive.
  • Be cautious of links in strange emails. If you hover the mouse over the link, most browsers will show you in the bottom left where that link will take you. If the address has typos or looks strange, don't click the link.
  • Unsubscribe links in spam emails are a trap and WILL NOT unsubscribe you. They simply validate that your account exists.
  • Use extreme caution when opening attachments regardless of who they are from. Remember, addresses can be spoofed. If an email contains files ending in .exe, .vbs, .bat or .scr, DELETE THEM immediately.

If you have concerns about the security of your computer, CCID, email, or any other day-to-day functions, please contact the IST Service Desk via ist@ualberta.ca. Remember, we will never ask for your password.