In the fourth and final part of our series "Security Errors on the Internet" we deal with the topic "E-Mail Security". There are dozens of misunderstandings that are constantly repeated and all too quickly accepted as truth without anyone verifying them. This article addresses a number of common misconceptions and points out how to minimize the risks that result from a misunderstanding of IT security.
Myth #1: "If I only look at an e-mail but do not open an attachment, nothing can happen."
Unfortunately, this is not true.
Many e-mails today are sent in HTML format. Unlike plain-text e-mails, they are often colourful, with different fonts and embedded graphics. The danger lurks in the so-called source code of an HTML-formatted e-mail: it can contain hidden malicious code that is executed as soon as the HTML e-mail is opened on the recipient's computer, without any attachment having to be clicked.
Spammers also like to use HTML e-mails to verify that an e-mail address is valid. This is done via so-called "web bugs", small and mostly invisible images that are loaded from one of the spammer's servers when the e-mail is opened and thereby signal that the e-mail has been received. Users should therefore disable the display of HTML e-mail in their e-mail program. E-mails are then shown only as plain text, which may look less legible and less complete, but for trusted senders the recipient can switch on the HTML view with a single click and view the full content.
Myth #2: "Replying to spam e-mails poses no danger; you can even follow the links to have yourself deleted from the mailing list."
That's not true.
The term spam covers various types of unsolicited e-mail. These include unsolicited advertising for partly dubious products and services, messages with strange content and so-called phishing e-mails, which try to trick the recipient under false pretences into handing over their access data for online shops or payment services.
No matter what type of unsolicited e-mail it is, recipients should ignore it and delete it immediately, preferably without even opening it. Under no circumstances should users follow links that are supposed to cause the recipient's address to be deleted from the list: as soon as you respond to such an e-mail, the sender knows that your address is valid and in active use. The consequence is an even larger amount of unwanted e-mail, i.e. spam, in the inbox. It may be advisable to create a second e-mail address for online services and the like, so that the main inbox stays largely free of spam.
Myth #3: "An e-mail always comes from the address in the sender field."
This is wrong, because sender addresses of e-mails can be faked with little effort.
The name of a person or organization displayed in an e-mail message may conceal a completely different sender. This is usually the case with illegal activities such as spamming or attempts to infect a user's computer with malicious software.
A first indication of the real sender is obtained by hovering the mouse over the displayed name. Depending on the e-mail program, the (supposedly) used e-mail address is then shown next to the mouse pointer or at the bottom of the window.
The authenticity of the sender can be determined by checking the so-called e-mail header. The header, or source text, of the e-mail can be displayed in the e-mail program. In the lines beginning with "Received: from", users can follow the path the message took; since every mail server adds its own line at the top, the original sender is found in the last (lowest) "Received" line. Be aware, however, that attackers can insert forged "Received" lines of their own, which makes it harder to determine the actual source of the e-mail. Therefore, if you have doubts about the origin of an e-mail, do not open it and delete it immediately.
E-mails from apparently known senders can also be spam, for example if a computer has been infected by a malicious program that automatically sends messages to everyone in the victim's address book. It often helps to look at the subject line and judge how likely it is that this person would use that phrase, language or expression.
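The header check described above, as an added example that is not part of the original article: the script reads a raw message with Python's standard `email` module, walks the "Received" lines from the lowest (oldest hop) to the top, and compares the displayed sender name with the actual From address and the Return-Path. The message is a constructed sample; the host names and addresses in it are made up for illustration.

```python
"""Trace an e-mail's path through its Received headers and compare the visible
sender name with the actual addresses.  Added example; SAMPLE_MESSAGE is a
constructed message, not one from the article."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample.  The display name claims to be a bank, but the address
# and the hop chain point elsewhere.  Header order is as a mail server leaves
# it: the newest Received line is at the top, the oldest at the bottom.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx.recipient.example (mx.recipient.example [203.0.113.5])
    by inbox.recipient.example with ESMTP id 1; Tue, 3 Mar 2020 10:00:03 +0000
Received: from mail-relay.example.net (mail-relay.example.net [198.51.100.9])
    by mx.recipient.example with ESMTP id 2; Tue, 3 Mar 2020 10:00:02 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
    by mail-relay.example.net with ESMTPA id 3; Tue, 3 Mar 2020 10:00:01 +0000
From: "Example Bank Customer Service" <service@example-bank-secure.com>
To: victim@recipient.example
Subject: Please confirm your account
Content-Type: text/plain

Please confirm your account.
"""

# The sending host named at the start of a Received line ("from <host> ...").
RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def received_chain(raw_message: str) -> list[str]:
    """Return the 'from' host of every Received line, oldest hop first.

    Each server prepends its own Received line, so reversing the header order
    yields the path from the origin towards the recipient's inbox.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        unfolded = " ".join(str(value).split())   # join continuation lines
        match = RECEIVED_FROM.match(unfolded)
        hops.append(match.group(1) if match else "?")
    return hops


def sender_check(raw_message: str) -> dict:
    """Compare display name, From address and Return-Path of a message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg["From"]))
    _, return_path = parseaddr(str(msg["Return-Path"] or ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    return_domain = return_path.rpartition("@")[2].lower()
    return {
        "display_name": display_name,
        "from_address": from_addr,
        "return_path": return_path,
        # A mismatch here is not proof of forgery (mailing lists and relays
        # cause it too), but it is a reason to look at the hop chain.
        "envelope_matches_from": from_domain == return_domain,
    }


if __name__ == "__main__":
    print("hops (oldest first):", " -> ".join(received_chain(SAMPLE_MESSAGE)))
    for key, value in sender_check(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

Run on the sample, the oldest hop is the bare IP address `[192.0.2.77]` rather than any host belonging to the bank named in the display name, and the Return-Path domain differs from the From domain. As the article notes, only the Received lines added by servers after the message left the attacker's control can be trusted; the lines below those may be forged.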
Myth #4: "Phishing e-mails are easy to spot."
That is not correct.
The aim of phishing is to obtain victims' access data for online shops, online banking, e-mail accounts or other Internet services. One of the most popular methods is to fake e-mails from services such as PayPal or Amazon and to ask recipients to follow a link, for example to cancel an order or to carry out an alleged security-related confirmation of their user data.
Such e-mails, and the web pages their links lead to, often look deceptively similar to the original e-mails and web pages. One indication of a phishing mail is the e-mail header mentioned in Myth #3, where the full sender address is visible and sometimes differs only marginally from the genuine sender's address. Sometimes the salutation in the e-mail text is missing. However, the senders of phishing e-mails are becoming more and more professional, so a correct salutation or plausible content cannot provide any certainty.
Under no circumstances should recipients follow links in such e-mails! In case of doubt, users can open the provider's website in the browser themselves and log in to the platform directly there to check. It is also advisable to deactivate the HTML display in the e-mail program (see Myth #1).
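Two of the HTML-related points in this article, the tracking images ("web bugs") from Myth #1 and the deceptive links from Myth #4, can be checked with the same small parser, so here is one added example that covers both. It is not code from the original article; the HTML body is a constructed sample and the host names in it are invented. It flags remote images (a tiny one is the classic tracking pixel) and links whose visible text names one host while the real target is another.

```python
"""Inspect an HTML e-mail body for tracking images and for links whose visible
text does not match their real target.  Added example; SAMPLE_HTML is a
constructed message body, not one from the article."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a 1x1 remote image that reports the opening of the mail,
# a link whose text shows one address but leads to another host, a harmless
# link, and an image embedded in the mail itself (cid:) that loads nothing.
SAMPLE_HTML = """\
<html><body>
<p>Dear customer,</p>
<p>Please confirm your data at
<a href="http://login.examplepay-secure.example/confirm?id=42">https://www.examplepay.example/account</a>.</p>
<p><a href="https://www.examplepay.example/help">Help centre</a></p>
<img src="http://track.spam.example/open.gif?u=victim" width="1" height="1" alt="">
<img src="cid:logo@local" width="200" height="60">
</body></html>
"""

# Matches link text that looks like a URL or bare host name, capturing the host.
HOST_IN_TEXT = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#:]\S*)?$", re.IGNORECASE)


class MailInspector(HTMLParser):
    """Collects remote <img> sources and <a> links with their visible text."""

    def __init__(self):
        super().__init__()
        self.remote_images = []      # (src, width, height)
        self.links = []              # (href, visible text)
        self._current_href = None
        self._current_text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            src = a.get("src") or ""
            # Only images fetched from the network can report back to a server.
            if src.lower().startswith(("http:", "https:")):
                self.remote_images.append((src, a.get("width"), a.get("height")))
        elif tag == "a":
            self._current_href = a.get("href") or ""
            self._current_text = []

    def handle_data(self, data):
        if self._current_href is not None:
            self._current_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current_href is not None:
            self.links.append((self._current_href, "".join(self._current_text).strip()))
            self._current_href = None


def _parse(html: str) -> MailInspector:
    inspector = MailInspector()
    inspector.feed(html)
    inspector.close()
    return inspector


def find_web_bugs(html: str) -> list[dict]:
    """Remote images in the body; 0/1-pixel ones are flagged as tracking pixels."""
    bugs = []
    for src, width, height in _parse(html).remote_images:
        tiny = width in ("0", "1") or height in ("0", "1")
        bugs.append({"src": src, "host": urlparse(src).hostname, "tracking_pixel": tiny})
    return bugs


def find_misleading_links(html: str) -> list[dict]:
    """Links whose visible text names a host different from the href's host."""
    findings = []
    for href, text in _parse(html).links:
        actual = (urlparse(href).hostname or "").lower()
        match = HOST_IN_TEXT.match(text)
        if not match or not actual:
            continue                 # plain words like "Help centre" are not a host
        shown = match.group(1).lower()
        if shown != actual:
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_HTML):
        print("remote image:", bug)
    for link in find_misleading_links(SAMPLE_HTML):
        print("misleading link:", link)
```

Disabling HTML display in the mail client, as the article recommends, prevents both problems at once: no remote image is fetched, and the raw target of every link becomes visible instead of the text laid over it. The parser here is standard-library only and does not fetch anything, so it is safe to run over a suspicious message.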