Security Avoiding Spam, Scams, Viruses and Other E-mail Annoyances
As you are probably already painfully aware, East Tennessee State University email accounts are frequent targets for spam (unsolicited commercial email), scams and phishing attempts (authentic-looking nefarious messages designed to steal your identity or financial information), and email worms and viruses. We remind you to treat all unexpected emails, even emails which don't appear to be selling anything, with skepticism.
Although none of the advice offered here should be taken as official policy, there is plenty of conventional wisdom which you might not have considered before. As follows are a few tips for managing a mutinous mailbox:
- The first and most effective point is to avoid using your ETSU e-mail account for anything other than official ETSU business or academics. While this advice is more conventional wisdom than actual policy, it will result in a friendlier mailbox. The fewer people or companies that have your e-mail address, logically, the fewer emails you will receive. On the other hand, if more people and organizations know your email address, not only will you receive e-mail from those entities, but also from whoever has bought or farmed your address from them.
- It helps to have a disposable e-mail account. Google, Yahoo!, and Windows Live mail, for instance, each provide free e-mail service that can easily be used for compulsory registration. There are even intentionally disposable services, such as Mailinator, which are designed to receive email temporarily, can be accessed without registration or password, then be completely forgotten. Many online stores and services require an e-mail address for registration before participation is allowed. For the reasons given in the previous point, it is generally more favorable to sign up for such services using an account separate from your ETSU e-mail.
- Boycott vendors who spam. If spamming were no longer profitable, it would no longer be annoying or debilitating. Apparently someone somewhere is buying cheap Vicodin, refinancing a mortgage, or buying penny stocks based on an email tip. As a result, millions of the rest of us must continue our daily routine of deleting irrelevant messages.
- Do not trust the information in the From: address of an e-mail. That information is trivially forged. Never open an e-mail attachment you were not expecting without calling or contacting the sender first. The author of the message might not be the same person as the e-mail indicates.
- As a general practice, it’s best to ignore e-greetings and e-cards. This is partially for the reasons stated above in the first point. More importantly, though, many email worms and viruses disguise themselves as e-greetings. It’s better simply to thank the sender politely, and hope the e-greeting wasn’t an insult.
- There are a few easy ways to recognize a phishing attempt:
- Most obviously, if you are not a customer of the company represented by the scammer, or if you have never given said company your ETSU email address (see the first bullet point above), then you can be certain that there is treachery afoot.
- If the salutation of the message resembles "Dear valued customer" or something similarly ambiguous, whoever has your e-mail address probably didn't take the time to research your real name. This is just as sinister as if they had addressed you as "Dear Jerkface."
- If the e-mail is signed "Regards, Webmail IT Service" or something similarly anonymous, it's probably not legitimate. We in OIT all have names, contrary to what you might have heard otherwise.
- If the target web address of a hyperlink (a clickable string of text resulting in a new web page opening) points to an address that differs from that company's established website, it's probably not legitimate. This point can be more subtle and easier to miss. For example, it might take more than a cursory glance to realize that www-suntrust.com would not be legitimate. You'll also often see hyperlinks that resemble web addresses, but the cosmetic address is actually different from the link address (see the picture below for an example).
- If the message contains grammatical errors, it's probably fake.
- If the message adopts a scary tone or warns you that your ETSU account will be deleted if you don't take action, it's probably fake.
- If an e-mail requests personal or sensitive information, verify its origins before responding. Feel free to forward any dubious emails to the help desk at email@example.com and ask us for assistance in verifying the legitimacy of the message.
- Quiz yourself. Because phishing scams are so common, many quizzes can be found by searching the Web for "phishing quiz". Google Jigsaw offers a great one, as does OpenDNS.