General Security
Email is not a secure form of communication. Messages can be intercepted in transit. A good rule of thumb is to avoid sending any
sensitive information over email.
Phishing & Identity Theft Scams
Phishing is an attempt to gain access to your confidential information
(passwords, usernames, bank accounts, PINs, etc.) by posing as a trustworthy
organization. Examples of sites often
impersonated by phishers include financial institutions (your bank, PayPal),
ecommerce sites (Amazon, eBay), social media sites (Facebook, Twitter) and even
Whitman College. Phishers may ask you to respond by reply email, by filling out
a form on a website, or by calling a phone number. Frequently, they'll claim you've won a prize
or threaten you with some action, such as deletion of your account, if you do
not respond.
The most common form of phishing email attempts to dupe the receiver
into clicking a link to a fraudulent website, where the victim is asked to
enter personal information:
This email links to a spoof site that looks and feels exactly like
trustedbank.com. Once the victim enters
his or her personal information, the data is sent to the phishers.
Other conventional ploys: "Please click to verify your account." "You
have won one million dollars." "Your
account will be deactivated if you don't respond within x hours."
So how do you tell phishing messages apart from legitimate email?
Phishing Red Flags
- Any attempt to get you to enter your password. Most organizations, including Whitman, will never ask you for your password over email.
- Mistakes in grammar or spelling. Real organizations do mess up, but if the message is so full of errors your elementary school teacher wouldn't accept it, it's likely a scam.
- A 'To' or 'From' address that seems fishy (so to speak). 'From' addresses can be easily falsified, so pay specific attention to the 'To' field. Is your email address listed? If not, the message is likely a phishing attempt.
- No personal information in the email. Most legitimate institutions have your information on file and will address you by name. A "Dear Valued Customer" salutation is suspect. However, phishers can mine public records and social networking sites for your personal details, so don't assume a message is safe just because it contains your name or other trivia.
- Links do not lead to the sites they claim to. Always inspect links in emails. It's very easy to misrepresent their addresses. Most browsers provide simple ways to check a link's true address. In Firefox, right-click the link and choose 'Copy Link Location.' Paste into Firefox's address bar. If the text doesn't match the link in the email, don't hit enter.
- Links lead to sites with odd domain names. If the email claims to be from Whitman but links to a URL that starts www.whtman.edu, www.verify-whitman.edu, or http://www.geocities.jp/samscoolsite, the site is fraudulent.
Phishing Precautions
- Instead of clicking email links, open a new browser window or tab and type in the address manually.
- If something seems suspicious, email the institution using a customer service email listed on its website (again, type this in by hand in a new window) to verify its authenticity.
- Heed your browser if it tells you a site may be forged. Never give personal information to insecure sites. Many browsers display an unbroken key or lock icon for a secure site. Click the key or lock to check the security certificate and make sure it matches the site.
- Even if you're confident a site is legitimate, test it: Enter fake information into the form before providing your genuine credentials. A phishing site will accept the false info, but the real site will give you an error.
- If you must call a customer service number from an email, never provide any personal details about your account.
Viruses
Emailed attachments can come bundled with viruses. Downloading an attachment, even one with a
harmless name, can infect your computer.
Only open attachments if you trust the source. Many people choose only to open attachments
that they have confirmed through verbal communication with the sender.
Non-malicious spam (an oxymoron?)
Unsolicited bulk email messages can fill up your mailbox and become
extremely frustrating. To avoid this
predicament:
- Don't give your email address to sites you don't trust. Many people have an alternate email they use when buying a product from a site for the first time or signing up for a new service.
- Don't post your email address to public places online like message boards, comment boards, or even your personal website. Spambots crawl the web looking for these easy targets.
- If you receive spam, don't open it or click "unsubscribe." Spammers can use these actions to detect that your email address is active. The result: more spam. Instead, mark the message as spam in your email client and filter similar messages to the trash.