Email and Phishing

3 May 2022

Intro

Email is a major infection vector for malware, so it’s important to stay alert and know how to distinguish a genuine email from spam. Here are some tips to help keep you (and your computer!) safe.

Be careful where, and to whom, you give your email address — although you may want the free ebook or to subscribe to a new mailing list, be aware that you ARE giving out your email address, which could lead to an increase in unwanted emails.

Regularly unsubscribe from newsletters you no longer read. Not only does this mean fewer emails to clear out from your inbox, it also reduces the risk that a spam email could be misinterpreted as legitimate. Some email providers (such as Gmail) notice when you haven’t opened newsletters from a certain source, and regularly ask if you’d like to unsubscribe.

Apple Mail also has a similar unsubscribe feature: When you open an email from a mailing list, Apple Mail gives you an “unsubscribe” button in the banner below the message header. This allows you to easily unsubscribe from mailing list emails.

Do not follow links in spam emails, or in emails from addresses you don’t recognise. Following such a link confirms that your email address is active and could lead to you becoming a victim of phishing – a cybersecurity threat discussed in more detail below.

Use “Sign In with Apple” or “Hide my email” whenever possible to safeguard your email address. Apple have a feature called “Sign In with Apple”, allowing users of some websites to create accounts using their Apple account (similar to “Sign in with Google” or “Sign in with Facebook”).

Within the “Sign In with Apple” feature, there is an option to hide your email address from the developers of the website. This is done by using a randomly generated email address (created by Apple), which is used as the contact email for the website. Apple then automatically forwards communications from the website to your email, after performing basic spam filtering.

Phishing

Phishing is one of the main ways cybercriminals obtain personal information from internet users. By posing as a trusted company (such as a bank, Netflix, an insurance company, Apple, etc.), they are able to trick people into handing over information that they should not have access to, such as your username and password.

Fortunately, there are a few ways to stay smart, and keep your information safe.

Check the sender’s email address. Cybercriminals often use email addresses that look similar to trusted ones to trick consumers into trusting them. Before you follow a link in an email, stop and take a moment to double check the sender’s email address. Does it come from a trusted domain (the bit after the @ symbol)? Does the domain match the company? For example, an email from “Apple” sent from an @gmail address is not really from Apple.

Don’t follow links in unsolicited emails. Unless you initiated the email conversation, such as when you contact your friendly ClamXAV support team, or you trust the sender of an email (and recognise their style of writing), do not click links in your email, especially if it is a shortened URL (such as a bit.ly or TinyURL link), as these obscure the final destination of the link.

If an email does not address you personally, it’s more likely to be a phishing email. Emails addressed “Dear customer” or “Hi there”, rather than to you by name, are a fairly common sign of phishing. Of course, not all emails addressed like this are phishing emails, but it’s a fairly safe bet that it’s spam if the only thing the sender knows about you is your email address.

When in doubt, double check. If you receive an email notification telling you that you need to make a change to an online account (like Netflix or PayPal letting you know your payment method has expired), or asking you to log in somewhere to verify your account and prevent it from being closed/deactivated, it is best to visit the site directly by typing its address, rather than through any link provided in the email.
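The three checks above (does the sender’s domain match the company it claims to be, does a link go through a URL shortener, and is the greeting generic) can be turned into a small triage script. The example below is added here and is not part of the original post or of ClamXAV; it uses only Python’s standard library. The brand-to-domain table, the shortener list and the two sample messages are constructed assumptions for illustration, not an authoritative list of who sends from which domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# ASSUMPTION: illustrative mapping from a brand name (as it might appear in the
# display name or subject) to the domains that brand is expected to send from.
# In practice you would maintain this list yourself.
BRAND_DOMAINS = {
    "apple": {"apple.com", "email.apple.com"},
    "netflix": {"netflix.com"},
    "paypal": {"paypal.com"},
}

# Link shorteners named in the post; these hide the real destination of a link.
SHORTENERS = {"bit.ly", "tinyurl.com"}

# Greetings that show the sender knows nothing about you but your address.
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued", "hi there")


def sender_domain(from_header):
    """Return the part after the @ of the From: address, lowercased."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def domain_matches_brand(brand, domain):
    """True if domain is one of the brand's domains or a subdomain of one.
    'apple.com.evil.example' does NOT match, because the suffix check is
    anchored on a leading dot."""
    allowed = BRAND_DOMAINS.get(brand.lower(), set())
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def extract_links(text):
    """Pull http(s) URLs out of a plain-text body, trimming trailing punctuation."""
    return [u.rstrip(".,;)") for u in re.findall(r"https?://[^\s<>\"')]+", text)]


def triage(raw_message):
    """Return a list of human-readable warnings for a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []

    from_header = msg.get("From", "")
    display_name, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    subject = msg.get("Subject", "")

    # Tip 1: the display name or subject claims a brand, but the domain disagrees.
    for brand in BRAND_DOMAINS:
        if brand in display_name.lower() or brand in subject.lower():
            if not domain_matches_brand(brand, domain):
                findings.append(f"claims to be {brand} but sent from {domain or 'no address'}")

    body = msg.get_payload()  # plain-text, non-multipart message

    # Tip 2: links routed through a shortener obscure their destination.
    for url in extract_links(body):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENERS:
            findings.append(f"shortened link hides destination: {url}")

    # Tip 3: a generic greeting on the first line of the body.
    lines = body.strip().splitlines()
    first_line = lines[0].lower() if lines else ""
    if any(first_line.startswith(g) for g in GENERIC_GREETINGS):
        findings.append(f"generic greeting: {first_line!r}")

    return findings


# Constructed sample messages (not real mail). The bit.ly path is a placeholder.
SAMPLE_PHISH = """\
From: Apple Support <appleid.support@gmail.com>
To: someone@example.com
Subject: Your Apple ID has been locked

Dear customer,
Please verify your account at https://bit.ly/example within 24 hours.
"""

SAMPLE_LEGIT = """\
From: Apple <no_reply@email.apple.com>
To: someone@example.com
Subject: Your receipt from Apple

Hi Alice,
Thanks for your purchase. View details at https://www.apple.com/account/.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, triage(sample) or ["no warnings"])
```

Run on the constructed phishing sample, `triage` reports all three warnings (brand/domain mismatch, shortened link, generic greeting); on the receipt-style sample it reports none. The script is a heuristic aid for the habit the post describes, not a spam filter: a clean result still means visiting the site directly rather than through the email’s link.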