UC Davis Information & Educational Technology

How the World of Email Works

10 Things Everybody Should Know about How the Email World Works

1. Email is insecure.

Even secure email programs only encrypt messages as they travel between the sender's computer and the sender's email server. Email transmitted from the sender's email server to the recipient over the Internet passes unencrypted through any number of servers. Unless you are using a special program to encrypt your email messages (such as PGP), your email can be intercepted and read in transit.

2. You have no control over a message after you send it.

The people you send email to can forward it, post it online, or even post it on a billboard. As a rule, you should never include information in an email that you would not want the world to see.

3. "From" addresses in email messages are easily forged.

Attackers attempt to gain your trust by forging From lines. Two ways to tell if a message is forged are:

  • If part of the "From" line reads "IT Express" but the address in brackets is <nobodyyouknow@somewherefaraway.com>, then the message is a fake.

  • If the "From" address is not particularly suspicious, click on "Reply." If the Reply-to address seems unrelated to the "From" address, then the message is probably fake.

4. Sending personal information over email puts you at risk for identity theft and other crimes.

Passwords, Social Security numbers, credit card information and financial account access codes are for your private use. Email messages that request sensitive information are most likely from someone intending to use the information to commit fraud or other crimes. Legitimate organizations are aware of email-related risks and should not ask you to jeopardize the security of sensitive information.

5. Identity thieves and other criminals use email, Web sites, and the names and logos of legitimate businesses to get you to give them sensitive information.

It’s easy to copy and paste logos into email, so don’t believe an email is legitimate just because it includes logos of well-known companies. Often, the link you see in the message does not take you where it appears to. For example, link text that says http://paypal.com may really lead to something like http://paypal.fakesite.zz/login.php and present a realistic imitation of the real site.
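The checks from items 3 and 5, as an added Python example that is not part of the original page: it compares the Reply-To domain with the From domain, and each link's visible URL with the host the link really points to. The sample message is constructed from the page's example names; the Reply-To address `collector@unrelated.example` and all function names are assumptions.

```python
import email, re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message, built from the page's example names and hosts.
SAMPLE = (
    "From: IT Express <nobodyyouknow@somewherefaraway.com>\n"
    "Reply-To: collector@unrelated.example\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    '<p>Sign in at <a href="http://paypal.fakesite.zz/login.php">http://paypal.com</a></p>\n'
)

class Links(HTMLParser):
    """Collect (href, visible text) for each <a> element."""
    def __init__(self):
        super().__init__()
        self.found, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self.href is not None:
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.found.append((self.href, self.text.strip()))
            self.href = None

def host(url):
    url = url if "://" in url else "http://" + url  # allow bare "www.site.tld" text
    return re.sub(r"^www\.", "", (urlparse(url).hostname or "").lower())

def check_message(raw):
    """Return (finding, expected, actual) tuples for the item 3 and item 5 checks."""
    msg, findings = email.message_from_string(raw), []
    sender_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_dom and reply_dom != sender_dom:
        findings.append(("reply-to-mismatch", sender_dom, reply_dom))
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = Links()
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            for href, text in parser.found:
                # Only compare when the visible text itself looks like a URL.
                shown = host(text) if re.match(r"(https?://|www\.)", text, re.I) else ""
                if shown and host(href) != shown and not host(href).endswith("." + shown):
                    findings.append(("link-text-mismatch", shown, host(href)))
    return findings
```

A Reply-To on a different domain is also common in legitimate mailing-list and vendor mail, so treat that finding as a reason to look closer rather than as proof of forgery.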

6. Curb your curiosity. Don’t click on any links in email messages from companies you don’t do business with or unexpected messages from companies you do have business with.

Email that appears to be from a familiar and/or reputable company can be used to:

  • Direct you to a Web site that is used to collect your account numbers and passwords

  • Get you to reply to or attempt to unsubscribe from a service or newsletter so that they can send you more fraudulent email (replying or attempting to unsubscribe confirms for the sender that your email address is legitimate)

  • Direct you to a Web site which infects your computer with malicious programs as the page is loaded. These programs can allow someone to use your computer to send spam, track keystrokes to collect sensitive information, or set up repositories of inappropriate content.

7. Legitimate businesses have professional writers and editors that review email messages to customers for errors.

Typos are fairly common in email, but messages with several misspelled words, poor grammar or an unprofessional appearance are most likely not from a legitimate business and should be viewed with skepticism and/or simply deleted.

8. Email attachments can contain viruses and worms.

To avoid opening attachments that contain viruses:

  • Delete messages and attachments from people you don’t know.

  • If you do know the sender, contact them (but not by replying to the suspect message) and ask if they sent the attachment and where they got it.

  • For comprehensive advice on handling email with attachments, see the following section of the CERT Home Computer Security page:


9. Real millionaires will never offer you money via email, so cultivate a healthy skepticism.

It’s nice to feel trusted, but if you receive an email from someone you don't know who claims to have gotten your name from someone they don't specify and offers to pay you 10% to help them move millions of dollars out of a distant country, DELETE IT. They want your bank account number and intend to use it to take your money.

10. Hone your instincts, then trust them.

Most malicious email has characteristics that are “off” in some way. If you find yourself wondering why you received a particular message, you should treat it with caution.

For additional information related to many of the topics on this page, see Cyber-safety Basics: Security for Everyone.