Email is not secure. Although many people think of it as being an "electronic letter," it is actually more like a postcard that can be read by any number of people along the route between the sender and recipient. It can be easily forged and does not afford privacy.
Messages can also reach others’ eyes through forwarding, intentionally or accidentally. Once you have sent a message, there is no way to know where it will end up from there. Do not include anything in an email you wouldn’t feel comfortable having shouted across a crowded room.
Beware of emails that attempt to lure you into divulging personal information. The goal is to steal money or your identity through a technique called phishing by pretending to be a legitimate organization and asking for personal information. Legitimate, responsible companies will never solicit this type of information over email. Never reveal personal or financial information in a response to an email request, no matter who appears to have sent it.
Never click links in a message that request personal or financial information. Instead, visit the mentioned website directly by using a search engine to locate the real site. If you receive an email message that appears suspicious but also potentially important, call the person or organization listed in the "From" line of the message before you respond or open any attachments.
For more information about phishing, see our page on phishing.
It is difficult to know if the sender of an email is who they say they are. Recently, individuals at the University have been receiving messages that state they sent an email containing a virus, but according to their knowledge, they did not send a virus. What really happened is that a spammer or virus used these individuals’ email addresses to send spam without the users’ knowledge. Below is an explanation of how email is forged.
For an email today, typically the recipient sees something like this:
Date: Fri, 30 Jan 2008 07:28:45 +0000
From: Company X <firstname.lastname@example.org>
Subject: You may have already won!!!
One important point to make about both of the above examples is that email@example.com may or may not have sent the message. Just as anyone can put postal mail in a mailbox with a false return address on it, anyone can claim to be someone else when sending email. Many spammers and viruses take advantage of the ease of forging a sender’s address to pretend to be someone else, both to hide their tracks and to give legitimacy to the message.
Viruses that use this technique will collect all of the email addresses they can find from the computer and then pick two of them at random. The first one becomes the "From" address and the second one becomes the "To" address of a message that contains itself, with the hope that the recipients will open the message and infect their computers as well. In almost all cases, neither the person nor their computer had direct involvement. However, many antivirus email servers are configured to send a warning back to the sender – in this case, the forged "From" address. The only relation that the alleged sender may have to the recipient is that a third person, who has both the sender and recipient’s email addresses, has been infected.
Recently, some spam has originated from certain UR email list addresses, making the messages appear that they came from departments within the University. These messages are targeted attacks by spammers (a technique known as spear phishing) to get recipients to give up personal information, including usernames and passwords. The best thing you can do is be alert and suspicious of anything in a message that does not seem right. Remember, no one should be asking for usernames or passwords. If there is any doubt, call the department making the request to verify the email was sent by them. See our phishing page for more information.
It is very difficult to prevent someone from using your email address as the sender’s address of a message, but there are several steps you can take to limit the risk. Most importantly, make sure your virus protection software is up to date. Also, you can use PGP to exchange digitally signed and encrypted email messages so the recipient can have confidence you were the actual sender. See here for more information on PGP. Lastly, make sure to follow these rules so spammers do not learn your address is valid and use it to send fake email.
If you receive threatening or otherwise abusive email, the sender can often be identified and is often surprised that his or her activities are traceable, even when messages are anonymous. If you would like help in tracing such messages, do not delete them. Contact firstname.lastname@example.org for assistance. If necessary, we will work with law enforcement and courts to investigate.
If you believe that your safety is in jeopardy, call Public Safety at x53333 from an on-campus phone or (585) 275-3333 from off campus. For emergencies call Public Safety at x13 from an on-campus phone.