Secure handling of email
Phishing mails, scam mails, malware mails: Stay alert!
Things to know
No confidentiality
In terms of discretion, confidentiality, and security, an email is like a postcard. As with the postcard, anyone with access to the "mail path" between you and the target mailbox can potentially read emails received or sent.
Therefore, confidential data should never be included in an email that is not explicitly secured.
Malware in emails
Malware emails are emails with attachments that contain malware. Malware is often hidden in Zip, PDF, or DOC files.
Phishing: password theft
These emails look almost like messages from ETH or other trusted partners. However, the links they contain lead to an imitation of the original website, where an attempt is made to steal your login data.
Scam or fraudulent emails: fraud
With such emails, attackers try to gain a financial advantage.
The victim receives an email, allegedly from a superior or a VIP, asking them to deal urgently with an "emergency" or exceptional situation, for example to transfer certain amounts quickly, to grant access rights or to provide information.
Under the pressure built up by the supposed superior, victims often fail to question critically whether the sender's address is correct and whether the order is plausible.
Mail spoofing: fake sender addresses
It is not difficult to fake the sender address of an email and then, supposedly in the name of the faked sender, start a fraud attempt, be it via scam mails, phishing, or attachments with malicious software. Sometimes the fake sender addresses look deceptively real. The display name shown next to the address can be chosen freely by whoever sends the mail, so a familiar name on its own says nothing about who actually sent it.
When encrypting emails, a distinction must be made between two procedures:
Opportunistic transport encryption
Opportunistic transport encryption takes place automatically without the user's intervention and encrypts emails during transport between two mail servers, provided that both sides, sender and recipient, support this feature.
Transport encryption is very common. However, in most cases users cannot know whether transport encryption is really used. Even where this is known, there is still the limitation that although emails are encrypted during transport, they are stored unencrypted on the email servers of sender and recipient.
End-to-end encryption
End-to-end encryption takes place in the user's email program, using the recipient's public key. Only the recipient can decrypt the email with his or her private key.
Nobody else can read the content of those emails, neither during transport nor while they are stored on the email servers. Note that the header fields (sender, recipient, subject) are not covered by this encryption and remain readable.
Digital certificates
A digital certificate is comparable to an ID card, for example a company ID card or a membership card for a sports club. There are also digital certificates that can be used for legally binding transactions due to their higher security level.
Digital certificates can be issued for the identification of users, but also for the identification of servers, end devices or software. Email certificates are user certificates.
Structure of digital certificates
Basically, a digital certificate provides information about an identity. This information is verified and formally confirmed by the issuer before the certificate is issued. The different security levels of certificates also mean different formalities are required for the initial verification of the applicant's identity. The higher the security level of a certificate, the more extensive the possible areas of use.
Each digital certificate consists of a public part and an associated secret key. The public part, the certificate itself, contains all information that third parties need to verify the identity of a user, such as the email address, the name of the owner, the expiry date and the public key. The associated private key is secret and is never part of the certificate.
Securing email traffic with digital certificates
The exchange of emails can be secured using email certificates. These digital user certificates can be used in a similar way to a seal to verify the sender or originator of an email. In the case of an email that has been signed with a valid certificate, the recipients can be sure that it was sent by the owner of the certificate and that its content was delivered unchanged. What's more, the certificates can also be used to encrypt the email content itself, so that it stays encrypted both in transport and in the mailboxes where it is stored.
The two essential security functions of email certificates are:
Digital signing
The email is "sealed". A valid digital signature is comparable to an unbroken seal.
- The sender is the owner of the certificate, the mail is therefore real.
- The content of the email has been delivered unchanged to the recipient's mailbox, it is therefore unaltered.
Signed emails contribute significantly to protection against phishing and fraud emails, especially if emails are routinely signed and recipients pay attention to the signatures. Recipients are then alerted when they receive an unsigned email, supposedly from their superior, asking them to urgently buy vouchers from an online store or trigger other financial transactions, bypassing all the usual processes.
End-to-end encryption
If the sending and receiving sides have email certificates and have exchanged the public keys of their certificates, they can encrypt their email traffic. Emails secured in this way can only be read with the help of the private keys of the parties involved. If the private keys are stored securely, it is practically impossible for such emails to be read by unauthorised persons.
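The two functions described in this section, the "seal" (digital signature) and end-to-end encryption, as an added example that is not part of the original page and not the code of the IT Services PKI. It assumes the Python `cryptography` package is installed and uses raw RSA-PSS signatures plus a hybrid RSA-OAEP/AES-GCM envelope rather than the S/MIME (CMS) container a mail client would actually produce; the parties alice, bob and mallory are hypothetical.

```python
import os
from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def make_keypair():
    """One key pair per party; the public half is what an email certificate carries."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def sign(private_key, message: bytes) -> bytes:
    """Apply the 'seal': a signature over the message with the sender's private key."""
    return private_key.sign(message, PSS, hashes.SHA256())


def verify(public_key, message: bytes, signature: bytes) -> bool:
    """Check the seal with the sender's public key; any change to the message breaks it."""
    try:
        public_key.verify(signature, message, PSS, hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def encrypt_for(recipient_public_key, message: bytes) -> dict:
    """Hybrid encryption as S/MIME does it: a fresh AES-GCM key protects the body,
    RSA-OAEP wraps that key for the recipient's public key."""
    session_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    return {
        "wrapped_key": recipient_public_key.encrypt(session_key, OAEP),
        "nonce": nonce,
        "ciphertext": AESGCM(session_key).encrypt(nonce, message, None),
    }


def decrypt_with(private_key, envelope: dict) -> bytes:
    """Only the holder of the matching private key can unwrap the session key."""
    session_key = private_key.decrypt(envelope["wrapped_key"], OAEP)
    return AESGCM(session_key).decrypt(envelope["nonce"], envelope["ciphertext"], None)


def demo() -> dict:
    # Hypothetical parties: alice signs and sends, bob is the intended recipient,
    # mallory is an outsider who holds neither of their private keys.
    alice, bob, mallory = make_keypair(), make_keypair(), make_keypair()
    body = b"Please approve invoice 4711 for CHF 12000."
    seal = sign(alice, body)
    results = {
        "genuine_verifies": verify(alice.public_key(), body, seal),
        "tampered_fails": not verify(alice.public_key(), body.replace(b"12000", b"92000"), seal),
        "wrong_signer_fails": not verify(mallory.public_key(), body, seal),
    }
    envelope = encrypt_for(bob.public_key(), body)
    results["recipient_decrypts"] = decrypt_with(bob, envelope) == body
    try:
        decrypt_with(mallory, envelope)
        results["outsider_decrypts"] = True
    except (ValueError, InvalidTag):
        results["outsider_decrypts"] = False
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The tampered and wrong-signer cases are the "broken seal" from the text: a single changed digit or a signature made with someone else's key fails verification, while the outsider's failed decryption shows why the private key, not the certificate, is the part that must be kept safe.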
Manage email certificates securely
Similar to seals or identity cards, the private keys of the certificates must not fall into unauthorised hands or get lost. They need to be managed safely. IT Services offer a service for obtaining and securely managing email certificates (Public Key Infrastructure, PKI). The offer includes personal certificates and certificates for group mailboxes.
- Check the recipient list before clicking the send button.
- Be aware: After sending, you have no control over your emails. You don't know if they are copied and/or forwarded.
- If you have several recipients, use the address field "BCC" (English for Blind Carbon Copy) instead of "CC" if you do not want the remaining recipient addresses to be visible to everyone.
- Do not forward chain mails.
Confidential information may only be sent by email if it is encrypted. There are different ways to do this:
- Send confidential information in a password-protected ZIP archive as an attachment to the actual email. Use a long, random password and an archive tool that encrypts with AES (for example 7-Zip); the legacy ZIP encryption ("ZipCrypto") is weak. Transmit the password via a different channel, e.g. by SMS. Note that the file names inside a ZIP archive remain visible even when the contents are encrypted.
- If you and the recipient have a certificate for email encryption, use it for end-to-end encryption.
- If you are sure the transport connection to the target system is encrypted and transport encryption is sufficient for you, you can send the email without additional measures.
- Check the sender address: Does it match the name displayed, and is the domain the one you expect?
- Distrust emails you receive unsolicited and which come from unknown sources or persons.
- If you suspect that an unjustified request has been sent to you by email, reject it or contact the alleged sender by phone, using a number you already know rather than one given in the email. Talk to your IT specialists if you are unsure.
- Do not click on links or open attachments in suspicious emails.
- Do not open "exe" files and other executable file formats. Be careful with all other file attachments, especially if you don't know the sender.
- Does the Word document you just received contain a macro and a prompt to activate it in order to view the document? Do not do this under any circumstances.
- If an email seems suspicious to you, do not hesitate to ask your ISG or ID Service Desk.
- If you receive many suspicious emails at once, please inform your IT support as soon as possible.
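The sender-address check from the list above, and the spoofing described under "Mail spoofing", automated on raw message headers. This is an added example, not a tool of IT Services or part of the original page. The two messages are constructed for the example, the trusted domain and organisation keywords are hypothetical configuration, and the Authentication-Results header is assumed to have been added by the organisation's own receiving mail server.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Assumption (hypothetical configuration): domains the organisation treats as its own.
TRUSTED_DOMAINS = {"ethz.ch"}
# Assumption: words an attacker would put in a display name to impersonate the organisation.
ORG_KEYWORDS = {"eth", "ethz"}

# Constructed sample: the display name impersonates ETH, the address and Reply-To sit
# elsewhere, and the receiving server recorded failed SPF and DMARC checks.
SPOOFED_MESSAGE = b"""\
From: "Rektor ETH Zurich" <rektor@eth-zuerich-mail.example>
Reply-To: ceo.urgent@free-mail.example
To: staff@ethz.ch
Subject: Urgent: gift cards needed today
Authentication-Results: mail.ethz.ch; spf=fail smtp.mailfrom=eth-zuerich-mail.example; dkim=none; dmarc=fail header.from=eth-zuerich-mail.example

Please buy 10 vouchers now and send me the codes. I am in a meeting, do not call.
"""

# Constructed sample of an unremarkable internal message.
INTERNAL_MESSAGE = b"""\
From: "Jane Doe" <jane.doe@ethz.ch>
To: staff@ethz.ch
Subject: Minutes of Monday's meeting
Authentication-Results: mail.ethz.ch; spf=pass smtp.mailfrom=ethz.ch; dkim=pass header.d=ethz.ch; dmarc=pass header.from=ethz.ch

Attached are the minutes, please comment by Friday.
"""


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_trusted(domain: str) -> bool:
    """True if the domain is one of ours or a subdomain of one of ours."""
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)


def parse_auth_results(header_value: str) -> dict:
    """Extract the spf/dkim/dmarc verdicts from an Authentication-Results header."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header_value.lower())}


def analyse_message(raw: bytes) -> list:
    """Return a list of finding codes; an empty list means nothing stood out."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Display name claims the organisation, but the address domain is foreign.
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)
    name_words = set(re.findall(r"[a-z]+", name.lower()))
    if name_words & ORG_KEYWORDS and not is_trusted(from_domain):
        findings.append("display-name-spoof")

    # 2. Replies would go to a different domain than the visible sender.
    reply_to = str(msg.get("Reply-To", ""))
    if reply_to and domain_of(parseaddr(reply_to)[1]) != from_domain:
        findings.append("reply-to-mismatch")

    # 3. The receiving server's own SPF/DKIM/DMARC verdicts.
    verdicts = parse_auth_results(str(msg.get("Authentication-Results", "")))
    for check in ("spf", "dkim", "dmarc"):
        if verdicts.get(check) in ("fail", "softfail", "permerror", "temperror"):
            findings.append(f"{check}-fail")
    return findings


if __name__ == "__main__":
    print("spoofed :", analyse_message(SPOOFED_MESSAGE))
    print("internal:", analyse_message(INTERNAL_MESSAGE))
```

One caveat a practitioner should keep in mind: an Authentication-Results header is only meaningful if it was written by your own mail gateway (the `mail.ethz.ch` authserv-id in the sample is hypothetical), because a sender can include a forged one; gateways therefore normally strip any such header arriving from outside before adding their own.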
Many tactics appeal to emotions using well-known social engineering techniques.
Remarks such as "You must click on this link to reactivate your account within 24 hours" or "Your account is blocked" are used to create fear and exert pressure.
Illogical decisions are made under pressure. If you feel that the originator of the email is trying to pressure you emotionally, you may be being phished.
These can be signs of phishing emails:
- Emails that demand action and threaten consequences (such as loss of money, criminal charges, account or card blocking) are usually phishing attacks.
- Reputable service providers never ask their customers for passwords or credit card details by email or telephone.
- Spelling and grammar errors: Phishing emails often contain incomplete sentences or are badly translated.
- Delivery time: Phishing emails are often sent at an unusual time.
- Demands: The sender exerts time or moral pressure.
- Content: You are asked to perform an unusual action. For example, the sender demands that you reveal your passwords or other personal data.
- Salutation: You are addressed impersonally ("Dear customer") instead of by name. Being addressed by name is, however, no guarantee that an email is genuine, since names are easy to look up.
- URL: The URL is not the expected path. Use "mouse over" to check linked URLs before you click on them.
Even correctly formulated emails can be phishing attacks.
Legitimate website
If an email causes you to visit a website, make sure that you landed on the legitimate website before you enter any data.
- Is the URL of the website correct?
- Phishing links are "disguised": the visible link text looks like the address of the login page, e.g. "https://password.ethz.ch", while the actual link target is a different address.
- Often the text in the URL is slightly changed, e.g. "https://password.ehtz.ch".
- The URL points somewhere else: For example, "https://password.ethz.ch.free.fr"
- If you move your mouse over the link without clicking (hovering) and another, long domain name appears, this may be a phishing attempt.
- Is it an encrypted connection (https)? Phishing sites use https too, so encryption alone does not prove that a site is legitimate.
- Is the TLS certificate of this website valid and issued for the domain you expected? A valid certificate only confirms that you are connected to the domain shown in the address bar, not that this domain belongs to the organisation it imitates.
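The "mouse over" check from the list above, done on the HTML of a message instead of by hand. This is an added example and not part of the original page: the HTML body is constructed to contain the three disguises the list describes (visible text that differs from the link target, a typo-squatted domain, and the real name used as a sub-domain of a foreign domain), and the expected login host and trusted domain are hypothetical configuration. The registrable-domain helper keeps the last two labels only, which is a simplification that ignores suffixes such as co.uk.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption (hypothetical configuration): the domain the organisation's login pages live on.
TRUSTED_DOMAIN = "ethz.ch"

# Constructed HTML body of a phishing mail. The first link shows the real address as text
# but points elsewhere, the second is typo-squatted, the third is a genuine link for contrast.
SAMPLE_HTML = """
<p>Your account will be blocked in 24 hours. Reactivate here:</p>
<a href="http://password.ethz.ch.free.fr/login">https://password.ethz.ch</a><br>
<a href="https://password.ehtz.ch/">Password Service</a><br>
<a href="https://password.ethz.ch/">https://password.ethz.ch</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted domains such as ehtz.ch."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """'password.ethz.ch.free.fr' -> 'free.fr' (simplified: last two labels only)."""
    return ".".join(host.split(".")[-2:])


def check_link(href: str, text: str) -> list:
    """Return finding codes for one link; an empty list means nothing stood out."""
    findings = []
    host = (urlparse(href).hostname or "").lower()
    if urlparse(href).scheme != "https":
        findings.append("not-https")
    # Visible text that is itself a URL must point to the same host as the real target.
    if text.startswith(("http://", "https://")):
        text_host = (urlparse(text).hostname or "").lower()
        if text_host != host:
            findings.append("text-href-mismatch")
    if registrable_domain(host) != TRUSTED_DOMAIN:
        if TRUSTED_DOMAIN in host:
            findings.append("trusted-name-in-foreign-domain")   # ethz.ch.free.fr
        elif edit_distance(registrable_domain(host), TRUSTED_DOMAIN) <= 2:
            findings.append("lookalike-domain")                 # ehtz.ch
        else:
            findings.append("foreign-domain")
    return findings


def check_html(html: str) -> dict:
    """Map every link target in the HTML to its list of findings."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text) for href, text in collector.links}


if __name__ == "__main__":
    for href, findings in check_html(SAMPLE_HTML).items():
        print(href, "->", findings or "ok")
```

Only the registrable domain is compared against the expected one, which is exactly why "password.ethz.ch.free.fr" is caught: everything left of the last two labels is under the foreign owner's control.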