@sc137
Created April 24, 2018 23:25
This is a document that I researched and posted for a college. Please share with your users.

Safe Email Tips

Our email inbox is a "lifeline" of sorts to the world. Email is what we use to communicate with our peers and students. It's how we send proposals and requests, and how we receive assignments.

Avoiding email is not a realistic proposition, as email is often our primary focus when computing. Email is also a primary attack vector to our personal data and computer systems. Email-based computer attacks can be especially devastating, whether the attacker is a malicious person or a program (virus, worm, etc.).

We would like to offer a few tips on how to email safely.

Never Share Your Password

Email administrators should not ask for your password. Email administrators can reset your password if they need access to your account for troubleshooting or problem solving. As a rule, never give out your email password.

Scan Your Unopened Messages

Take a moment to look through the list of messages. Note strange-looking sender names or odd subject lines. Look for random-looking numbers, too much space, or anything out of the ordinary.

Don't open any suspicious email - not even with the preview pane. Just delete it.

Opening malicious email (even with the preview pane) will often download images and scripts from the internet. That is a powerful vector of attack.

Avoid Clicking on Links

Outlook displays email formatted as HTML by default. This makes for beautiful newsletters, but it can also hide the target URL (universal resource locator) behind the visible text.

For example, the email message may state "Click Here to enroll with the early bird savings!!!!" The words you see in the email are "Click Here", but when you click, the link may take you to a malicious site (e.g., steal-my-identity-please.com).

Be wary of email messages about services you use. Malicious sites often have URLs similar to ones you may know or expect: Amazzon, Wllamart, Yahooo, Chaase, etc. The malicious sites can compromise your computer when they load code in your browser that takes advantage of exploits in the browser, the computer, or plugins (Java, Flash, Adobe Reader, etc.).

One way to protect against this is simply to not click on any links that you aren't expecting and that are not from someone you know. You can hover your mouse cursor over links to see the target URL. You can right-click on the hypertext and copy the link, then paste it into your browser if you are sure it's OK.

You can also view all of your email as plain text.
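
The sketch below is an added example, not part of the original document. It shows what hovering over a link reveals: it lists the real target host behind each link's visible text, flags hosts that closely resemble a known service, and lists remote images that would be fetched when the message is opened. The `KNOWN_DOMAINS` list, the 0.85 similarity threshold, the helper names, and the sample message (including `tracker.example`) are assumptions made for illustration.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: services the reader really uses (hypothetical allow-list).
KNOWN_DOMAINS = ["amazon.com", "walmart.com", "yahoo.com", "chase.com"]

class LinkAudit(HTMLParser):
    """Collect (visible text, href) pairs and remote image URLs."""
    def __init__(self):
        super().__init__()
        self.links, self.remote_images = [], []
        self._href, self._text = None, []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src") or ""
        if tag == "a" and attrs.get("href"):
            self._href, self._text = attrs["href"], []
        elif tag == "img" and src.startswith(("http://", "https://")):
            self.remote_images.append(src)  # fetched when the message is opened
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def lookalike_of(host):
    """Return the known domain that host imitates, else None."""
    host = host[4:] if host.startswith("www.") else host
    if any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS):
        return None  # genuinely one of the known services
    close = [d for d in KNOWN_DOMAINS
             if SequenceMatcher(None, host, d).ratio() >= 0.85]
    return close[0] if close else None

def audit(html):
    """Return ([(text, host, imitated_domain)], [remote image URLs])."""
    parser = LinkAudit()
    parser.feed(html)
    hosts = [(t, urlsplit(h).hostname or "") for t, h in parser.links]
    return [(t, h, lookalike_of(h)) for t, h in hosts], parser.remote_images

# Constructed sample body; hosts reuse the document's own illustrative names.
SAMPLE = ('<p><a href="http://steal-my-identity-please.com/enroll">Click Here</a>'
          ' to enroll! <a href="https://www.amazzon.com/orders">Your Amazon order</a>'
          ' <a href="https://www.amazon.com/help">Help</a>'
          '<img src="http://tracker.example/pixel.gif?id=123"></p>')

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A host that is not flagged is not thereby safe: the first sample link imitates nothing, yet its visible text says only "Click Here".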

Avoid Opening Unexpected Attachments

Do not open an attached file that you aren't expecting even if it is from someone that you know. Attachments must always be opened with care.

Opening a file on your computer allows malicious code to execute directly on your system with your level of privileges. A malicious person can have immediate access to your computer and all of your files.

For example, if you ask your students to email in Word attachments for their term paper, open those attachments from those students.

You can avoid attachments altogether by using an online service and asking students to send you the link (see above for best practices about links).

Using Google Drive

You can create documents on Google Drive and use the "Share" button to send a link to that document.

Using Dropbox

Students using Dropbox (or any number of other file storage services) can upload their Word document and send you a "share" link that you can then copy from your email and paste into your browser to download.

Sending links to documents instead of attaching them to messages helps keep your inbox faster as well.

The prominent security firm RSA was attacked, and many costly secrets were lost, when someone opened a malicious Excel file (https://blogs.rsa.com/anatomy-of-an-attack/).

Web services such as Honey Docs allow their users to track your IP address and other information when images or documents are loaded (https://www.honeydocs.com).

Avoid Sending Personal or Private Information

Avoid sending user names and passwords in email messages, especially with the accompanying URL. One approach is to send the URL and username via email and then send the password from another system (not email). You could call the person, send them an instant message, or a text message.

Never send unencrypted documents that contain your personally identifiable information. This includes your SSN, address, etc.

Email sent off campus is stored on external servers and may be viewed by people you aren't expecting to view it.

It is safe to consider that any email message you send is a public document and any attachments are for the world to see. This is not hyperbole. The campus can only control email within our own systems.
