How to stay safe online: Communicate
According to Go ON UK, one in five British adults still don't have basic online skills such as being able to send and receive emails, browse the web for information, shop online or use social media sites.
Alongside financial constraints and disability, some of the main reasons people aren't going online are confidence, know-how and fears about security.
In this three-part series we'll look at each of the main basic online activities in terms of their potential dangers, what you need to do to stay safe and the free help that is available to protect you.
We'll be covering:
- Communicate: sending and receiving emails
- Find things: browsing the web safely
- Share personal information: shopping online and using social media
Figures suggest 196.3 billion emails are sent every day around the world, and according to an Ipsos poll, 85% of global Internet users use email. We think that makes it a pretty important skill to learn.
Not only are there a lot of emails being sent though, having an email address is more or less fundamental to most other online activities too, from online banking to opening a social media account.
Unfortunately, in February 2015 Symantec reported that 54% of all that email traffic was in fact spam.
Furthermore, they say that one in every 237 emails contained some kind of virus.
To use email safely and effectively then, it's important to learn how to recognise spam, as well as the preventative measures you can take to help protect your personal details and your computer.
Phishing and scams
According to Cisco's 2013 annual security report, the biggest danger of spam emails isn't in attachments, but in the email messages themselves.
"In modern email, links are king. Spammers design their campaigns to convince users to visit websites where they can purchase products or services. Once there, users' personal information is collected, often without their knowledge, or they are compromised in some other way," the report highlights.
The report reveals how just 3% of spam emails have an attachment - compared with 25% of legitimate emails.
Scams and fake advertising make up the bulk of all spam emails sent. Phishing and replica emails are another type of email spam, often spoken about in relation to identity theft and fraud.
Phishing is far from being the most prevalent form of email spam - in fact Symantec say it usually accounts for between 3% and 8% of spam emails - but like replica emails or websites, it can be one of the hardest to spot.
Phishing emails often pretend to be from trusted sources such as your bank, and aim to get you to click on a link to confirm your account details, or simply to login.
But anyone who does click will be entering their online banking details into a fake website, which the spammers can then exploit fraudulently. The fake site may also download malware onto your computer.
Malware is like a computer virus. But it specifically looks for personal information, such as passwords and bank details, to send back to the spammers. They may then sell on or use the information for fraud.
Here's an example of a replica bank email being used for phishing:
This is just an example, but in the UK it's common to receive similar emails purporting to be from legitimate sources such as HSBC, Natwest, Santander or even the Co-op.
It's common for people to receive emails from banks other than those they actually use; for example getting a message from HSBC when you bank with Nationwide.
It's rare, although not impossible, for spammers to know who you actually bank with, so they often rely on a scattergun approach to find victims.
Other common tricks to try to mask their spam status include:
- Using a subdomain or similar looking domain name, for example www.natwest.cu.com or www.natwestcu.com. This is also known as 'typo-squatting'
- Hiding fake URLs (web addresses) behind linked image buttons or text links, like "click here" or even "www.natwest.com"
- Masking the email address the message was sent from, i.e. using a legitimate email address, like "firstname.lastname@example.org", in the sent from field
While these tricks may seem sophisticated and hard to spot, you can also keep an eye out for things that are much more difficult to fake. We look at some of these below.
What help is available
First though, before setting up an email account and composing your first email, it's pretty important to install some kind of anti-virus software.
There are plenty of highly rated free anti-virus programs out there, and often it's these free versions the most computer literate - read IT geeks - turn to.
PC users are often recommended programs such as AVG Free; Mac OSX users can turn to providers such as Sophos for an anti-virus solution.
Both of these programs are free to download and will keep themselves updated against the latest threats without additional costs.
Some ISPs offer free access to anti-virus programs by McAfee for a certain period of time - often for a few months or up to a year, and in some cases for as long as you remain with that ISP.
But do check how long these programs are free for, as subscriptions to renew - and keep the program up to date - can cost varying amounts after the first year or so.
Paid Internet security programs do have their place (they can offer more features), but if budget constraints are an issue when it comes to getting online, we think it can be better to start with a long-term free solution that you know will continue to offer up to date protection against viruses and malware.
The major web-based mail providers automatically provide their own anti-virus protection, but note that this isn't a substitute for installing an anti-virus program on your computer.
Gmail, from Google, offers a comprehensive anti-virus system, to protect you and to help prevent viruses spreading. Gmail will automatically scan all your incoming and outgoing emails, including attachments, and notify you of any problems prior to you opening them. It's speculated that Gmail uses anti-virus software from Sophos.
Yahoo! Mail automatically scans and cleans all your incoming and outgoing emails using Norton anti-virus. They claim to block more than 15 billion spam messages a day.
Hotmail, from Microsoft, uses Symantec Brightmail (the company behind Norton) to protect against viruses and malware.
All three providers also use machine learning to filter out probable junk messages. You can help them improve by marking any junk mail you see as such, or by "whitelisting" non-spam messages - so they always come through.
That might mean having to look in the junk or spam folders every now and then. Some legitimate mail will sometimes end up there, but checking and marking mail from trusted senders as "not junk" will help the filters learn what is and isn't spam.
Email clients installed directly on your computer, such as Outlook or Mail for Mac, offer similar junk mail filters, but they won't scan for viruses unless the computer has a separate anti-virus program installed and set up correctly.
One of Hotmail's security features is the "alias email" tool, which allows users to create a dummy email address.
Emails sent to the alias address are filed separately, and if the address becomes subject to too much junk mail, it can be cut off without affecting your main address.
It also adds security too: it's only possible to log into Hotmail using the main email address, so no one who gets hold of the dummy address will be able to access your account.
What you need to do
As we've seen, there are lots of companies offering free support to help improve your security when sending and receiving emails.
However, it's also important to be aware of the steps you need to take yourself to remain protected.
Here are some tips to stay safe when emailing.
It's one of the most important things to do, so we'll mention it again here. Make sure to protect your computer with an up to date anti-virus program.
Filter junk mail
Most email clients will have junk mail filtering turned on by default. But there are often different settings and levels of protection. Make sure junk mail filtering is turned on and check you're happy with the level of settings.
As we've already mentioned, you can then mark the emails you receive as "junk" or "not junk". This helps to improve the filtering on your account by identifying senders you know to be either safe or suspicious.
Turn off previewing
Some mail clients allow you to preview emails before you fully open them. Generally this is a bad idea as it removes some of your control.
Spam messages often contain tracking images or "web beacons" which, when displayed - even in preview only - tell the sender that an email address is active, thus attracting more spam.
Instead, turn off previewing and only open emails you know are safe.
Should you 'bounce' emails?
Some mail clients, Mail for Mac is one, have a 'bounce' feature that sends a message back to the sender saying that the message couldn't be delivered as the delivery address doesn't exist.
The feature is designed to put spam senders off the track and reduce repeat mails.
However, the usefulness of bouncing spam emails is debatable.
For it to work, it requires the sender or spambots to be actively interested in weeding out invalid email addresses.
But because of the scattergun approach of many spammers, and the rate at which spambots operate (according to Trustwave the vast majority of spam is sent by just a few spambots) that seems unlikely.
Don't take the 'sent from' address at face value
It's actually very easy for senders to put whatever they like in the 'sent from' field when sending an email via a computer script.
In other words, when trying to work out if an email is spam or legitimate, don't assume the sent from address is telling the truth.
Take, for example, that message from the bank asking you to login or verify your details.
You can check where it really originated from by looking at the email headers: look for the "X-Originating-IP" field, or if that's not present, the "Received" header. These both show the path the email has taken, and neither can be faked.
What you're looking for here is the originating IP address. It's the only value within the "X-Originating-IP" field, but in the "Received" field you may have to trace it back to find the first IP. That's easier than it sounds - at one end will be your IP address, and at the other the originating IP address.
Once you've got this IP, run a check on it using an IP lookup tool such as the one at WhatIsMyAddress.com, which will tell you the location details to the nearest city.
If that result sounds iffy - perhaps it returns Krasnoyarsk, Russia - it's highly unlikely the email is genuinely from your bank.
We checked three spam mails using the WhatIsMyAddress.com IP Lookup tool mentioned above and found they were coming from Istanbul in Turkey, Dallas, Texas, and Warszawa in Poland.
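The header check described above, as an added example (not code from the original article): it reads "X-Originating-IP" if present, otherwise walks the "Received" lines from the oldest hop upward and returns the first non-private address. The sample message, hosts and addresses are constructed, and matching only bracketed IPv4 addresses is an assumption; lines recorded before the message reached your own mail provider are written by the sending side, so treat the result as a lead to check rather than proof.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample message; all hosts and addresses are made up
# (example domains and documentation IP ranges).
RAW = """\
Received: from mx.mailprovider.example (mx.mailprovider.example [192.0.2.10])
    by inbox.mailprovider.example with ESMTP; Tue, 03 Feb 2015 10:15:02 +0000
Received: from relay.sender.example (unknown [198.51.100.23])
    by mx.mailprovider.example with ESMTP; Tue, 03 Feb 2015 10:15:01 +0000
Received: from [10.0.0.5] (helo=pc)
    by relay.sender.example with SMTP; Tue, 03 Feb 2015 10:15:00 +0000
From: "Your Bank" <security@bank.example>
To: you@mailprovider.example
Subject: Please verify your account

Click the link to verify.
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Home/office and loopback ranges say nothing about location, so skip them.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_routable(text):
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:          # e.g. "999.1.1.1" is not an address
        return False
    return not any(ip in net for net in INTERNAL)

def originating_ip(raw):
    """Return (ip, header_name) for the earliest usable address, or (None, None)."""
    msg = email.message_from_string(raw, policy=policy.default)
    xoip = msg.get("X-Originating-IP")
    if xoip and is_routable(str(xoip).strip(" []")):
        return str(xoip).strip(" []"), "X-Originating-IP"
    # Each server adds its Received line at the top, so the last one is the oldest hop.
    for hop in reversed(msg.get_all("Received", [])):
        for candidate in IPV4.findall(str(hop)):
            if is_routable(candidate):
                return candidate, "Received"
    return None, None

if __name__ == "__main__":
    print(originating_ip(RAW))
```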
Don't click links in emails
Unless you know for sure an email message is trustworthy, it's always best to avoid clicking on links in emails - particularly if you have any suspicions about its origin.
Hiding fake web addresses in images or text links is an easy way to fool people into clicking links that end up taking you somewhere else.
Often mail clients will display the full address lurking behind a link: hover your mouse over the link for a short period and a small "tool tip" or message box should reveal the actual destination.
Another, slightly more complicated way to check where a link is really pointing is to view the html source of the email.
But the best rule is never to click, and instead always type the web address for your bank or any other site manually into your browser.
If you don't know the web address, search for the company name in a reputable search engine like Google, Yahoo! or Bing.
Look at the search results to make sure the site you're visiting is the right one; brand names rarely use anything other than just their name. For example, Amazon is always going to be www.amazon.co.uk, while Natwest will always be www.natwest.com.
Keep your email address under wraps
Lastly, be careful with your email address. The aim is to do what you can to prevent your email address from being picked up by spammers in the first place.
Here are some of the main ways your email gets into the hands of spammers:
- Automated robots scan the Internet for email addresses to use. To protect against this, never add your address to personal websites or blogs. Use a contact form instead. The same goes for social media: you should hide your page from search engines and people you aren't connected with anyway (see below for more on this), but then it's better to be extra cautious and keep your email address private. Communicate using instant messaging in Facebook, or direct messages on Twitter, for example.
- As mentioned, try to avoid opening junk mail if you can. It can tell the sender your email address exists, which will leave you open to being sent even more junk.
- Be careful when entering your email address into website forms, as some sites can be unscrupulous with your details, and it's not always obvious which these are. Check privacy policies when signing up for newsletters, opening accounts or buying goods online, to find out if they reserve the right to sell or otherwise distribute your email address. Most reputable companies won't do this, and they'll make it clear that they don't. If you're unsure, play it safe and go elsewhere.
Other email scams
As we mentioned, phishing only makes up around 3% of all spam emails, so you'll also need to be vigilant against the other 97%.
Adverts for pharmaceutical products and fake goods have traditionally made up the bulk of spam mail.
Other spam emails can include adult and dating content, replica sites (similar to phishing), casinos and weight loss offers.
Seasonal or topical spam emails are common too. PPI compensation scams, for example, have been widespread in the past few years.
Meanwhile there's been something of a resurgence for the good old scam email. Trustwave Statistics reported that in January 2015 around 85% of the spam their monitors intercepted was made up of such mail.
Scam emails generally try to trick the recipient into replying, and then disclosing personal information such as their name and address. Often once an initial reply has been made, further requests will start to come in, asking for more information and often money.
Some typical scams to watch out for include:
- "You have won the lottery", and please send us your details. Following up on these messages will often reveal that money needs to be paid upfront to release the winnings - which of course never materialise.
- "We need a business partner to help us export this money out of X foreign country, we'll give you 50% for doing so." Again, as soon as you reply they'll likely start asking you for money upfront.
- "We need someone to claim this person's estate/inheritance, if you do it you can keep 50%." It's a similar story here, and again it's really best not to reply to these types of mails.
Generally speaking, the old adage that if it sounds too good to be true it usually is, certainly applies to spam.
Another point to remember is best illustrated by the following:
In May 2012, Symantec reported that the seventh most popular spam subject line coming out of India was "Warning - You may not be protected by Norton. Update Now".
The message sent users to a site that downloaded malware onto their computer. This highlights a few things.
Firstly, it was possible to detect the email had been sent from India - so it was highly unlikely to actually be from Norton.
Second, it's important to be constantly vigilant, as even emails purporting to offer security protection can be replica spam mails.
But the main take-home is not to download software unless you're completely sure where it comes from.
Just like genuine banks won't ask you to log in via a link in an email, software and operating system updates should never require an email prompt or link; they'll always run from the programs themselves.
When in doubt, visit the site independently by typing the URL into your browser manually, and check for updates that way.
One final word of warning: spammers generally aren't nice people like you or me, and they will play on emotions and vulnerabilities, so don't be fooled.
In 2011, Pingdom.com reported that in the aftermath of the Haiti earthquake, spam emails were sent out in bulk requesting donations to help the people of Haiti. Of course, the emails and the websites taking the money were all fake.
As Pingdom said: "If you ever thought spammers as a group had any scruples whatsoever, that should set you straight."
Continue to the next section to find out how to stay safe when browsing the web for information.