How to stay safe online: Communicate
According to DotEveryone, 19% of UK adults - an estimated 10.4 million people - don't have basic online skills such as being able to send and receive emails, browse the web for information, shop online or use social media sites.
Aside from issues of access, financial constraints and disability, some of the main reasons people haven't got online are a lack of confidence or know-how, and fears about security.
In this three-part series we'll look at each of the main basic online activities in terms of their potential dangers, what we need to do to stay safe and the free help and protection available to users.
We'll be covering:
- Communicate: sending and receiving emails
- Find things: browsing the web safely
- Share personal information: shopping online and using social media
Figures suggest that somewhere in the region of 205 billion emails were sent every day in 2015; nearly 2.6 billion people (about a third of the Earth's population) use email. We think that makes it a pretty important skill to learn.
Not only does having an email address make it possible to send and receive our share of those billions of messages, but it's more or less fundamental to most other online activities too, from online banking to opening a social media account.
Unfortunately, according to Cisco's Annual Cybersecurity Report 2017, spam makes up almost two thirds of total email volume, with around 75% of spam emails containing some kind of malicious attachment.
To use email safely and effectively then, it's important to learn how to recognise spam, as well as what preventative measures we can take to help protect our personal details and computer.
Phishing and scams
Unexpected and malicious attachments can be relatively easy to spot and stop, as we'll explain below, but there's another threat that's more difficult to distinguish at first - and sometimes second and third - glance: the phishing email.
These are spoken about in relation to identity theft and fraud, and although phishing is far from the most common form of email spam - Symantec say it accounts for just 1% of spam email - we only need to fall for one phishing expedition to pay heavily.
Research carried out for the Norton Cyber Security Insights Report found that 38% of Britons couldn't identify a phishing email for definite.
Phishing emails work by pretending to be from trusted sources such as our bank or an online store we use regularly, with the aim of getting us to click on a link to confirm our account details, or simply to log in.
But anyone who does click will be entering their account details into a fake website, which the spammers can then exploit fraudulently. The fake site may also download malware onto our computer.
Malware is like a computer virus. But it specifically looks for personal information, such as passwords and bank details, to send back to the spammers. They may then sell on or use the information for fraud.
Here's an example of a replica bank email being used for phishing:
This is just an example, but in the UK it's common to receive similar emails purporting to be from legitimate sources such as HSBC, NatWest, Santander or even The Co-operative Bank.
It's also the case that many such emails appear to come from banks other than those we actually use; for example getting a message from HSBC when we bank with Nationwide.
It's rare, although not impossible, for spammers to know who we actually bank with, so they often rely on a scattergun approach to find victims.
Other common tricks to try to mask their spam status include:
- Using a subdomain or similar looking domain name, for example www.natwest.cu.com or www.natwestcu.com. This is also known as "typo-squatting"
- Hiding fake URLs (web addresses) behind linked image buttons or text links, like "click here" or even "www.natwest.com"
- Masking the email address the message was sent from, i.e. using a legitimate email address, like "firstname.lastname@example.org", in the sent from field
While these tricks may seem sophisticated and hard to spot, we can also keep an eye out for things that are much more difficult to fake. We look at some of these below.
What help is available
First though, before setting up an email account and composing our first email, it's vitally important to install some kind of anti-virus software.
Anti-virus programs spot malicious content in both the body of the email as well as any attachments, and in the other computer programs we download and use, so they're a critical line of defence against a large proportion of the threats we face.
There are plenty of highly rated free anti-virus programs out there, and often it's these free versions the most computer literate - read IT geeks - turn to.
PC users are often recommended programs such as AVG Free; Mac OSX users can turn to providers such as Sophos for an anti-virus solution.
Both of these programs are free to download and will keep themselves updated against the latest threats without additional costs.
Some ISPs offer free access to anti-virus programs such as those provided by McAfee for a certain period of time - often for a few months or up to a year, and in some cases for as long as we remain with that ISP.
But do check how long these programs are provided free of charge, as subscriptions to renew - and keep the program up to date - can cost varying amounts after the first year or so.
Paid Internet security programs do have their place (they can offer more features), but if budget constraints are an issue when it comes to getting online, we think it can be better to start with a long-term free solution that will continue to offer up to date protection against viruses and malware.
The major web-based mail providers automatically provide their own anti-virus protection, but note that this isn't a substitute for installing an anti-virus program on each of our computers and devices - including our smartphones.
Gmail, from Google, offers a comprehensive anti-virus system, to protect users and to help prevent viruses spreading. Gmail automatically scans all our incoming and outgoing emails, including attachments, and notifies us of any problems prior to us opening them. It's speculated that Gmail uses anti-virus software from Sophos.
Yahoo! Mail automatically scans and cleans all our incoming and outgoing emails using Norton anti-virus. They claim to block more than 15 billion spam messages a day.
Outlook.com, formerly known as Hotmail, uses Microsoft SmartScreen to protect against spam, viruses, and malware.
All three providers also use machine learning to filter out probable junk messages. Users can help them improve by marking any junk mail they receive as such, or by "whitelisting" non-spam messages so they always come through.
That might mean having to look in the junk or spam folders every now and then. Some legitimate mail will sometimes end up there, but checking and marking mail from trusted senders as "not junk" will help the filters learn what is and isn't spam.
Email clients installed directly on a computer, such as Outlook or Mail for Mac, offer similar junk mail filters, but they won't scan for viruses unless the computer has a separate anti-virus program installed and set up correctly.
One of Outlook.com's security features is the "alias email" tool, which allows users to create a dummy email address.
Emails sent to the alias address are filed separately, and if the address becomes subject to too much junk mail, it can be cut off without affecting the main address.
It adds security too: it's only possible to log into Outlook.com using the main email address, so no one who gets hold of the dummy address will be able to access the account.
What you need to do
As we've seen, there are lots of companies offering free support to help improve our security when sending and receiving emails.
However, it's also important to be aware of the steps we need to take ourselves to remain protected.
Here are some tips to stay safe when emailing.
It's one of the most important things to do, so we'll mention it again here. Make sure to protect every computer and device you use with an up to date anti-virus program.
Filter junk mail
Most email clients will have junk mail filtering turned on by default. But there are often different settings and levels of protection. Make sure junk mail filtering is turned on and experiment a little with the different levels to find the right balance.
Then, as mentioned above, it's worth marking the emails we receive as "junk" or "not junk" to help improve the filtering on our account by identifying the senders we know to be safe - or suspicious.
Turn off previewing
Some mail clients allow us to preview emails before we fully open them. Generally this is a bad idea as it removes some of our control.
Both spam and genuine marketing messages often contain tracking images or "web beacons" which, when displayed - even in preview only - tell the sender that an email address is active, thus attracting more spam.
Turning off previewing - and turning off automatic downloading of images in emails - will help prevent spammers from receiving that notification and help keep us safe. If an email is from a genuinely safe sender, it'll only take a couple more clicks to open the message and download any images we need to see.
Should you 'bounce' emails?
Some mail clients, Mail for Mac is one, have a "bounce" feature that sends a message back to the sender saying that the message couldn't be delivered as the delivery address doesn't exist.
The feature is designed to put spam senders off the track and reduce repeat mails.
However, the usefulness of bouncing spam emails is debatable.
For it to work, it requires the sender or spambots to be actively interested in weeding out invalid email addresses.
But because of the way many spammers and spam bots work - with as much as 90% of spam originating from fewer than a dozen bots sending out high volumes of spam messages in short bursts from a different setup each time - that seems unlikely.
Don't take the sender's address at face value
It's actually very easy for spammers to put whatever they like in the "sent from" field when sending an email via a computer script.
In other words, when trying to work out if an email is spam or legitimate, don't assume the sender's address is telling the truth.
Take, for example, that message from the bank asking us to log in or verify our details.
We can check where it really originated from by looking at the email headers: look for the "X-Originating-IP" field, or if that's not present, the "Received" header. These both show the path the email has taken, and neither can be faked.
What we're looking for here is the originating IP address. It's the only value within the "X-Originating-IP" field, but in the "Received" field we may have to trace it back to find the first IP. That's easier than it sounds - at one end will be our IP address, and at the other the originating IP address.
Once we've got this IP, run a check on it using an IP lookup tool such as the one at WhatIsMyAddress.com, which will reveal the location details to the nearest city.
If that result sounds iffy - perhaps it returns Krasnoyarsk, Russia - it's highly unlikely the email is genuinely from our bank.
We checked three spam mails using the WhatIsMyAddress.com IP Lookup tool mentioned above and found they were coming from Istanbul in Turkey, Dallas, Texas, and Warszawa in Poland.
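The header check described above, as an added example that is not part of the original article: it reads "X-Originating-IP" if present and otherwise traces the "Received" lines back to the first hop. The sample message is constructed, every host name and address in it is a placeholder, and the function names are chosen for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message: every host name and address is a placeholder.
RAW = """\
Received: from mx.mailhost.example (mx.mailhost.example [198.51.100.7])
\tby inbox.ourprovider.example with ESMTPS; Tue, 07 Mar 2017 10:15:02 +0000
Received: from relay.sender.example (unknown [203.0.113.45])
\tby mx.mailhost.example with ESMTP; Tue, 07 Mar 2017 10:15:00 +0000
Received: from [192.168.1.20] (localhost [127.0.0.1])
\tby relay.sender.example with ESMTP; Tue, 07 Mar 2017 10:14:58 +0000
From: "NatWest Security" <security@natwest.example>
To: us@ourprovider.example
Subject: Please verify your account

Please log in to confirm your details.
"""

BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
# Home and office network ranges, which say nothing about location.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def routable_ips(header_value):
    """IP addresses in square brackets, minus loopback and local-network ones."""
    found = []
    for text in BRACKETED_IP.findall(header_value):
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            continue  # bracketed text that is not an IP address
        if not (ip.is_loopback or any(ip in net for net in LOCAL_NETS)):
            found.append(str(ip))
    return found


def hop_path(raw_message):
    """First routable IP of each Received line, oldest hop first."""
    msg = message_from_string(raw_message)
    # Each server adds its line at the top, so reversing gives sending order.
    hops = [routable_ips(h) for h in reversed(msg.get_all("Received", []))]
    return [ips[0] for ips in hops if ips]


def originating_ip(raw_message):
    """X-Originating-IP when present, otherwise the oldest Received hop."""
    declared = message_from_string(raw_message).get("X-Originating-IP")
    if declared:
        return declared.strip(" []")
    path = hop_path(raw_message)
    return path[0] if path else None
```

The last entry of `hop_path` is the hop our own provider recorded first-hand; the entries before it are reported by the servers earlier in the chain.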
Don't click links in emails
Unless we know for sure an email message is trustworthy, it's always best to avoid clicking on links in emails - particularly if there's any suspicion about its origin.
Hiding fake web addresses in images or text links is an easy way to fool people into clicking links that end up taking us somewhere else.
Often mail clients will display the full address lurking behind a link: hover the mouse over the link for a short period and a small "tool tip" or message box should reveal the actual destination.
Another, slightly more complicated way to check where a link is really pointing is to view the html source of the email.
But the best rule is never to click, and instead always type the web address for our bank or any other site manually into our browser.
When we don't know the web address, search for the company name in a reputable search engine like Google, Yahoo! or Bing.
Look at the search results to make sure the site we're visiting is the right one; brand names rarely use anything other than just their name. For example, Amazon is always going to be www.amazon.co.uk, while NatWest will always be www.natwest.com.
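Checking the HTML source of an email for links whose visible text or image hides a different destination, as an added example that is not part of the original article. The email body is constructed from the look-alike addresses quoted earlier, and `LinkCollector`, `host_of` and `audit_links` are names chosen for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed email body using the look-alike addresses quoted in the article.
HTML_BODY = """\
<a href="http://www.natwest.cu.com/login">www.natwest.com</a>
<a href="http://www.natwestcu.com/verify"><img src="button.png" alt="Click here"></a>
<a href="https://www.natwest.com/help">Help pages</a>
"""


class LinkCollector(HTMLParser):
    """Collect (real destination, what the reader sees) for every link."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._shown = [], None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href, self._shown = attrs.get("href") or "", []
        elif tag == "img" and self._href is not None:
            self._shown.append(attrs.get("alt") or "[image]")

    def handle_data(self, data):
        if self._href is not None:
            self._shown.append(data.strip())

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(filter(None, self._shown))))
            self._href = None


def host_of(address):
    """Host name of a web address, with or without a leading http://."""
    parsed = urlparse(address if "//" in address else "//" + address)
    return (parsed.hostname or "").lower()


def audit_links(html, trusted_domain):
    """(destination host, shown text, reason) for links leaving trusted_domain."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, shown in collector.links:
        real = host_of(href)
        if real == trusted_domain or real.endswith("." + trusted_domain):
            continue
        looks_like_url = "." in shown and " " not in shown
        mismatch = looks_like_url and host_of(shown) != real
        reason = "text shows another address" if mismatch else "not " + trusted_domain
        findings.append((real, shown, reason))
    return findings
```

Calling `audit_links(HTML_BODY, "natwest.com")` reports the first two links and passes the third, which really does point at the bank's own domain.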
Keep your email address under wraps
Lastly, be careful with your email address. The aim is to do what we can to prevent our address being picked up by spammers in the first place.
Here are some of the main ways email addresses get into the hands of spammers:
- Automated robots scan the Internet for email addresses to use. To protect against this, never post an email address to personal websites or blogs. Use a contact form instead. The same goes for social media: we should hide our page from search engines and people we aren't connected with anyway (see below for more on this), but then it's better to be extra cautious and keep our email address private. Communicate using instant messaging in Facebook, or direct messages on Twitter, for example.
- As mentioned, try to avoid opening junk mail wherever possible. It can tell the sender our email address exists, which leaves us open to being sent even more junk.
- Be careful when entering email addresses into website forms, as some sites can be unscrupulous with our details, and it's not always obvious which these are. Check privacy policies when signing up for newsletters, opening accounts or buying goods online - look for anything suggesting they reserve the right to sell or otherwise distribute our information, including our email addresses. Most reputable companies won't do this, and they'll make it clear that they don't. If unsure, play it safe and go elsewhere.
Other email scams
As we mentioned, phishing only makes up around 1% of all spam emails - which means being vigilant against the other 99%.
Advertising for pharmaceutical products has traditionally made up the bulk of spam mail although the proportion has dropped considerably in the past few years.
An increasing amount of spam includes adult and dating content, with ads for fake goods, replica sites (similar to phishing), casinos and weight loss offers also common.
Seasonal or topical spam emails are common too. PPI compensation scams, for example, have been widespread in the past few years, and offers of tax rebates from HMRC also follow seasonal patterns.
Scam emails generally try to trick the recipient into replying, and then disclosing personal information such as their name and address. Often once an initial reply has been made, further requests will start to come in, asking for more information and often money.
Some typical scams to watch out for include:
- "You have won the lottery, please send us your details." Following up on these messages will often reveal that money needs to be paid upfront to release the winnings - which of course never materialise.
- "We need a business partner to help us export this money out of X foreign country, we'll give you 50% for doing so." Again, as soon as we reply they'll likely start asking for money upfront.
- "We need someone to claim this person's estate/inheritance, if you do it you can keep 50%." It's a similar story here, and again it's really best not to reply to these types of mails.
Generally speaking, the old adage that if it sounds too good to be true it usually is, certainly applies to spam.
Another point to remember is best illustrated by the following:
In May 2012, Symantec reported that the seventh most popular spam subject line coming out of India was "Warning - You may not be protected by Norton. Update Now".
The message sent users to a site that downloaded malware onto their computer. This highlights a few things.
Firstly, it was possible to detect the email had been sent from India - so it was highly unlikely to actually be from Norton.
Second, it's important to be constantly vigilant, as even emails purporting to offer security protection can be replica spam mails - indeed, in March 2017, Action Fraud UK reported an upward trend in emails claiming to be from anti-virus providers looking to exploit nervous and new computer users.
The main take-home is not to download software unless we're completely sure where it comes from.
Just like genuine banks won't ask us to log in via a link in an email, software and operating system updates should never require an email prompt or link; they'll always run from the programs themselves.
When in doubt, visit the site independently by manually typing the URL into the browser, and check for updates that way.
One final word of warning: spammers generally aren't nice people like you or me, and they will play on emotions and vulnerabilities, so don't be fooled.
In 2011, Pingdom.com reported that in the aftermath of the Haiti earthquake, spam emails were sent out in bulk requesting donations to help the people of Haiti. Of course, the emails and the websites taking the money were all fake.
As Pingdom said "If you ever thought spammers as a group had any scruples whatsoever, that should set you straight."
Continue to the next section to find out how to stay safe when browsing the web for information.