Chapter 8
Protecting Your E-Mail and Phone Calls

After web browsing, e-mail is probably the next most common use most of us have for our computers, especially at work. But e-mail can be a power for malice, as well as for good. Just as our coworkers and friends use e-mail to easily stay in touch with us, attackers can use e-mail to get to us as well. In fact, most enterprises consider e-mail to be the most common and dangerous technique attackers use to conduct cyberattacks.

In addition to being a path for attackers to target us, our e-mail accounts may also be the cornerstone of our online identities, as well. Websites use e-mail to notify us of account expirations, renewals, password changes, suspicious activity, and e-commerce transactions. Frequently, we use e-mail messages to prove to websites that we are who we say we are. So, our e-mail accounts need to stay safe, secure, and under our control. In addition to e-mail, we may also be targeted by telephone for various scams, or to attempt to take control of account password reset mechanisms.

This chapter discusses security for your communications, and includes how to protect your e-mail accounts, how attackers target you via e-mail, and how you can protect yourself against e-mail and other communications that may be malicious.

How E-Mail Works

The simple mail transfer protocol (SMTP) allows computers to communicate with one another by exchanging store-and-forward messages. Store-and-forward means that when you send an e-mail, it may not get to its destination immediately, but it will get there eventually.

To use e-mail, you must have an e-mail address and a mailbox. The e-mail address uniquely identifies you on the internet, just as a web address identifies a website. The e-mail address is formatted as “username@domain” where username is a unique user name and domain is a DNS (domain name system) name, just like a web address. Your company website and your e-mail address are named through the same DNS, so the domain names are usually the same. Your e-mail mailbox resides on a server that is normally always running and connected to the internet. Because the mailbox is always running, you can always receive e-mail, even when you are not connected or sitting at your computer. There are two primary approaches for setting up an e-mail account:

Create an e-mail account at an established internet service like Gmail or Yahoo, and use their mailbox service. This approach gives you an e-mail address [email protected] or [email protected] that ends with the domain name of the service you are using.

Establish your own mailbox service on a mail server you operate, which enables you to create any e-mail addresses you want, including multiple e-mail addresses. These e-mail addresses can include name1@yourdomain, name2@yourdomain, name127@yourdomain, and anything and everything in between.

The first approach is typically free or inexpensive, while the second approach requires that you establish your own mailbox server and infrastructure, like with hosting your own website. With both approaches, you get an e-mail address you can use on the internet. Registering for more than one e-mail address, or even hundreds or thousands of e-mail addresses, is relatively straightforward.

In addition to the ease of obtaining your own e-mail addresses, there is a second challenge to consider. The SMTP protocol specification does not include any built-in security. Consequently, it is possible for any computer to connect to any other computer speaking the SMTP protocol and send any e-mail message it wishes to that computer. E-mail protocols have been updated in recent years to include protection against potential malicious, counterfeit, or illegal e-mails. However, such protections are not 100% complete. Due to gaps in the security and its implementation, it is possible that the e-mails you get may not be what they appear to be.

Preventing Unauthorized Access to Your E-Mail Account

A first line of defense in protecting your e-mail has to do with access to your e-mail account. For web-based e-mail like Gmail, Microsoft Hotmail, or web services like Yahoo, the e-mail account is primarily protected by knowledge of your e-mail address (or username) and a password associated with the account. Multifactor authentication may also be available for your e-mail account. The use of multifactor technology for personal e-mail accounts is still relatively uncommon, while it is more commonly used for corporate e-mail accounts.

A major problem with e-mail is that people frequently use it to reset passwords for other accounts when those passwords have been lost or stolen. So, if an attacker gets control of your e-mail account, they may then be able to go to other accounts you use—like your online social media, gaming, shopping, or banking accounts—and then click on “forgot my password” to request an e-mail to allow them to reset the password. This technique works even if you have created separate, high-security passwords for your other accounts. Also, because attackers have access to your e-mail account, they can also delete the e-mail messages indicating that your account password was reset. In this way, they can cover their tracks and leave you in the dark that you have been hacked.

To prevent unauthorized access to your e-mail account, you should do the following:

Use good password practices. Consider the guidance in “Chapter 4: Protecting Your Passwords” about creating and maintaining strong passwords and rotating them regularly. When you access your e-mail from untrusted devices like friends’ computers, coworkers’ computers, or kiosk computers, you should assume the computer is compromised and everything you are doing is being recorded. Access as few accounts as possible and change your passwords afterward from a trusted computer or device.

Turn on multifactor authentication. If possible, enable multifactor authentication, which requires that you use a trusted computer to access your e-mail, or that you authorize access from a trusted device like your cell phone or your home phone. Note that multifactor authentication may not be compatible with older e-mail clients, such as older versions of Microsoft Outlook or the mail apps built into older Android or macOS releases. You may have to do some testing to make sure everything works acceptably well.

Check the password reset mechanism. Attackers who want access to your e-mail may try to get in through the password reset mechanism. Since your e-mail account cannot send a password reset message to itself, there will be a dependency on another e-mail account, a mobile device, or a telephone. Set up your e-mail password reset so it does not make your account more vulnerable to attack. If you have multiple e-mail accounts, configure them to back each other up, or to depend on access to a trusted telephone number. Make sure all these mechanisms are protected by different strong passwords!

Watch for unauthorized logins. In some e-mail clients like Gmail and Hotmail, you can check your account for login activity and recent security events like password resets. Use these tools periodically—maybe once a month—to make sure your accounts remain secure. Some tools can even tell you where in the world access attempts came from.

Watch your junk and deleted e-mail folders. Depending upon your e-mail application, malicious e-mails may get automatically detected and routed to your junk mail folder. Also, when attackers attempt to cover up their tracks, they may accidentally leave messages in your deleted e-mail folder. Periodically check both folders for suspicious activity. In your junk e-mail folder, you want to watch for e-mails that appear to be legitimate or appear to be from businesses you use or people you know. Such e-mails may indicate the businesses or people have been compromised or are being used to target you with phishing or spear phishing attacks. In your deleted e-mail folder, look for messages you did not delete. If those messages are related to password resets, account access, or logins to your accounts, you may have a problem. You should access your accounts to check for unauthorized transactions, password resets, or other activities you do not recognize. Contact your account holders (e.g., bank, credit card company) and inquire about such activities and reset your account accesses with strong passwords.

Check your account. As previously mentioned, the website www.haveibeenpwned.com checks your e-mail address against a number of publicly available breach databases to see if there are signs that the account has been compromised or its password may have been made available to hackers. This functionality is so useful that it has been integrated into the Firefox web browser. If you find evidence your account has been pwned (this means your password has been owned, hence pwned), make sure you change your password immediately and keep a vigilant eye on all your accounts for possible malicious behavior.

Be prepared to reset your account. If you find a sign that one of your e-mail accounts has been compromised or is under active attack, be prepared to reset your account. Resetting your account involves the following actions:

  • Make sure you can log on to the account.
  • Change your password.
  • Update the password on all your devices and any password managers you use.
  • Make sure the updated password is not used on any of your other accounts, and if so update them as well.
  • Double-check your password reset mechanism and its dependencies.
  • Keep a vigilant eye on all your accounts and activity for 30–90 days.

Recognizing Malicious E-Mail

In addition to trying to take over your e-mail account, attackers may try to send you malicious e-mails. Malicious e-mail messages are by far the most common avenue for attackers to target victims and their computers. Malicious e-mails generally target computers in one of the following ways:

E-mail display attack. When the user views a malicious e-mail, the e-mail exploits a vulnerability in the e-mail viewer or the operating system to take control of the victim’s computer. These attacks are only occasionally possible—e-mail viewer security is generally quite good—although there have been a few documented cases where e-mail display attack campaigns have been successful.

Malicious attachment attack. Attached to the e-mail, there are documents intended to trick the user or compromise their computer or device. These attachments may be actual software programs (uncommon), documents containing malicious content (more common), or documents that link to malicious websites (very common).

Malicious link attack. Within the e-mail, there are links to malicious websites that attempt to compromise the victim’s computer, trick the victim into entering credentials, or trick them into installing software that compromises their accounts or devices. This approach is also quite common.

Due to protections put in place by e-mail client vendors, and users becoming more cautious about attached documents and programs, malicious links and attachments have become the most common techniques used by malicious e-mail messages. E-mail solicitations have exploded, but are also increasingly filtered out by e-mail systems. Malicious e-mail attackers continue to adapt their techniques to get past the lines of defense and into your inbox.

To recognize potentially malicious e-mails, you should do the following:

Watch out for unexpected offers. The first sign of a potentially malicious e-mail is that it is unexpected, or presents an offer that is “too good to be true.” E-mails might say you need to click on a link to get money, or the attachment contains an invoice you need to read, or you need to install a program to safeguard your computer. If you were not expecting an e-mail notification or did not expect to get an e-mail with a document attached to it, the e-mail may be fraudulent.

E-mails telling you to act urgently. Another theme of malicious e-mails is they usually contain some pressure to act. Attackers may have to move quickly to stay ahead of authorities (and antimalware). If an e-mail is telling you to act now, resist the temptation and wait a bit.

E-mails claiming to be an authority. Malicious e-mails frequently claim to be an authority or other legitimate organization. They may claim to be from the IRS, the FBI, the police, a bank, a store, or a shipper. A particularly effective technique is to tell people they have a package and need to click on a link to arrange delivery. While an offer of money is usually too good to be true, what if you really did receive a package? Shippers usually have other ways to legitimately contact you, or to let you know the status of your shipment.

Links to unexpected places. Links in malicious e-mails seldom go to legitimate destinations. Hover over links without clicking on them to make sure they are what they appear to be. For example, a link from your bank should point to the bank’s website and not some other site. If you get an e-mail from [email protected] that contains a link to www.a1.com and you have never heard of “a1.com” then it may well be fraudulent. If you get an e-mail claiming to be from [email protected] but then the link points to www.a1.com you have even more reason to be suspicious. Hover over links and look at the web address. If the link does not start with a legitimate website that matches the e-mail address of the sender and is from an organization with which you do business, it is likely fraudulent.

Disguised attachments. Another trick attackers use is to disguise malicious attachments as innocent-sounding documents. One way to disguise attachments is to give the documents names that include an extension for an Adobe PDF document, word processing document, or spreadsheet, but end with an executable extension. Executable extensions include JavaScript (.JS), AppleScript (.SCPT), batch files (.BAT), command files (.COM), and program executables (.EXE). Depending on the configuration of your computer, you may not see the filename extension for the executable, but you may see that the icon for the document is not a document icon. Save attachments to your hard drive and examine them to make sure they are what they appear to be. Documents should appear to be documents, not programs. At this point, you can also have your antimalware software scan the document, if such a feature is available. To open the document, open up the appropriate application and use it to open the document, rather than “double-clicking” to open the document from the operating system. Legitimate documents should not request to install anything when they are opened.
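The two checks just described, hovering over links to compare them with the sender's domain and looking for an executable extension hidden behind a document name, can also be done by code. The following is an added example written for this chapter, not code from the book; it runs on a constructed sample message using only the Python standard library, and the two-label domain approximation it uses is a simplification noted in the comments.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message for this example (not a real e-mail): the sender
# claims to be a bank, one body link points somewhere else, and the attachment
# hides an executable extension behind a document-looking name.
RAW_MESSAGE = b"""From: "Example Bank Security" <alerts@example-bank.com>
To: customer@example.net
Subject: Action required: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://login.a1-secure-verify.example/reset">log in</a>
to keep your account active, or read our
<a href="https://www.example-bank.com/help">help page</a>.</p>
</body></html>
--b1
Content-Type: application/octet-stream; name="Invoice_2024.pdf.exe"
Content-Disposition: attachment; filename="Invoice_2024.pdf.exe"
Content-Transfer-Encoding: base64

Q29uc3RydWN0ZWQgc2FtcGxlIGJ5dGVz
--b1--
"""

# Extensions the chapter lists as executable, plus a few other common ones.
EXECUTABLE_EXTENSIONS = {"exe", "com", "bat", "cmd", "js", "jse", "vbs",
                         "scpt", "scr", "hta", "ps1", "msi"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                       "txt", "rtf", "csv"}
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def registered_domain(host):
    """Approximate the registered domain as the last two DNS labels.
    Sufficient for this example; production code should consult the
    public suffix list so that e.g. 'example.co.uk' is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(msg):
    """Registered domain of the address in the From header."""
    addr = email.utils.parseaddr(str(msg["From"]))[1]
    return registered_domain(addr.rsplit("@", 1)[-1])


def mismatched_links(msg):
    """Links in HTML parts whose host does not belong to the sender's domain
    (the 'hover over the link' check from the chapter, done by code)."""
    findings = []
    sender = sender_domain(msg)
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for url in HREF_RE.findall(part.get_content()):
            host = urlparse(url).hostname or ""
            if registered_domain(host) != sender:
                findings.append(url)
    return findings


def suspicious_attachments(msg):
    """Attachments with an executable extension, noting when a document
    extension is used to disguise it (e.g. 'Invoice.pdf.exe')."""
    findings = []
    for part in msg.iter_attachments():
        pieces = (part.get_filename() or "").lower().split(".")
        if len(pieces) < 2 or pieces[-1] not in EXECUTABLE_EXTENSIONS:
            continue
        reason = "executable extension"
        if len(pieces) >= 3 and pieces[-2] in DOCUMENT_EXTENSIONS:
            reason = "document name hiding an executable extension"
        findings.append((part.get_filename(), reason))
    return findings


def triage(raw):
    """Parse a raw message and report both indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {
        "sender_domain": sender_domain(msg),
        "mismatched_links": mismatched_links(msg),
        "suspicious_attachments": suspicious_attachments(msg),
    }


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

A link to the bank's own site is not flagged, while the link to an unrelated host and the double-extension attachment are.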

Application attachments. A favorite attack technique is to get the victim to simply install malware. Even if the attachment is obviously a program, a small percentage of victims will install it. Attackers know they can e-mail a million users and still get thousands of “hits.” Be very, very, cautious when you are directed to install software by some sort of online message. There is almost no legitimate reason why someone should e-mail you a program, unsolicited. Do not install or run application attachments unless you know exactly where they came from and why they had to be sent via e-mail. If you need to install software, it is much better to go to the vendor’s website or the app store and install the software from there.

Unusual e-mails from people you know. Phishing and spear phishing involve sending you e-mails that have been crafted to sound legitimate, and appear to be from people whom you know. Such “legitimate” e-mails are designed to increase the chances of you clicking on links, giving up your credentials, or installing malware. Spear phishing attacks use internet databases to target you personally, either from your personal address book, your social media contacts, or from other people with whom you have connections. Attackers may send e-mail using your name, your friends’ or acquaintances’ names, or even appearing to be from their e-mail addresses as well. If a message does not make sense, attempt to contact the sender using some other method—like a phone call—to see if it is legitimate.

Application install prompts. When reading e-mail, you should be reading messages, opening documents, and going to websites. You are not installing software! If a software installation prompt pops up while you are reading your e-mail, you have likely stumbled into something malicious. Stop what you are doing, click “cancel,” and do not proceed further. At work, you should report the suspicious e-mail to your internal computer support personnel and follow their instructions. At home, if you are using Microsoft Outlook, you should move the suspicious e-mail to your Junk E-mail folder, block the e-mail, empty the Junk E-mail folder, and then empty the Deleted Items folder. Alternatively, you can delete the suspicious e-mail and then empty the Deleted Items folder.

Recognizing Phishing, Spear Phishing, and Online Scams

Experts estimate that over a million new phishing websites are created every month, with many of those websites having a lifetime of less than 24 hours. Why is this? Because phishing is, by far, the most effective way for attackers to reliably get into target enterprises. Even if only 1% of people “click on the link” or “open the attachment,” attacks that send millions of e-mails generate thousands of victims for the orchestrators. Attackers intent on getting into a target organization are almost guaranteed a foothold if they can send phishing e-mails to a large enough number of employees.

A little bit of terminology. Phishing e-mails are e-mails sent to victims and prompting them to do something. These e-mails have a goal of getting the victim to go to a malicious website, give up their personal information, enter their credentials, or install malware on their computer. Spear phishing e-mails have the same objective but are personalized to target specific individuals using databases of personal information. Online scams may include combinations of phishing, websites, and even telephone calls that are all orchestrated “as a system” to work together, usually to get money from the victim. In addition to these terms, there is “clone phishing” which involves manipulating copies of legitimate e-mails to make them malicious, and “whaling” which involves spear phishing targeted at senior executives or highly privileged users.

To recognize phishing, spear phishing, and online scams, you should watch out for the following:

Typos. While e-mail attacks continue to get more sophisticated, their creators are only human, frequently in a hurry, and are often language-challenged. Typos, misspellings, and awkward phrasing are signs the e-mail message is phishing, rather than a legitimate message.

Nonspecific greetings. Nontargeted phishing may use a nonspecific greeting for a message (e.g., To Whom It May Concern). When FedEx is telling you that you have a package, FedEx frequently structures the message so it greets you by name and includes the particulars of the shipment and other details, so you can accurately understand the situation and what they need of you. Phishers doing a bulk mailing have none of these message elements, so the messages may be generic and nonspecific in an unusual way.

Inconsistent e-mail addresses. While it is technically possible to create phony e-mails from legitimate domains (known as “spoofing” e-mail addresses), recent security improvements have made such spoofing significantly more difficult, especially for large companies with hardened information technology (IT) infrastructures. So, attackers simply send e-mails from the e-mail domains they do have, knowing this approach only reduces their attack success a little bit. For example, when you get an e-mail claiming to be from FedEx, but it does not originate from an “@fedex.com” e-mail address, be very suspicious.

Other recipients. If the e-mail is sent to multiple recipients, are the other recipients people you would expect to see on the e-mail thread? Or is it a message that should be part of a thread that is only addressed to you? Attackers may use blind copy features to send a single e-mail to large numbers of recipients anonymously, but it means the e-mail to you looks more like a bulk e-mailing than a personal message. Unusual recipient lists can indicate a phishing attempt targeting your group or organization.

Unusual subject lines. When we correspond legitimately, we tend to use subject lines that are specific to the issue, or reflect the conversation we are having. Similarly, a service notification usually reflects the service involved, or the issue. Phishing subject lines are frequently generic, or inconsistent with the other content of the message.

Links to fraudulent logon pages. Another popular attacker technique is to tell you that you need to log on to an account to handle a problem, and then include a link to a page that looks just like the logon page for the account in question. It is relatively easy for attackers to copy the logon pages of banks, social media, or e-commerce sites, and make their counterfeit sites look just like the real things. Stop and take a hard look at the web address. Usually, the web address is completely wrong. If so, do not enter your credentials!

Asks for personal information. Another attacker technique is to send you to a web page and then ask you for personal information like home address, telephone number, credit card number, or social security number. Some people enter the information just because they were asked for it. You should not need to enter your banking information to participate in a survey. For example, a survey that offers to give you money if you enter your banking information is probably “too good to be true” (see below).

Threats of penalties. Attackers want you to act. They know their e-mail is going to get buried in your inbox in a matter of hours. Also, they frequently stand up and tear down their supporting infrastructure quickly—perhaps in a day or less. Therefore, they may include the threat of penalties in their e-mail message to prompt you to act quickly or immediately, while their entire scam is in place and ready to exploit you.

Offers too good to be true. Another attacker technique is to give you an attractive offer. Attackers may say you owe money, but people are more likely to respond if they think they are owed money. Many of us have received offers to save hundreds of dollars on a cruise by booking now. There is a fine line between an offer that is a good deal and one that is simply ridiculous. If you cannot imagine a real business making the offer, it probably is not legitimate.

Technical problems, legal trouble, or package deliveries. Common scams use threats of technical problems, legal troubles, or promises of package deliveries to try to get victims to click on a link or call scam phone numbers. Microsoft or Apple are not going to e-mail you to tell you your computer needs to be updated or that it has malware on it. Similarly, the FBI or IRS are not going to send you an e-mail saying you broke the law. While FedEx might e-mail you about a package delivery, you need to ask yourself if you were expecting a package in the first place, and then look up the tracking number on fedex.com to see if it is legitimate.

Current events. Finally, some of the more sophisticated scams capitalize on current events. For example, after a natural disaster, there is an increase in scams pretending to be from the Red Cross or purporting to be crisis relief. At tax time, there is a significant increase in scams purporting to be from the IRS or alleging to be about your tax return. When U.S. Medicare announced new ID cards in 2017, identity theft scams sent e-mails designed to exploit the transition, and spoofing the Medicare website to get seniors to give up personal information.

Guarding Against Counterfeit E-Mails and Secure E-Mail

Because e-mail protocols are inherently insecure, it may be possible for attackers to generate and send counterfeit e-mails. Counterfeit e-mails may appear to be from businesses where you have relationships, the government, or your friends. To reduce this risk, standards organizations have developed e-mail protections that make it harder to generate or transmit counterfeit e-mails. These protections include the sender policy framework (SPF), DomainKeys Identified Mail (DKIM), and domain-based message authentication, reporting, and conformance (DMARC). These protections make it harder for attackers to counterfeit e-mails targeting protected organizations. However, these protections are not complete internet-wide, so one cannot be guaranteed that any given organization is protected, all the time.
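SPF and DKIM each vouch for a domain, and DMARC is what ties that domain back to the address shown in the From header. The following added example (not from the book) shows that tying step, called alignment, run over two constructed Authentication-Results header values as a receiving server would record them; mx.example.net is a hypothetical receiving server, and only such headers added by your own server can be trusted, since anyone can write the header into a message they send.

```python
# Two constructed Authentication-Results header values (not captured from a
# real mail server). 'mx.example.net' is the hypothetical receiving server
# that performed the checks and added the header.
ALIGNED_HEADER = ("mx.example.net; spf=pass smtp.mailfrom=example-bank.com; "
                  "dkim=pass header.d=mail.example-bank.com; "
                  "dmarc=pass header.from=example-bank.com")
# Here SPF and DKIM both pass, but for the sender's own domain, not the one
# shown in the From header, so DMARC alignment fails.
UNALIGNED_HEADER = ("mx.example.net; spf=pass smtp.mailfrom=bulk-sender.example; "
                    "dkim=pass header.d=bulk-sender.example; "
                    "dmarc=fail header.from=example-bank.com")


def parse_auth_results(value):
    """Parse one Authentication-Results value into {method: {result, props}}.
    Clauses are separated by ';'. The first clause names the server that ran
    the checks (the authserv-id); each later clause is 'method=result' followed
    by property=value pairs such as smtp.mailfrom or header.d."""
    results = {}
    clauses = [c.strip() for c in value.split(";")]
    for clause in clauses[1:]:
        if not clause:
            continue
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        entry = {"result": result.lower()}
        for token in tokens[1:]:
            key, _, val = token.partition("=")
            if val:
                entry[key.lower()] = val.lower()
        results[method.lower()] = entry
    return results


def org_domain(host):
    """Organizational domain approximated as the last two DNS labels. A real
    implementation consults the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def dmarc_alignment(results, from_header_domain):
    """Relaxed DMARC alignment: the organizational domain of the From header
    must match either a passing DKIM signature's d= domain or a passing SPF
    MAIL FROM domain. This is what stops SPF/DKIM passes earned on an
    attacker's own domain from vouching for a counterfeit From address."""
    target = org_domain(from_header_domain)
    spf = results.get("spf", {})
    dkim = results.get("dkim", {})
    spf_ok = (spf.get("result") == "pass"
              and org_domain(spf.get("smtp.mailfrom", "")) == target)
    dkim_ok = (dkim.get("result") == "pass"
               and org_domain(dkim.get("header.d", "")) == target)
    return {"from_domain": target, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "aligned": spf_ok or dkim_ok}


def evaluate(header_value, from_header_domain):
    """Convenience wrapper: parse the header, then compute alignment."""
    return dmarc_alignment(parse_auth_results(header_value), from_header_domain)


if __name__ == "__main__":
    print("aligned sample:  ", evaluate(ALIGNED_HEADER, "example-bank.com"))
    print("unaligned sample:", evaluate(UNALIGNED_HEADER, "example-bank.com"))
```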

Consequently, you must be aware that counterfeit e-mails are always a possibility. This means an e-mail can still be malicious even if it appears to come from a legitimate organization where you have a relationship. The malicious e-mail can have a matching organization name and e-mail address. Further confusion comes from the fact that many legitimate e-mail messages come from third-party services providing payroll, shipping, facilities management, or other supporting business services.

To reduce these risks for the most sensitive e-mail messages, secure e-mail technologies are available for businesses to use. These technologies include the secure/multipurpose internet mail extensions (S/MIME) and pretty good privacy (PGP) standards, as well as web services for secure messaging. S/MIME and PGP messages may appear in your e-mail reader with lock or signature icons to show the messages are secure. Secure messaging web services, on the other hand, send you a text e-mail message that contains a web link to retrieve the actual message from a secure website. This technique is increasingly being used in the human resources and healthcare industries for sending sensitive personal information.

To guard against counterfeit e-mails and use secure e-mail, you should consider the following:

Be cautious. Understand that counterfeiting technology enables attackers to spoof even legitimate e-mail addresses. So, you must recognize the message is malicious based on other factors, like the context, the message, or suspicious links or attachments.

Know when secure messages are coming. Customer service personnel are generally trained to tell you when to expect a secure e-mail sent through a secure messaging web service. The challenge with these web services is that their messages include links you must click to get to the messages, which makes the messages look somewhat like phishing. Look at the messages carefully to make sure that everything is in order before you click the link. Secure messaging is usually used only for non-routine, confidential messages, rather than general business notifications.

Understand what S/MIME and PGP e-mail looks like. Find out whether your e-mail client can support secure e-mail, and what S/MIME or PGP messages look like in your e-mail client when you receive them. Unfortunately, not all e-mail clients can send or receive S/MIME or PGP messages, or they require special software to be installed beforehand. This limitation has hindered the adoption of these technologies.

Be careful of attachments and links. Even with secure messages, watch out for attachments and links. Attachments should match the context of the message and should almost never include executable files. Examine links carefully to make sure they are sending you somewhere that makes sense and looks like the right place once you get there. If the link is to a secure message service like “zixmail” make sure the link matches the secure messaging provider’s website or web service. If in doubt, open up a browser window and visit the secure e-mail provider’s website to make sure.

Guarding Against Unsolicited Phone Calls

We all dislike getting phone calls from telemarketers or other unsolicited requests. “Robocall” technology can call a number, recognize if it gets an answering machine, and then even start a conversation with the person who answers the phone. Due to the rise of robocall technology and declining costs, the percentage of phone calls that are unsolicited is dramatically increasing each year. Some experts predict that in the future more than half the calls you receive on your cell phone will be robocalls. Due to gaps in telephone security, robocallers can also spoof telephone numbers to make the calls appear to come from someone in your area code or an organization with which you do business. Some of the more nefarious scams may try to get you to say phrases like “okay” or “yes” or “I want this” over the phone, so they can record your voice, impersonate you, and make fraudulent telephone transactions elsewhere on your behalf.

To guard against unsolicited phone calls and telephone-based fraud, you should consider the following:

Check with your phone company. Some phone companies have services to automatically screen for unwanted, unsolicited, and potentially malicious scam calls. Inquire if this service is available for you, and activate it if possible.

Use the National Do Not Call Registry. Register your home and mobile phone numbers with the National Do Not Call Registry, available at www.donotcall.gov. You can also report unwanted calls at this website.

Buy a call blocker. Call blockers are devices that connect to your phone line and can filter which calls should be allowed through and which should be rejected. Some call blockers are manually configured, while others can automatically configure themselves, much like antivirus software on your computer. Configured call blockers can block robocalls, political calls, scam calls, and other unwanted calls.

Screen your calls. If you have doubts about an incoming call, let it roll over to voicemail. If the call is legitimate, the caller will leave a message. If it is a telemarketer, robocall, or a scam of some sort, most likely the “caller” will not leave a message.

Be careful what you say. Scammers may be trying to get you to say certain things so they can record and reuse your voice in a different context. If they ask, “can you hear me okay,” or “are you the homeowner,” simply respond with “why are you calling?” or “okay.” Try not to say “yes,” or “no,” as recordings of you saying these words can be useful for fraud. Once you start questioning them, scammers will frequently hang up.

Watch for scam charges. Watch your phone bills, credit card, and banking statements, especially after you have conducted business over the phone that seemed suspicious after the fact. If unauthorized charges are present, dispute them—the sooner the better.
