Safer Internet: Improve Email Privacy


[1] Is Email the Best Communication Method?

  • Type of information -- and its sensitivity? Audience? Timeliness?
  • Even though email should be encrypted in transit to mail server, it may no longer be private when stored on mail server or on recipient's computer; what if it becomes public later?
  • Verify intended addressees before sending, i.e., To:, cc:; autocomplete/autofill may be incorrect; Reply vs. Reply All
  • Use bcc: for groups to protect privacy and reduce Reply All volume
  • Email is not the best way to send large / many attachments -- see Share Files Privately
  • Is the email service provided by your ISP adequate, reliable, secure, well-maintained?
  • Email provider's privacy policy and business model?
    some providers, e.g., ProtonMail; Posteo; Tutanota; FastMail; Thexyz; Kolab Now; Mailbox.org, may provide more privacy or "end-to-end encryption"; see section Encryption, Anonymity
  • Ethical.net: Email services
  • Maybe communicate fragments of secrets over different channels, e.g., phone, text message, video, etc., to replace / complement email -- see section Talk and Chat Privately

[1] Protect Email Account

  • Use a 'permanent' account if possible, e.g., icloud.com, gmail.com, outlook.com
  • If you rely primarily on your ISP (charter, comcast, ashlandhome), what happens to your address if you move or change ISPs?
  • If your email account is hacked, change password immediately.
  • If that same password was used for any other accounts, be sure to update those accounts also.
  • Check Sent/Trash for any messages sent by hacker, e.g., password resets for other accounts.
  • Strengthen security answers; turn on 2-factor authentication if available, etc.

[1] Avoid Malware in Attachments and Links

  • Don't open/download unexpected attachments in messages; enable malware protection; check Sender:
  • [1] macOS: click on the little downward pointing “v” at the right of the From address to see address of sender
  • [2] macOS: Mail > View > Message > All Headers
  • Most email applications display messages as mini-web pages -- with problems (like web) of ad tracking, fraudulent links, etc.
  • Don't click on links in messages; even truer for unexpected messages about products/sites/services you don't use
  • Exceptions: after changing an email address on an account, the site often sends an email with a link to verify the address; others??
  • If an email asks you to click a link/button to address a problem or change your password, log in to the site directly using your password manager -- not the email links, unless you've just initiated an "I forgot my password" request
  • If it's an offer to update software, use the official methods described earlier to check, download and install
  • Quiz: Can You Identify Phishing Emails?
  • To avoid displaying possible mal-content, don't open or display message in first place:
  • macOS: Mail > ctrl-click msg > Delete (individual msg)
  • macOS: Mail > Mailbox > Erase Junk Mail (delete all w/o opening)
  • macOS: Mail > (drag dot on separator bar -- between message list & preview area -- to bottom of window); select & delete message(s); restore bar
  • iOS: Mail > (swipe left on title in message list) > Trash
  • When sending large attachments, enable "Mail Drop", which uses iCloud temporarily
  • macOS: Mail > Preferences > Accounts > (account) > Advanced > Send Large Attachments with Mail Drop
  • iOS: no need to set -- triggered automatically; select Use Mail Drop from popup
  • When sending attachments to a Windows user:
  • macOS: Mail > File > Attach Files > Options > Send Windows-friendly Attachments
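A sketch of the "check Sender:" / "All Headers" step above, added here as an example (not part of the original page): it reads the raw headers of a message and lists mismatches worth a closer look. The two sample messages, the function names and the finding labels are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: the display name shows one address, the real sender is another.
SUSPICIOUS = """\
From: "support@bank.example" <alerts@mail-secure.example>
Reply-To: helpdesk@other.example
Return-Path: <bounce@mail-secure.example>
To: you@example.org
Subject: Action required

Please verify your account.
"""

# Constructed sample: an ordinary message with nothing to flag.
ORDINARY = """\
From: Alice Example <alice@example.org>
To: you@example.org
Subject: Lunch

See you at noon.
"""

def domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def sender_findings(raw):
    """Return (actual From address, list of mismatches found in the headers)."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []
    # A display name that itself looks like an address from a different domain
    m = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if m and m.group(1).lower() != domain(addr):
        findings.append("display-name-address-mismatch")
    # Replies or bounces routed to another domain are a prompt to look closer, not proof
    for header, label in (("Reply-To", "reply-to-domain-differs"),
                          ("Return-Path", "return-path-domain-differs")):
        _, other = parseaddr(msg.get(header, ""))
        if other and domain(other) != domain(addr):
            findings.append(label)
    return addr, findings
```

Legitimate bulk mail often has a Return-Path at its mailing service's domain, so treat these findings as reasons to verify the sender by other means.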

[1] Reduce Spam

  • Don't forward chain letters or spam; check Snopes
  • Unsubscribe from reputable sources only; otherwise, you just confirmed validity of your address to a spammer
  • Limit auto-reply usage: omit dates (they reveal when your house can be burgled); auto-replies also confirm your address to spammers
  • It's difficult to reduce/eliminate spam once your email address has been disseminated, e.g., by replying to spammers, by making address public on a web site or forum, by malware harvesting your friend's Contacts, etc.
  • Use filters to minimize danger from phishing, and annoyance from spam;
    check Junk/Spam folder periodically for good messages, move messages to "train"
  • If using multiple devices and IMAP, centralize settings with mail provider
  • gmail.com: Spam: no setup required
  • gmail.com: Settings > Filters
  • If not centralized, spam and filter settings for individual device:
  • macOS: Mail > Preferences > Junk Mail
  • macOS: Mail > Preferences > Rules
  • The most common scams will target you through fake emails, text messages, voice calls,
    letters or even someone who unexpectedly shows up at your front door.
    Review all five scenarios for important red flags that could signal a scam.
  • 1. You're pressured to act immediately
  • Remember: In some cases, scammers can be friendly, sympathetic and seem willing to help.
    In others, they use fear tactics to persuade a potential victim, for example:
  • You're instructed to not trust your bank, or to respond to questions in untruthful ways.
  • You're pressured to send money.
  • You're threatened with law enforcement action.
  • You receive a request from a government agency or the IRS
    asking you for a payment and/or to verify your personal information.
    Scammers may threaten lawsuits or law enforcement action to trick you into acting quickly.
  • 2. You're asked to provide authorization codes
  • Remember: Authorization codes are important ways to verify who you are in order to access your account.
  • Never share your authorization codes, regardless of the reason someone gives you,
    unless you've contacted the company through a verified method.
    Once a scammer has your codes, they can gain full access to your accounts.
  • Your company should never text, email or call you asking for an authorization code.
    If someone reaches out to you and asks for it, it is a scam.
  • 3. You've received a suspicious text or email
  • Your account should not use email or text to ask you for personal information
    such as your account number, card PIN, Social Security number or tax ID number.
  • The best way to avoid email or text fraud is to remain vigilant.
    Never click on a link in an email or text message unless you are absolutely certain
    who sent the email and where the link is taking you.
  • Fraudulent emails or texts typically imply urgency, attempting to get you to act quickly
    before you have time to carefully read and examine the message.
    They often don't address you by name and contain obvious grammar and/or spelling errors.
  • 4. You're told to buy a gift card to pay a debt or a service.
  • Never share gift card information (such as the card's unique identifier number) with someone you don't know.
  • Criminals may pressure you to send funds via gift cards by asking for the code numbers
    or PINs on the backs of the cards so they can be redeemed immediately.
  • A scammer may tell you a story that they urgently need funds to pay a debt,
    for a medical emergency or they want to travel to see you.
  • 5. You're asked to deposit a check and return the money
  • Never cash a check for someone you don’t know.
    The bad check will be held against your account when it doesn't clear.
  • If you're asked to return money for overpayment of an item you’re selling, it’s most likely a scam
    and the bad check will be held against your account when it doesn't clear.
  • You're approached by a stranger who claims to have left their wallet at home and asks you to cash a check for them.
    Or you may be asked to deposit a check that overpays for something you’re selling, then send the difference elsewhere.

[2] Webmail in Browser: use HTTPS:

  • Webmail on your ISP's website, e.g., icloud.com/#mail, gmail.com, mail.yahoo.com, webmail.aol.com
  • Some ISPs, e.g., ashlandhome.net, may support HTTPS: only for desktop (not mobile) browser
  • If ISP also doesn't support SSL/TLS in email client (next), obtain a separate, secure account for your main communication; also more portable if you move or change providers
  • Some sites communicate only via secure email "portal", e.g., medical, financial

[2] Email Client App: use TLS/SSL for login, transfer, sending

  • Use SSL (Secure Socket Layer, or newer TLS: Transport Layer Security) in an email client app, e.g., Mail on iOS / macOS; Thunderbird, Outlook, Outlook Express; network: {Figure 6. TCYOP-4: 67}
  • i.e., for your account: login, transfer, sending
  • When adding an account, certain providers may have automatic settings/templates
  • iOS: Settings > Accounts & Passwords > Add Account
  • macOS: Mail > Accounts > +
  • Otherwise, check email app or email provider's site for configuration details, e.g., mail settings tool
  • Login, transfer: enable SSL for IMAP or POP email; {Figure 16: TCYOP-4: 120; TCYOP-3: 96}
  • Do not use unencrypted POP, e.g., earthlink
  • IMAP: better for sharing messages & folders between devices; webmail; backup?
  • if using IMAP, check if supported by email provider; enable if necessary
  • iOS: Settings > Mail, Contacts, Calendars > (account) > Account > Advanced > Use SSL
  • macOS: generally, adding a new account will automatically enable SSL for receiving & sending; to check this:
  • macOS: Mail > Inbox > (ctrl-click) > Account Info > Summary > Incoming SSL: on
  • macOS (older): Mail > Preferences > Accounts > (account) > Advanced > Use SSL
  • Sending: enable SSL, i.e., SMTP server
  • Can you access email easily while traveling, esp. sending?
  • iOS: Settings > Mail, Contacts, Calendars > (account) > Account > SMTP > (server) > Use SSL
  • macOS: Mail > Inbox > (ctrl-click) > Account Info > Summary > Outgoing SSL: on
  • macOS (older): Mail > Preferences > Accounts > (server) > Account Info > Outgoing Mail Server (SMTP) >
    Edit SMTP Server List > (server) > Advanced > Use SSL

[2] Reduce Email Tracking

  • Disable image display -- to minimize tracking; extra benefit: slightly faster display
  • macOS: Mail > Preferences > Viewing > Load content in remote messages
  • macOS: Mail > (individual message) > Load Remote Content
  • iOS: Settings > Mail, Contacts, Calendars > Load Remote Images
  • Some messages provide a link to view the message in browser, which, if configured properly, might provide better security.
  • More selective solutions are being developed to block 1x1 tracking pixels (all, or selected marketers), analogous to Browsing: Adware; e.g., PixelBlock, UglyMail; stay tuned
  • Create different email addresses or aliases for different purposes -- via different providers: iCloud, Yahoo, Gmail, Live, etc.
  • Apple allows 3 aliases that are redirected to main account, e.g., main: johnsmith@icloud.com; aliases: jsmithabc@icloud.com, jsmithdef@icloud.com, jsmithghi@icloud.com
  • macOS: Mail > Preferences > Accounts > iCloud > Edit: Email Address > (icloud.com/) > Mail > Add an alias
  • Some providers allow "+" suffix, e.g., johnsmith+amazon@icloud.com, john.smith+facebook@gmail.com; those recipients appear in main Inbox
  • This allows you to track who gave out your address, and to set up email filters; addresses completely separate from your main account are desirable for password resets, even though inconvenient; it also could provide some anonymity if your address is leaked later; unfortunately, some sites may not allow "+" in username or email contact fields.
  • [Spam]: 'Gmail: Your address has more or fewer dots (.) or different capitalization'
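An added example (not part of the original page) covering two points from this section: what loading remote images would contact, including 1x1 tracking pixels, and which "+" suffix a message was addressed to. The sample message, host names and function names are constructed for illustration.

```python
import email
from email import policy
from email.utils import getaddresses
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not real mail): a banner, a 1x1 beacon, an embedded logo.
SAMPLE = """\
From: Shop News <news@shop.example>
To: John Smith <johnsmith+amazon@icloud.com>
Subject: Spring sale
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Sale!</p>
<img src="https://cdn.shop.example/banner.png" width="600" height="200">
<img src="https://t.mailer.example/o?u=12345" width="1" height="1">
<img src="cid:logo">
</body></html>
"""

class ImgFinder(HTMLParser):
    """Collect remote <img> hosts; flag images declared 1x1 or smaller."""
    def __init__(self):
        super().__init__()
        self.remote = []  # (host, looks_like_pixel)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = urlparse(a.get("src") or "")
        if tag != "img" or url.scheme not in ("http", "https"):
            return  # cid: and data: images are embedded; nothing is fetched
        size = [(a.get(k) or "").strip().lower().replace("px", "") for k in ("width", "height")]
        self.remote.append((url.hostname, all(s in ("0", "1") for s in size)))

def audit(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    finder = ImgFinder()
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        finder.feed(body.get_content())
    # A "+" tag on the recipient address names the sign-up this mail was sent to.
    tags = []
    for _, addr in getaddresses([str(v) for v in msg.get_all("To", [])]):
        local = addr.split("@")[0]
        if "+" in local:
            tags.append(local.split("+", 1)[1])
    return {"remote_images": finder.remote, "plus_tags": tags}
```

Not every beacon declares a 1x1 size, and any remote image fetch tells its host that the message was opened, which is why disabling remote content is the broader setting.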
