Safe Email Practices
This collection of tips is designed to help you check your email safely. We don't want our users to fall victim to a trick, but we also don't want you to be scared to check your email. Be prepared, and proceed with peace of mind.
If you believe someone may already have your password, jump to the post-compromise guide.
If you are unfamiliar with any of the terms in this document, see the glossary. If that doesn't help, email email@example.com and request clarification. We want this guide to help everyone, so let us know if it's not helping you.
Be aware. Any time you're about to type your password, stop for a second and make sure what you're doing makes sense. The rest of these tips deal with specifics, but if you only remember one thing, remember to keep your eyes open and your mind engaged.
Your password is your password. Do not reveal your password to anyone -- that includes tech support! Your password is a secret only you should know.
We will never ask for your password. We don't need a password to access your accounts. We may ask you to log in, but we don't need you to speak, write, email, or otherwise give us knowledge of your password. If someone asks to know your password, assume it is a trick.
Never email passwords. Email is not an appropriate way to transmit a password. If someone asks you to send an email containing your password, assume it is a trick.
Distrust links. Bookmark important pages, like your login page. If you decide to follow a link, don't assume that the person who made it is telling the truth about where it goes. Verify where it actually leads by hovering the mouse cursor over it. After you follow it, check the URL bar to make sure you are looking at the page you think you're looking at. If for any reason you are unsure about whether a link is safe, do not use it.
The most common scam in emails (lately) is to include a link, claiming that this will take you to your email login page (or something similar). The link actually goes to a site controlled by the spammer. If you enter your username and password, you have given them away, and should consider your account compromised.
Close does not count. fsu.edu is not the same as fsu.edu.example.com, or fsu.edu.tz, or f5u.edu. Look closely at URLs. If you are not positive that the site you are on is real, don't trust it with sensitive information like your password.
For example, let's say you get an email saying there's a problem with your account. Included is a link to log in and check on the problem. Is the link real or a trick?
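The "close does not count" rule above can be written down as a check: a link is trusted only if its host is the trusted domain itself or ends in "." followed by it. The example below is added here and is not part of the original guide; the trusted domain list and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Domains this example treats as trusted (constructed for the example).
TRUSTED_DOMAINS = ("fsu.edu",)


def hostname_of(link):
    """Return the lowercase host part of a full URL, or None if it has none.

    The input is the complete address shown when hovering over the link;
    a bare word with no scheme has no host and cannot be judged.
    """
    host = urlsplit(link).hostname
    if not host:
        return None
    # Drop a trailing dot so "fsu.edu." compares equal to "fsu.edu".
    return host.lower().rstrip(".")


def is_trusted_host(link, trusted=TRUSTED_DOMAINS):
    """True only if the link's host IS a trusted domain or a subdomain of one.

    Matching is anchored at a dot boundary, so:
      - "fsu.edu.example.com" (trusted name as someone else's subdomain) fails
      - "fsu.edu.tz"          (different top-level domain) fails
      - "f5u.edu"             (look-alike spelling) fails
      - "www.fsu.edu"         (real subdomain) passes
    urlsplit also strips user-info, so "http://fsu.edu@evil.example.com/"
    is judged by its real host, evil.example.com.
    """
    host = hostname_of(link)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in trusted)


if __name__ == "__main__":
    # Constructed sample links, as they might appear on hovering.
    for link in ("http://www.fsu.edu/login",
                 "http://fsu.edu.example.com/login",
                 "http://fsu.edu.tz/",
                 "http://f5u.edu/",
                 "http://fsu.edu@evil.example.com/"):
        print(("trusted  " if is_trusted_host(link) else "SUSPECT  ") + link)
```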
Distrust the From: address. Just like the return address on an envelope, the From: field of an email says whatever the sender wants. Therefore, just because an email says it's from someone you trust, or a computer support technician, don't suddenly become willing to do things you would normally consider unwise, like revealing your password, or blindly trusting a link.
If something seems suspicious, it doesn't hurt to pick up the phone and call the person who (supposedly) sent the email.
Distrust attachments. Before you open an attachment, you should stop and ask yourself:
- Who sent this?
- Is this something I need?
- Was I expecting to receive this attachment?
- What type of file is this?
If you are unsure about any of those things, it's worth taking a moment to call the sender to verify what they sent you. You can also get in touch with computer support if you prefer, or if the sender cannot be reached.
Anything that runs is especially dangerous. This obviously includes programs (something.exe), but less obviously includes screensavers (something.scr). This concept extends well beyond email. In general, you shouldn't need to run any programs that aren't already installed on your computer. If you believe you do need a new program, let us know. Under no circumstances should you run a program or screensaver you received by email.
Let us help. If you have a question about a message, aren't sure if it's legitimate, or simply want to report a scam attempt, you can always forward a copy to firstname.lastname@example.org. We can help you decide what to do with the message. If it's a scam, we'd like to know it's going around so that we can warn others to be on the lookout.
If you report a message, we'd prefer to receive the full original headers. If you're using Thunderbird:
- While viewing the questionable message, open the "View" menu.
- Hover the mouse cursor over "Headers".
- Click "All". (Choices should be "All" and "Normal".)
- Forward the message.
- Switch Headers back to Normal.
My account may be compromised. What do I do?
Change your password immediately.
To change your mail password: Log in to webmail. Click the "Password" link at the top of the page (with the lock icon). Enter your current password for "Old password", and enter a new, safe password for "New password". Enter it again for "Confirm new password", then click "Change Password".
To change your Windows login password: Log in to your Windows workstation. Press Ctrl+Alt+Del. Click "Change a password". For "Old password" enter your current password. For "New password" and "Confirm password" enter a new, safe password.
If you used the same password for any other accounts, anywhere, you should change those passwords as well.
We also encourage you to let us know about the event. We can help you make sure your account is safe, and keep the situation from getting worse. While it may be embarrassing to admit you lost a password, it is much worse to find out that several thousand advertisements for various pills have been sent from your account.
If we discover the problem ourselves, we will have to disable your account. It will be unavailable at least until we can determine that it has been secured, and may be deactivated indefinitely. It will go more smoothly for everyone if you contact us as soon as possible and let us help.
We understand that people make mistakes, and we don't want you to be afraid to tell us about them. I have to give credit to folks in Biology. When mistakes are made, people typically tell us immediately, and we are able to take care of the situation before any damage is done.
Glossary
browser - Also known as a web browser. This is the program with which you view web pages. Examples include Firefox, Internet Explorer, Safari, Chrome, and Opera.
URL - Uniform Resource Locator. This means a web address. For example, http://www.fsu.edu is the URL of FSU's main page.
bookmark - This is a saved link, kept by your browser. In most browsers, when you are viewing a page, you can hit Ctrl+D to create a bookmark for the current page. You should see a dialogue box which will ask where you want to save the bookmark. You can save it either in a bookmark bar, which is always visible, or in a bookmark menu, which is a drop-down menu, found in the same area as File, Edit, and so on.
Windows domain - Also referred to as "the domain". You can use the same username and password on most Windows systems in the Biology Department because they are on the same domain. If someone gets your Windows domain password, that person could log in as you on any department computer. They could also get access to your network shares.
Note that this is not the same as a domain name, which is part of a URL.
attachment - This is a file attached to an email. The text of the email is referred to as the body. Reading the body of an email is safe, but opening an attachment can be dangerous.
compromise - In the context of computer security, a compromise is a bad thing. An account is considered compromised if we are no longer certain of who has access. If you realize you have entered your password somewhere it does not belong, you should consider your account compromised.