Miserably bad advice about email

If I had a nickel for every time I've run across the advice about being wary of email messages from someone I don't know, I'd be richer than Bill Gates.

And yet, the advice is wrong. It's not even close. Think: buy high, sell low.  

A recent instance really got me riled.

After the Epsilon data breach, many companies emailed their customers with this bogus advice. One such company was Best Buy, the retailer that owns the Geek Squad. The Best Buy message to their customers included this:

As our experts at Geek Squad would tell you, be very cautious when opening links or attachments from unknown senders.

This implies that there is such a thing as a known sender. There is not.

The real danger comes from email messages that appear to be from people/companies you normally correspond with, but are, in fact, from bad guys.  

The next time you pick up your postal mail, look at the return address. Is it legit? Probably, but there is no guarantee. Same with email.

Most of the time the From address of an email message is legit, but, just as with postal mail, nothing prevents the sender from lying.

Forging the From address in an email message is no harder than doing so with postal mail.  

At least the Post Office offers a postmark. Mail with a return address in California, that was postmarked in Michigan, was actually sent from Michigan. There is no trusted third party that stamps or verifies email.

Techies may suggest looking at the hidden email headers.* They can be useful, but email headers too can be forged and they are hard to decipher.

Unknown senders are amateurs, the pros are more dangerous.

Conde Nast was swindled by an email message that appeared to be from their printer. 

The RSA employee who opened the malicious Excel spreadsheet certainly thought it came from a trusted source. Most RSA employees ignored the message because it was routed to their spam bucket.

The victim would not have opened a spam message that came from badguy@outtoscamyou.com. I don't know what the From address was, but I'm sure it appeared to be a known trusted person.  

As I wrote recently, Epsilon was warned by Return Path about spear phishing emails that appear to come from friends or co-workers.

Then too, there is the common scam from a friend who is traveling, lost their money and needs you to wire them enough cash to get home. Your friend didn't send the message.

Email can be bogus even if the From address was not forged. This happened to me recently.

I got a message from someone I know suggesting that I purchase something. It seemed out of character, and an examination of the email headers showed that the message originated in Russia. This, from someone who has never been to Russia. Someone whose Yahoo account had been hacked into.

The next time you are told never to open email from strangers, realize that the person offering the advice, although well meaning, doesn't know what they're talking about.

You can neither trust nor assume anything about an email message based on the From address.

Never ever.

*To see the normally hidden email headers in Gmail, click on the downward pointing triangle next to the Reply button and select Show Original (thanks for the reader comment). In my version of Yahoo email (there are multiple), look at the bottom of the email message at the line with buttons on the left for Delete, Reply, Forward and Spam. On the far right of this line is a text link to show the full headers. In Thunderbird v2 and v3, click on View -> Message Source.
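What examining those headers looks like in practice, as an added example that is not part of the original article: a short Python script that reads the raw message source, compares the From address with the Return-Path and Reply-To, and walks the Received lines oldest first. The sample message, its addresses and the provider name `myprovider.example` are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (documentation-range IPs, made-up host names).
RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.mailer.example.net (mx.mailer.example.net [203.0.113.45])
    by mx.myprovider.example with ESMTP id abc123;
    Mon, 04 Apr 2011 10:15:02 -0400
Received: from [198.51.100.7] (unknown [198.51.100.7])
    by mx.mailer.example.net with ESMTP id xyz789;
    Mon, 04 Apr 2011 18:14:58 +0400
From: "Your Friend" <friend@yahoo.example>
Reply-To: someone.else@freemail.example
Subject: You should buy this
"""

def domain(value):
    """Lower-cased domain of an address header, or '' if there is none."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def received_hops(msg):
    """Received lines as (ip, by_host), oldest first; servers prepend, so the file is newest first."""
    hops = []
    for line in reversed(msg.get_all("Received", [])):
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
        by = re.search(r"\bby\s+(\S+)", line)
        hops.append((ip.group(1) if ip else None, by.group(1) if by else None))
    return hops

def review(raw, my_provider):
    """Summarise what the headers claim and which part your own provider recorded."""
    msg = message_from_string(raw)
    hops = received_hops(msg)
    # Only lines stamped by your own provider are reliable; anything older
    # was written by servers you do not control and can be forged.
    trusted = [h for h in hops if h[1] and h[1].endswith(my_provider)]
    reply_to = msg["Reply-To"]
    return {
        "from_domain": domain(msg["From"]),                # free text, proves nothing
        "return_path_domain": domain(msg["Return-Path"]),
        "reply_to_differs": bool(reply_to) and domain(reply_to) != domain(msg["From"]),
        "claimed_origin_ip": hops[0][0] if hops else None,  # oldest hop, unverified
        "handoff_ip": trusted[0][0] if trusted else None,   # recorded by your provider
    }

if __name__ == "__main__":
    print(review(RAW, "myprovider.example"))
```

A mismatch between the From domain and the other fields is a reason for suspicion, not proof, and a match proves nothing either, since every field except the hand-off recorded by your own provider is supplied by the sending side.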
