Email Safety and Security (Part 1)

Jeff Jones, Research Fellow

Well, it's that time again. Chances are by the time you read this, another a la mode Annual Convention will have begun. Again this year, a thousand or so attendees will have made the trek to Las Vegas for a few days of fun, socializing and perhaps a little education as well. As in years past, I've had the distinct honor of serving as a guest instructor at the invitation of a la mode . The goal is to expand the selection of subject matter outside the a la mode software and into other areas that have practical application for appraisers both in the field and in the office.

Again, I was given the opportunity to choose which topics I felt would be of most interest and, at the same time, apply to the average appraisal shop. As an IT provider that specializes in the real estate appraisal industry, much of my work centers around building and maintaining reliable, scalable and secure computer networks...both simple and complex...large and small. The fact is if your computers don't work, you don't work. It's that simple. This as well as past professional experiences led me to one of my topics...Computer and Network Security.

This paper is the first of several covering varying sub–topics from that Las Vegas class. This article is Part 1 in a series that addresses e–mail safety and security. Subjects to follow will include firewalls, virus protection, Internet security and others.

It's important for me to make the point that some of these suggestions might be viewed by others in my profession as "blanketed" or even simplistic. These are my solutions and my opinions developed over years of serving this industry. The fact is some IT professionals choose to take the "protect the user from themselves" route while some including myself believe in a more reasonable (and often less costly) approach which places an element of responsibility on the user. The "Teach a man to fish..." approach if you will. Bottom line...if what I talk about here contradicts your current IT provider's practices, I yield to their expertise and knowledge of your particular network.

Email Attachments

As much as I like to think that most computer users know how to approach checking their e–mail in a responsible manner, many times I find this not to be true. Your Inbox is the constant target of unrelenting Spammers, Pfishers and other cyberscum. Virus attachments, Trojans and other malicious code come in under the title "Read Me" or "This is cool!!" Many times the message is even from someone you know and receive mail from on a regular basis. I've read many articles on mail security and most seem to be written with the assumption the reader actually knows a virus from a Trojan or what defines spam. The fact is it's much simpler than that. It is VERY rare that you would compromise your computer by simply reading or viewing an e–mail message (although there are exceptions which we will talk about in future articles). It's the attachment that poses the most risk to the reader. But the good news is that by applying a very simple set of rules, you can guard against this common threat.

Simply ask yourself these two questions whenever you receive any e–mail that contains an attachment...

• Do I know who it is from? If you cannot absolutely answer "Yes"...immediately delete the e–mail

If the answer the first question is "Yes" than ask...

• Do I know what the attachment is or am I expecting it? If you cannot answer "Yes", again, immediately delete the message. At that point, it's not worth the risk.

As I said, many malicious attachments come from people you know and the irony is they don't even know they sent it and that their machine is likely infected as well. In addition, many legitimate e–mail attachments are nothing more than jokes, funny videos, audio, etc. They have no place in the workplace. At the very least they adversely effect productivity. At the most, that "Funny Joke" may be the virus that wipes out your database or takes down your network.

Either way, it's not worth it. My suggestion: If you are on the e–mail lists of people who send you these jokes, etc. on a regular basis; politely ask them to remove you. Sooner or later you will slip up and double–click the wrong attachment. At that point, the story is always the same, "I thought it was something else" and "Can you fix it?"

So how do you handle a "legitimate" attachment; one you have run the two questions against? Even then, never double–click and just open it. Right–click the attachment and save it to your Desktop or maybe a folder you have created just for this purpose. Once you have the attachment saved to your harddrive you can then browse to it, right–click and scan it with your Anti–Virus software. You do have Anti–Virus installed and up–todate on all of your machines, right??

Spam

The idea is to protect your business e–mail address from spam. It's the hardest one to change should you be forced to. Everyone knows you by this address and it generates income for you so protect it at all costs. Here's what I suggest:

Too many people use one email address for everything but to adequately protect yourself, you need at least three. One for business (@yourdomain.com... your XSite e–mail is perfect for this). One for personal (maybe use your internet providers domain, @att.net, @comcast.net, etc.) One for junk (a free email address is good here... @gmail.com. @yahoo.com, etc.). ONLY give out your business address to colleagues and clients, no one else. Use your personal address for online shopping, friends, family, etc. Use your junk address for those websites that ask for your email address before proceeding such as downloads, online surveys, etc. By using this system, you will be amazed at how "clean" your business e–mail address will remain and it's the only one that really matters.

If you find the other two getting too much spam activity, simply change them...no big deal. For me personally, I never even check my "junk" address. That's one less thing to have to worry about.

That's all for now. Next month I'll talk about Pfishing, "loaded" html emails and various other e–mail security related topics. I know you can't wait.

As always, your thoughts and feedback are always welcomed and encouraged.