For several years now, we've been telling everyone that email is a postcard – everything in the message is exposed to anyone who wants to read the message as it flashes by. A couple of companies have figured out how to solve this problem and their solutions are finally hitting critical mass. If you have a secure mail solution, you can finally put your message in an 'envelope' and keep outsiders from reading it.
The problem is that we've also told you as a reader to delete any message that appears suspicious or that asks you to click through some "convenient" link. The 'envelope' around a secured message looks a lot like a phish. (See "How it works" below.)
Here are some tips on telling the difference between a secure mail message and a spam or phish.
- In a legitimate message, you will still be able to read the subject line and the sender. If you are not expecting a message from that sender, be suspicious.
- Once you start working with a business partner who uses a secure mail system, all secure messages from that company should look basically the same. If the logo, the layout or the text look different, be suspicious.
- A legitimate message will take you to the sender's website to verify your login. A phish will try to take you someplace else to steal your password. If the message alleges to come from someone at redcross.org but the link is trying to take you to yahoo.com, be suspicious.
Reminder: The only part of the domain that matters is the label immediately before the top-level domain (.com, .org, etc). Ignore the subdomain labels to its left and the path that follows the domain. In the link voltage-pp-0000.westfieldgrp.com/mail/32/, only 'westfieldgrp' matters for verifying the legitimacy of the message. The rest is set up by the company's IT department to point to specific places within the company's domain.
- Legitimate messages are written by professionals. Scam messages want to panic you into acting without thinking and often use phrases like "URGENT" and "log in now or your account will be closed". If the language seems inflammatory, be suspicious.
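The sender-versus-link check from the tips above, as an added example that is not part of the original tip: it pulls the label immediately before the top-level domain out of a link (ignoring subdomains, any user@ prefix and the path) and compares it with the same label from the sender's address. The function names, the small set of two-label suffixes, and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a few two-label public suffixes so 'example.co.uk' yields 'example'.
# A production check would consult the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_label(hostname: str) -> str:
    """Label immediately before the top-level domain, e.g. 'westfieldgrp'
    for 'voltage-pp-0000.westfieldgrp.com'. Labels to its left are ignored."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0]
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return labels[-3]
    return labels[-2]


def link_label(link: str) -> str:
    """Organisation label of a link. A missing scheme is tolerated; the path
    (everything after the first slash) and any 'user@' prefix are dropped,
    so 'https://redcross.org@yahoo.com/' resolves to 'yahoo'."""
    if "://" not in link:
        link = "http://" + link
    host = urlsplit(link).hostname or ""
    return registrable_label(host)


def sender_label(address: str) -> str:
    """Organisation label of an email address such as 'alerts@redcross.org'."""
    return registrable_label(address.rsplit("@", 1)[-1])


def link_matches_sender(link: str, sender: str) -> bool:
    """True when the link points at the same organisation as the sender."""
    return link_label(link) == sender_label(sender)


def check_message(sender: str, links: list[str]) -> dict[str, bool]:
    """Map each link in a message to whether it matches the sender's domain."""
    return {link: link_matches_sender(link, sender) for link in links}


if __name__ == "__main__":
    # Constructed sample message: one legitimate link, two look-alikes.
    sample = ["https://secure.redcross.org/messages/1",
              "https://yahoo.com/redcross.org/login",
              "http://redcross.org.example-login.com/"]
    for link, ok in check_message("alerts@redcross.org", sample).items():
        print(("matches sender " if ok else "BE SUSPICIOUS ") + link)
```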
If you are suspicious, call the sender and confirm the message. Please do not just delete these messages, though. There's a fair chance they are legitimate and you wouldn't want to lose good messages.
How it works
There are several ways to put your message in the secure 'envelope'.
One technique doesn't actually put the content in email at all. What you really send is a placeholder saying "You have a message waiting. Please sign in at my website to read it." The message content stays on the sender's webserver and never actually travels by email. Some large financial and medical institutions use this kind of secure messaging.
A second way is to pull the content off the message, encrypt it and reattach it to the message. The content travels by email but can't be read except by someone who knows the password. (If you don't already have a password set up, you will be asked to verify your identity and create one.)
A third technique is Transport Layer Security (TLS), a method that protects the message from one email server to another. This requires some setup between the two companies but is otherwise invisible to both the sender and the reader. These messages can't be easily mistaken for a phish so we won't discuss them in this tip.
An example of that second kind of 'envelope' – the encrypted attachment solution – is attached below.