EMail Security - Links

[Javier Odom]

I monitor an unhealthy amount of email accounts and I have seen an uptick in malicious emails with “links” in them. Do not click links from unknown recipients and do not click links unnecessarily, even if they are from Clients. So much so, I would recommend if you are the written policy type, that you include some type of policy which forbids your employees from clicking links within emails. If you are able, have your email service append gibberish at the beginning of email link URLs so instead of a link being https://jewelersbenchpin.com/portal.php it goes to gibberishhttps://jewelersbenchpin.com/portal.php which is not a link any browser should accept, and *should* cause your employee, or you, to second guess going to this destination. Now, if you feel so compelled, you can still trim the “gibberish” from the URL and paste it into your browser for the win, but that is a rather intentional act which requires you to intentionally visit the link.

I monitor an unhealthy amount of email accounts and lately I have noticed a concerning trend – an increase in malicious emails containing suspicious “links” targeting jewelry industry keywords. In the interest of safeguarding your online security, I want to share some tips to help you stay protected.

First and foremost, please remember never to click on links from unknown senders. Even if an email seems to come from someone you know, but it looks unusual or unexpected, exercise caution.

Consider implementing a company policy that discourages employees from clicking on any links within emails, regardless of the source. This extra layer of caution can go a long way in keeping your digital environment secure.

If your email service or email client allows it, consider having links automatically disable all links within emails.

From an email service, this is usually done by adding gibberish in front of the link URL. For instance, instead of a link appearing as “https://jewelersbenchpin.com/portal.php” it may be transformed into “gibberishhttps://jewelersbenchpin.com/portal.php”. This small but effective change makes the link unclickable for most browsers. It would also require intentional effort to trim the URL, paste it into a browser, and tell that browser to go.

From an email client, depending on your email client, there may be a setting which disables the ability to click links. For example, Mozilla Thunderbird has an option called “network.protocol-handler.external-default” which can be found by going to Tools :: Settings :: in the “Find in Settings” search box type, without quotation marks, “network.protocol-handler.external-default” and press enter. By default this setting is set to “true”. Double-click the setting to set it to “false”. Restart Thunderbird, and try clicking on a link. The links will be inert. You can still see where they point, but they will not go anywhere if you click them. If you need to use a link from an email you will have to intentionally copy the link, paste it into a browser, and tell the browser to go to that address. (For example, to unsubscribe from a newsletter or such.)

There do not seem to be any options for email apps from major companies such as GMail or Apple Mail.  These apps require you be more vigilant with regard to what you are viewing, clicking, and overall how you treat email security.

With all security, digital and physical, there is a balance. That balance is between actual security and convenience. You have to decide where that balance falls for you and your organization. It may be inconvenient to have a physical alarm system, or systems, and a vault and/or safes, but these are inconveniences you have deemed worthwhile in your balance of actual security and convenience. The same is true with all aspects of security.

Do not click links from unknown senders, and maybe avoid clicking links from known senders as well.

Be safe!