Safer e-mailing requires not just spam filtering but greater care in sending, reading, and responding to messages.
Beware phishing attempts
By now you may already have received hundreds of fake messages that appear to have come from a bank, PayPal, eBay, or another site that stores and processes financial information. These messages often warn you of dire consequences unless you click on a link to “confirm” or “verify” your account. If you do, you’re taken to a Web site that mimics the real thing but whose only purpose is to collect your login information. E-mail messages that attempt to get you to reveal a password or other personal data are referred to as phishing attacks.
Some antispam software, such as Michael Tsai’s SpamSieve ( ; $30), can identify most phishing attempts. But phishers are getting more sophisticated and subtle in their approaches, so you may still encounter some messages whose authenticity is uncertain. For additional tips on figuring out whether a message is authentic, see Phind the Phishers.
Be smart about using Web mail
4. Makes you practically invulnerable.
3. Good, strong protection—but a really determined intruder can overcome it.
2. Helps deter casual meddlers, but someone who wants to get in will.
1. Makes you feel better, but won’t really keep out intruders.
4. Let’s be honest: it’s a pain in the neck.
3. Takes consistent, considerable effort.
2. Takes a little effort, but it’s not a big problem.
1. Set it and forget it.
Most e-mail providers offer a way for you to read your e-mail in a Web browser. This makes it convenient to access your messages when you’re away from your main computer. However, when you’re using a public computer (or someone else’s computer) to read your e-mail, you have no way of knowing what security measures are in place, and you run the risk that someone else may be able to access your e-mail—even after you’ve left.
When using Web mail in a public place, make sure your session is secure. Look for the lock icon in your browser window; if it’s not there, don’t type your user name or password.
You should also make sure that no one is watching when you’re entering your password; consider covering the keyboard. If the browser offers to remember your password, say no.
Also, if someone has sent you a document as an attachment and you want to make sure no one else will be able to see it, don’t even download it in the first place. Although you can (and should) erase any downloaded files, recovering deleted files is often quite easy; someone with the right software could later look at a document you thought you had erased.
When you’re finished browsing, be sure to erase the browsing history and cookies of sites you’ve visited. If you don’t know how, check your browser’s Help menu. After covering your tracks, quit the Web browser and, if possible, restart the computer.
Just as a Web site can use SSL to encrypt information you type into forms, your e-mail program can use SSL to encrypt e-mail sent between your computer and your mail server. Using SSL protects not only your e-mail messages, but also the password you use to check your e-mail, against interception during transit. Using it is crucial if you’re on an unencrypted wireless network; but even on a wired network, SSL is a smart choice.
Most ISPs and e-mail providers, including .Mac, offer SSL (though interestingly—and troublingly—.Mac does not offer SSL for Web mail). Check with your provider to make sure it’s available; if not, consider a new e-mail provider such as FastMail (www .fastmail.fm), which offers accounts ranging from free to $40 per year. Then turn on SSL in your e-mail client. In Mail, choose Mail: Preferences, click on Accounts, and select your account. To turn on SSL for incoming mail, click on Advanced and select Use SSL. To turn on SSL for outgoing mail, click on Account Information, click on Server Settings, select Use Secure Sockets Layer (SSL), and click on OK.
Encrypt sensitive messages
Even if your e-mail client uses SSL, the messages you send are encrypted only until they reach your outgoing mail server. Then they’re transmitted in plain text over the Internet (which can include hops through numerous other servers), to the recipient’s e-mail server, and finally to the recipient’s computer. That means your ISP, the recipient’s ISP, or anyone in between could conceivably access the contents of your message.
Most of the time, you needn’t worry about this; it’s analogous to the fact that someone could walk up to your mailbox, pull out a letter, open it, and read it. It can, and does, happen occasionally, but most of us still safely send and receive mail—paper and electronic—containing moderately sensitive information without difficulty.
But on the occasion when you can’t take any chances—when you must be absolutely certain that only you and the intended recipient can read the message—you must use encrypted e-mail. Doing so requires that both the sender and the recipient use the same type of encryption system.
Apple’s Mail can encrypt messages, though the procedure to set up encryption is a bit involved (see Keep your secrets with Mail for details). It’s easiest if the recipient also uses Mail, but some other e-mail programs can also decrypt messages encrypted in Mail. Another alternative: you and your recipient could both use PGP Desktop Home, which supports a wide variety of e-mail clients on both Mac and Windows platforms. The open-source alternative Mac GNU Privacy Guard is also compatible with PGP.
[ Joe Kissell is the senior editor of TidBits and the author of Take Control of Passwords in Mac OS X (Take Control Books, 2006). ]SSL Mail: To keep your e-mail at least partially safe from prying eyes, enable SSL in Mail.