Unless you are visiting unsavoury sites or downloading illegal content, you are most likely to get hacked or receive a virus through your email account. This might be through an infected attachment or by clicking on a link (see Phishing below), but unless you understand the basic problem, you remain vulnerable to attack.
☑ Email Security Summary - Top Tips
Further explanation is provided on this page, but you must follow these rules to stay safe and secure when using email:
1. Choose a SECURE (hard to guess) password.
2. IF IT SEEMS TOO GOOD TO BE TRUE - IT IS!
3. ONLY use your university email address for university business.
4. NEVER click on links in emails you weren't expecting or where you don't know the sender.
5. NEVER open attachments in emails you weren't expecting or where you don't know the sender.
6. Check your email account for anything suspicious: sent emails, sending & receiving rules, and replies to emails you never sent.
7. If you think someone else has accessed one of your personal email accounts, change the password immediately and contact the service provider.
8. Always remember: IF IT SEEMS TOO GOOD TO BE TRUE - IT IS!
Email Security - Essentials
IT systems have become more secure by design over the years and are protected both by the university's security mechanisms and by those of partner organisations. Technical security will continue to be a priority for all of our systems; however, the weakest security link in IT systems is now often the user.
Over the last few years, social engineering attacks on users have become more sophisticated and can take the form of emails, instant messages, voice calls or occasionally an approach in person. There are many variations, but they often rely on the user believing they are talking to a person in IT, the Police, their bank, Microsoft, Apple, or a senior manager.
Who sent me this message?
Have you received a message from a person you have never heard of? Are they offering something or asking for something from you? It may be a genuine email, but if you are not expecting it and don't know the sender then you should be suspicious.
Be aware
It is not always easy to see exactly who has sent an email. A message that appears to come from bob.jones@cumbria.ac.uk may have been "spoofed" and have actually come from eorhuo@fhry4738.cn.
On a desktop/laptop and in a web browser, it is often possible to look at the message properties to see the real sender (View Message Details in Outlook), but this is much harder when using email on your mobile device.
If you are in any doubt about the authenticity of an email from a company, institution or authority - then contact them by phone to check that they sent the message.
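As an added illustration (not part of the university's guidance), the Python below does what "View Message Details" lets you do by eye: it parses a constructed sample message and compares the domain shown in the From header with the Return-Path, Reply-To and Sender headers, which are where a spoofed message usually gives itself away. The sample headers and addresses are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real email): the visible From address
# is a university one, but the envelope sender and Reply-To point elsewhere.
SAMPLE_MESSAGE = """\
Return-Path: <eorhuo@fhry4738.cn>
Reply-To: eorhuo@fhry4738.cn
From: Bob Jones <bob.jones@cumbria.ac.uk>
To: student@cumbria.ac.uk
Subject: Urgent: confirm your account

Please confirm your details.
"""


def address_domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def sender_mismatches(raw_message):
    """Return (header, domain) pairs whose domain differs from the From domain.

    An empty list means every sender-related header agrees with From; a
    non-empty list is the cue to verify the message by phone before acting.
    """
    msg = message_from_string(raw_message)
    from_domain = address_domain(msg["From"])
    findings = []
    for header in ("Return-Path", "Reply-To", "Sender"):
        domain = address_domain(msg[header])
        if domain and domain != from_domain:
            findings.append((header, domain))
    return findings


if __name__ == "__main__":
    for header, domain in sender_mismatches(SAMPLE_MESSAGE):
        print(f"{header} points at {domain}, not the From domain")
```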
Links in Emails
Be suspicious! Links in unsolicited emails (SPAM) will often be an attempt at financial or identity theft (see Phishing below), a hacking attack where clicking on the link gives a criminal access to your computer or a virus that is designed to damage or lock you out of your computer (ransomware).
Most email programs and systems will weed out these kinds of emails, but some will always get through.
DON'T CLICK LINKS in emails, unless you know what it is and you were already expecting it.
The University of Cumbria email service uses the SafeLinks system which should weed out almost all suspect links, but if you have received a suspicious email that contains one or more links then you should take the following actions:
University email account: DON'T CLICK THE LINK(S). Forward the whole email as an attachment to spam@cumbria.ac.uk and then DELETE it.
Personal email account: DON'T CLICK THE LINK(S). Mark the message as SPAM and your service provider will take care of it.
If you have clicked on a suspicious link in an email - see our Disaster Strikes page for more information.
Email Attachments
Be suspicious! Attachments in unsolicited emails (SPAM) can be very dangerous to both the computer you are using and any network it is attached to. Just like a suspect link they can load software and viruses onto your device, but because you have invited them to download onto your computer - they can do much more damage.
Most email programs and systems will weed out these kinds of emails, but some will always get through.
NEVER OPEN ATTACHMENTS in emails, unless you know what it is and you were already expecting it.
Email service providers will either remove or warn you about suspect attachments, but they learn from previous messages. This means that a brand new type of attachment or virus can occasionally get through. If you have received a suspicious email that contains one or more attachments then you should take the following actions:
University email account: DON'T OPEN ATTACHMENTS. Forward the whole email as an attachment to spam@cumbria.ac.uk and then DELETE it.
Personal email account: DON'T OPEN ATTACHMENTS. Mark the message as SPAM and your service provider will take care of it.
If you have opened a suspicious attachment in an email - see our Disaster Strikes page for more information.
Check your email account
If you have been hacked or have received an infected or malicious email, you may not necessarily be aware of it. Your email account can be hijacked by a bot (malicious software) that sends out mail, changes rules and/or deletes existing files, attachments and emails.
There are some clues you can check for that show this has happened to your account:
Have you logged into your email account and found that your inbox is unexpectedly empty?
This could be an error or temporary fault with your email provider, but you should try viewing your mail on another device or logging out and then back in again. If the problem persists, contact the IT Service Desk for university accounts or your email service provider for other accounts.
Have you stopped receiving new emails?
This could be an error or temporary fault with your email provider, but you should try viewing your mail on another device or logging out and then back in again. You can also try sending yourself a new email to see if it arrives. If the problem persists, contact the IT Service Desk for university accounts or your email service provider for other accounts.
Does your Sent email folder list emails that you have not sent?
This suggests that your account has been hacked. Change your password immediately, log out and then contact the IT Service Desk for university accounts or your email service provider for other accounts.
Is your Sent email folder completely empty, but you didn't empty it?
This could be an error or temporary fault with your email provider, but you should try viewing your mail on another device or logging out and then back in again. Send yourself an email to see if it arrives AND appears in your Sent email folder. If your new sent email appears, but your missing sent emails do not return, then you may have been hacked. Contact the IT Service Desk for university accounts or your email service provider for other accounts.
Has a friend, colleague, tutor or other contact, asked you why you've sent them a strange email (often containing offers, warnings, job offers or links to "must see" content)?
If you didn't send them the email, then you have probably been hacked. Change your password immediately, log out and then contact the IT Service Desk for university accounts or your email service provider for other accounts.
Check your email sending and receiving rules.
You may never have viewed or set any email rules for your account(s), but a hacker may have created some.
This can include things like:
♦ Send a copy of all sent email to the hacker's email address.
♦ Send a copy of all received email to the hacker's email address.
♦ Automatically delete all emails received from IT Services.
Send and receive rules are usually located in Settings in your email account and you should check them regularly. If you find anything strange - change your password immediately, delete the rules and then contact the IT Service Desk for university accounts or your email service provider for other accounts.
Phishing
"Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. The information is then used to access important accounts and can result in identity theft and financial loss." (http://www.phishing.org/what-is-phishing | 2018)
Be suspicious of any email or communication (including text messages, social media post, adverts) with urgent requests for personal information.
Phishers typically include upsetting or exciting (but false) statements to get people to hand over their usernames, passwords, credit card numbers, date of birth and other personal information.
Avoid clicking on links. Instead, go to the website by typing the web address directly into your browser or by searching for it in a search engine. Calling the company to verify its legitimacy is also an option.
Pay attention to the website you are being directed to and hover over URLs before clicking. An email that appears to be from PayPal could direct you to a website that is instead "http://wwwpaypal.com" or "http://www.paypal.com.et583.pw/login.htm".
Don’t send personal financial information via email, and avoid filling out forms in emails that ask for your information.
You should only communicate information such as credit card numbers or account information via a secure website or telephone.
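The following Python is an added example, not part of this page or the university's tooling: it extracts the links from a constructed HTML email body and flags every link whose host is not the expected site or a subdomain of it, using the two PayPal look-alike addresses quoted above. It shows why the visible link text proves nothing and why only the last part of the host (the registered domain) counts.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def host_of(url):
    """Lower-cased host of a URL, or '' if it has none."""
    return (urlsplit(url.strip()).hostname or "").lower()


def is_expected_site(url, expected_domain):
    """True only if the link's host is expected_domain or a subdomain of it.

    The registered domain is the LAST part of the host, so 'paypal.com'
    appearing earlier (paypal.com.et583.pw) or mangled (wwwpaypal.com) fails.
    """
    host = host_of(url)
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html_body, expected_domain):
    """Return (href, visible text) for each link not on the expected site."""
    collector = LinkCollector()
    collector.feed(html_body)
    return [(href, text) for href, text in collector.links
            if not is_expected_site(href, expected_domain)]


# Constructed sample body; the first two links reuse the look-alikes above.
SAMPLE_BODY = """
<p>Log in now: <a href="http://wwwpaypal.com">www.paypal.com</a></p>
<p>Or here: <a href="http://www.paypal.com.et583.pw/login.htm">Verify</a></p>
<p>Help: <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
"""
```

Running `suspicious_links(SAMPLE_BODY, "paypal.com")` flags the first two links and passes the genuine one.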
Secure Websites
Only use a secure website when submitting financial or other sensitive information online.
How can I tell if a website is secure?
Every secure website will display two things in your web browser address bar: a LOCK symbol, and a web address that begins with HTTPS. The lock only confirms that the connection is encrypted; a look-alike address such as the PayPal examples above can show one too, so check the address itself as well.
Different web browsers will display the LOCK in slightly different ways (some may colour it green), but if you click on the lock you will be given more information about the site.
It's a great offer
Do NOT fall for whatever deal or bargain you are being offered. Check out similar deals and offers from suppliers that you have heard of and if the offer is too good - then it is a scam and criminals are trying to get your bank details.
iPhone or iPad for less than half price? Apple doesn't allow those kinds of discounts or "selling-off" of overstock. SCAM
Latest xBox games for £5? Are these stolen goods? Or just a SCAM?
Qualified for a bursary that you didn't apply for? Money does not usually just drop out of the sky! Contact the university Money Advice Service for information about bursaries. SCAM
Holiday of a lifetime for £250? SCAM
If it is too good to be true - then it usually is!
Bulk Emailing
What is Bulk Emailing?
Bulk email, or mass email, is a type of email messaging sent to a large group of people all at once. Some recipients want it and have subscribed to it, whereas others do not, and consider it to be spam.
It’s important to note that bulk email is different from junk mail, which is sent without a recipient’s permission.
If you are sending one email to many recipients, then you are a bulk sender.
All emails sent to and from personal and generic-shared accounts are subject to Data Protection law, Microsoft regulations and University policy.
If you are considering sending bulk emails, you must read and comply with the guidance below.
IT Considerations
A sudden increase in email volume can result in your email account, IP address(es) or organisation domain(s) being blocked by Microsoft and blacklisted by your recipients' Internet Service Providers (ISPs). Once blacklisted, emails sent from your account might be blocked completely or filtered into your recipients' spam folders.
Instead, bulk email should be sent via UoC email servers or via a UoC approved third-party bulk email provider. Third party bulk email providers have a vested interest in working with customers to ensure good email sending practices. Please contact Internal Communications for further assistance.
Microsoft Limits
No more than 30 emails per minute per sender.
A maximum of 10,000 recipients per day, per sender. A distribution list counts as a single recipient and has a maximum limit of 100,000 members. From January 2025, this will be reduced to 2,000 recipients over a 24 hour period.
No more than 500 recipients in the To, Cc and Bcc fields. See the ICO (Information Commissioner's Office) guidance on when to use Cc and Bcc.
These limits apply to both internal and external recipients and cannot be changed.
University IT Guidelines
The ‘subject’ of each message should be relevant to the contents contained within the email.
Hyperlinks in emails should be valid and linked to trusted sources.
Where applicable, add an ‘unsubscribe’ link.
Delivery to university mailboxes (@cumbria.ac.uk) from university sources (@cumbria.ac.uk) is more certain than delivery to third-party providers (@gmail.com, @yahoo.co.uk, etc).
Ask recipients to add your email address to their ‘safe senders’ list.
Students - any student considering sending bulk emails MUST consult their tutor first.
Email is an effective way of communicating information, but when used to excess can have a significant impact on workload and work-related stress. Before sending an email to a group of people think about what you are hoping to achieve from the message, and who really needs to see it.
If you need to send an email to a large group of staff or current students, please contact Internal Communications for advice and assistance. We use a third-party bulk email provider to deliver emails to staff, with the capacity to filter and segment the staff list according to department and location.
All students receive a weekly global email, but we can also send campus-based emails to students if there is urgent information affecting their ability to study.
Sending bulk emails outside of the corporate channels adds to inbox traffic and damages the effectiveness of those channels so please do get in touch and we will help you to deliver your message in the most effective way.
Data Protection Law
Under Data Protection law, organisations must identify a 'lawful basis' (a reason listed in the Data Protection law) for sending any bulk emails to individuals, and must have appropriate technical and organisational measures in place to ensure personal information is kept safe and not inappropriately disclosed to others.
The 6 lawful bases for processing personal data are:
You have consent from the data subject
It is necessary for the performance of a contract with the data subject
There is a Legal obligation to process the personal data
It is necessary to protect the vital interests of the data subject or someone else
It is necessary for a Public Task, i.e. the performance of a task in the public interest or of official functions, including Teaching and Research functions
It is necessary for the legitimate interests of the data controller or a third party