E-Mail Misconceptions

Email misconception 1: "Nothing can happen to me if I just look at an email but don't open an attachment."

This only applies to text-only emails.

Nowadays, however, emails are expected to look nice and colorful, with images (e.g. the company logo) included.

This is technically only possible with HTML emails - and that means that you are not actually opening an email, but viewing a small website, even if it is in the email program.

So all the dangers of surfing the Internet also apply: all kinds of malware and dangerous links can be embedded in the HTML source code.

The only thing that helps against this is to set the display of the mail to "text-only mode" and only switch to the HTML view in individual cases if the sender is trustworthy.

See also: BSI-Security Errors-E-mail security.


Email misconception 2: "You also have to click on the link to delete spam emails from your mailing list."

Quite the opposite: you should delete spam emails immediately and preferably without even opening them - or report them to your provider as spam using the button/folder provided for this purpose.

"Spam" covers various types of unwanted emails: from pure advertising to the distribution of malware and attempts to lure you to dubious websites through to phishing.

What they all have in common is that you are of course not deleted from the mailing list when you click on the link: on the contrary, by clicking on the link, the spammer knows that this e-mail address is valid (and therefore much more valuable for resale) and the volume of spam will increase even further.

The German Federal Office for Information Security (BSI) provides information on spam and protective measures here: BSI-Spam/Phishing/CO.

See also: BSI-Security Errors-E-mail security.


Email misconception 3: "I can rely on the sender information of an email."

Both the displayed sender name and the supposed sender address can be faked with very little effort. Spammers and phishers do exactly that.

You can get a first hint by moving the mouse over the displayed sender name - your mail program should then show you the technical sender address. If this does not match the name, you should be careful.

You can only find out more precisely by analyzing the mail header (which most mail programs can display, but unfortunately not all), in particular the chain of "Received:" lines.

Also compare the subject with the alleged sender: does it match?

Even emails from known communication partners are not necessarily secure: their computer could have been hacked - or someone else could have simply forged the sender.

The Federal Office for Information Security (BSI) provides more information on this at: BSI-Fake sender addresses.
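The header analysis described above, as an added example that is not part of the original page: it lists the "Received:" hops in the order the mail travelled and compares the displayed sender name with the technical addresses. The sample message, all host names and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real mail (reserved example domains and test IPs).
RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
    by inbox.recipient.example with ESMTP; Tue, 02 Jan 2024 10:00:05 +0100
Received: from mailer.example.net (unknown [203.0.113.77])
    by mx.recipient.example with ESMTP; Tue, 02 Jan 2024 10:00:03 +0100
From: "Example Bank <service@bank.example>" <info@mailer.example.net>
To: user@recipient.example
Subject: Your account is blocked

Please confirm your data.
"""

def domain(address):
    """Lower-cased domain part of an address ('' if there is none)."""
    return address.rpartition("@")[2].lower() if "@" in address else ""

def received_chain(msg):
    """(from_host, by_host) per hop, oldest first.

    Every server prepends its own Received: line, so header order is newest
    first. Only lines added by your own provider's servers are reliable;
    earlier ones were supplied by the sending side and can be forged.
    """
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # undo header folding
        m = re.search(r"from (\S+).*? by (\S+)", flat)
        hops.append((m.group(1), m.group(2)) if m else ("?", "?"))
    return hops

def sender_findings(msg):
    """Compare the displayed name with the technical sender addresses."""
    name, addr = parseaddr(msg.get("From", ""))
    bounce = parseaddr(msg.get("Return-Path", ""))[1]
    findings = []
    shown = re.search(r"[\w.+-]+@[\w.-]+", name)  # address typed into the name
    if shown and domain(shown.group()) != domain(addr):
        findings.append(f"name shows {shown.group()}, address is {addr}")
    if bounce and domain(bounce) != domain(addr):  # a hint, not proof
        findings.append(f"Return-Path {bounce} differs from From {addr}")
    return findings

def analyze(raw):
    """Parse a raw message and return (hops, findings)."""
    msg = message_from_string(raw)
    return received_chain(msg), sender_findings(msg)
```

A mismatch reported here is a reason for caution, not proof of forgery, and an empty result does not prove the mail is genuine.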


Email misconception 4: "I can easily recognize phishing emails!"

Phishers and spammers are getting better and better at the design and content of their emails. (Phishing: formed from the English term "fishing" and the onomatopoeic replacement of the "f" with a "ph", where the "P" stands for "password").

The aim of phishing emails is to trick you into accepting malware or into handing over access data and passwords for online banking or stores, or even credit card details or money. To do this, you are lured to fake websites that look deceptively real - except for the website address (URL), which is always wrong in such cases.

The emails also look deceptively genuine and ask you to carry out a security check, for example, or inform you that your account is supposedly blocked.

If in doubt, call up your bank page/shop page directly by manually entering the address you know and check whether there really is anything to confirm there.

The German Federal Office for Information Security (BSI) provides further tips on phishing here: BSI–Phishing-E-Mails-Erkennen - and there is even an online training course (as an Android app) where you can learn how to recognize phishing emails: KIT-NoPhish-Lernspiel

See also: BSI-Security Errors-E-mail security.

Watch the videos against online fraud! (created by SECUSO, Karlsruher Institut für Technologie https://secuso.aifb.kit.edu/642.php)