Emails
Updated June 14, 2025
A Legacy Tool with Modern Risks
Email is one of the oldest digital communication tools still in use—dating back to the early 1970s. Despite its age, it remains central to both personal and professional communication. However, from a cybersecurity perspective, email was never designed with modern threats in mind.
There’s no built-in verification or certification system for senders, meaning anyone can send a message claiming to be someone else.
While technologies like SPF(1), DKIM(2), and DMARC(3) exist to reduce fraud, they’re not universally enforced. As a result, the email reputation system is inconsistent, making it easy for attackers to spoof addresses, deliver phishing messages, or spread malware. It has even been reported that these technologies have already been circumvented by spammers. Nonetheless, it is better to have them than not.
In short, email’s outdated trust model makes it a prime target in cyberattacks.
(1) SPF is an email authentication method that lets domain owners specify which mail servers are allowed to send emails on their behalf.
(2) DKIM adds a digital signature to each email message, which can be verified by the receiving mail server.
(3) DMARC builds on SPF and DKIM by telling receiving mail servers what to do if an email fails authentication.
See Glossary > DMARC — Domain-based Message Authentication, Reporting & Conformance
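As an added illustration (not from this page), the alignment step at the heart of DMARC in Python: a receiving server's SPF and DKIM verdicts only count if the domain they authenticated lines up with the domain the recipient actually sees in From. The message, domains and header values are constructed; the organisational-domain helper is a two-label approximation, and the code stops at the alignment verdict without fetching the sender's DMARC policy from DNS.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample (not a real capture): the visible From claims company.example,
# but the receiving server's SPF and DKIM checks passed for a different domain.
RAW_MESSAGE = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bulk-sender.example;
 dkim=pass header.d=bulk-sender.example
From: "HR Department" <hr@company.example>
To: someone@receiver.example
Subject: Updated benefits form

Please open the attached form.
"""

def from_domain(msg):
    """Domain of the header From address, i.e. what the recipient sees."""
    return parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()

def auth_results(msg):
    """Map 'spf'/'dkim' to (result, authenticated domain) from Authentication-Results."""
    header = str(msg["Authentication-Results"] or "")
    pattern = r"(spf|dkim)=(\w+)\s+(?:smtp\.mailfrom|header\.d)=([\w.-]+)"
    return {m.lower(): (r.lower(), d.lower()) for m, r, d in re.findall(pattern, header, re.I)}

def org_domain(domain):
    """Relaxed-alignment approximation: keep the last two labels.
    Assumption: production code would consult the Public Suffix List (e.g. co.uk)."""
    return ".".join(domain.split(".")[-2:])

def dmarc_alignment(raw):
    """'pass' if SPF or DKIM passed for a domain aligned with the visible From domain.
    Alignment only: a real receiver also reads the sender's DMARC DNS policy
    (p=none/quarantine/reject) to decide what to do with a 'fail'."""
    msg = message_from_string(raw, policy=policy.default)
    visible = org_domain(from_domain(msg))
    for method in ("spf", "dkim"):
        result, domain = auth_results(msg).get(method, ("none", ""))
        if result == "pass" and org_domain(domain) == visible:
            return "pass"
    return "fail"

if __name__ == "__main__":
    print(dmarc_alignment(RAW_MESSAGE))  # fail: bulk-sender.example is unrelated to the From domain
    aligned = RAW_MESSAGE.replace("bulk-sender.example", "mail.company.example")
    print(dmarc_alignment(aligned))      # pass: mail.company.example aligns with company.example
```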
Slack
Whenever possible, use Slack. This platform is a significant improvement over emails and messaging as a whole.
How to Spot Suspicious Emails (and Messages)
When assessing whether an email is legitimate, it’s important to look beyond the surface. Here are some key things to check:
- Sender’s Name vs. Email Address: Just because the name says “HR Department” doesn’t mean it’s really from them. Always check the actual email address—if the name and email don’t match or look unusual, that’s a red flag.
- Link Mismatch: Hover over links (without clicking). Does the real destination match what the text says? If the displayed link says “www.company.com” but the actual URL points somewhere else, it may be a phishing attempt.
- Spelling and Grammar: Poor language, odd phrasing, or inconsistent formatting can indicate the message was not sent by a professional source.
- Check the Domain: Look at what comes after the “@” in the sender’s email (e.g., @company.com). Open that domain in your browser—does it lead to a real website, and is it related to the claimed sender?
- Look Them Up: If unsure about the sender, try searching for their name or email on LinkedIn or other professional sites to verify their identity.
- Still Unsure? Contact the IT Manager: If you’re ever in doubt, don’t guess—reach out to the IT Manager for help.
Tip
These same principles apply to other forms of communication like text messages, social media DMs, or even phone calls. Always pause and verify before responding or clicking.
Examples
- Spoofed Manager Email
  From: Jane Smith <[email protected]>
  Name looks familiar, but the domain is suspicious and not your company’s.
- Fake Link in a Phishing Email
  Text says: https://securebank.com
  Real link: http://phishingsite.io/login
  The visible text and actual URL don’t match—always hover to check!
- Bad Grammar Example
  Subject: “Your email is very danger! Please click now for fix.”
  Multiple grammar issues and urgency are typical phishing tactics.
- Unverifiable Sender
  Claims to be from IT support but no matching employee exists on LinkedIn or your internal directory.
- Example of a fake versus a real email from Microsoft UK
  An example of a fake and a real email sent by Microsoft. There are at least four issues that make the left one look illegitimate: the from email address contains a spoofed domain using “rn” in place of the letter “m”, there is a space before a comma, the word “calendar” is spelled “calandar”, and the link at the bottom has two “i”s in “live”.
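The checklist and examples above, turned into a small Python triage script as an added example (not part of this page): it compares the display name with the real address, looks for the “rn”-for-“m” and doubled-letter domain tricks from the Microsoft example, automates the hover check by comparing visible link text with the real href, and flags urgency wording. The trusted-domain list, the sample message and the regex-based link extraction (fine for plain anchor tags, not a full HTML parser) are all assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: the brands/domains your organisation treats as trusted senders.
TRUSTED_DOMAINS = ("company.example", "microsoft.com")

# Constructed sample (not a real message) combining the red flags listed above.
SAMPLE = """\
From: "Microsoft Account Team" <no-reply@rnicrosoft.com>
To: you@company.example
Subject: Your email is very danger! Please click now for fix.
Content-Type: text/html

<p>Sign in at <a href="http://phishingsite.io/login">https://securebank.com</a></p>
"""

def host(url):
    """Host part of a URL or URL-like link text."""
    return re.sub(r"^\w+://", "", url).split("/")[0].lower()

def lookalike(domain, trusted=TRUSTED_DOMAINS):
    """True if domain equals a trusted one only after undoing the tricks from the
    Microsoft example: 'rn' standing in for 'm' and doubled letters ('liive')."""
    norm = lambda d: re.sub(r"(.)\1", r"\1", d.replace("rn", "m"))
    return any(domain != t and norm(domain) == norm(t) for t in trusted)

def links(html):
    """(real href, visible text) pairs; a simple regex, enough for plain <a href> tags."""
    return re.findall(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', html, re.I | re.S)

def phishing_flags(raw):
    """Apply the checklist above to one message and return the red flags found."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    claimed = [t for t in TRUSTED_DOMAINS if t.split(".")[0] in name.lower()]
    if claimed and domain not in TRUSTED_DOMAINS:   # display name vs. actual address
        flags.append(f"display name claims {claimed[0]} but address domain is {domain}")
    if lookalike(domain):                           # rn/m and doubled-letter domains
        flags.append(f"lookalike sender domain: {domain}")
    for href, text in links(msg.get_content()):     # the hover check, automated
        if "." in text and host(text) != host(href):
            flags.append(f"link text {text} points to {host(href)}")
    if re.search(r"\b(click now|urgent|immediately)\b", str(msg["Subject"]), re.I):
        flags.append("urgency wording in subject")  # the bad-grammar/urgency example
    return flags
```

Running `phishing_flags(SAMPLE)` returns four flags, one per check; a clean message from a trusted domain with matching links returns an empty list.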
Suggestion… turn off remote loading of images
It’s a good idea to turn off automatic loading of external images in your email settings. Many email tracking tools—and spammers—use tiny, invisible images (like a 1x1 pixel) embedded in emails to detect when a message is opened. When your email client loads these images, it sends a signal back to the sender, confirming that your email address is active and that someone is reading the message.
Spammers use, for example, a 1x1 pixel image or some other invisible object to get a notification when you open the mail. They then know for certain that there is a person at that address, which tends to increase the amount of spam you receive.
... in Gmail
Gmail > Settings > General tab > Images > Ask before displaying external images. This will also apply in the Gmail mobile app for the same account.
Go to Gmail Settings page.
... in Mail on macOS and iOS
This setting is no longer required. Starting with recent versions of macOS, Apple Mail automatically protects users from tracking images by routing external content through Apple’s own proxy servers. This means that when a message tries to load an image (such as a hidden tracking pixel), the request doesn’t reveal your IP address, location, or whether you actually opened the email.
Thanks to this Mail Privacy Protection feature, spammers and trackers can no longer reliably confirm if or when you’ve opened their message—making it much harder to target or profile you. As a result, there’s no longer a need to manually disable remote image loading in Apple Mail for privacy purposes.
More information: Apple Support > Use Mail Privacy Protection on Mac