The Codex · Communications · Protocol COM-002

Email Security and Phishing Defence

Email is the primary delivery mechanism for phishing, business email compromise, credential theft, and malware. It is also the communication channel most people use with the least scrutiny, because familiarity has bred complacency. This protocol defines the habits and configurations that close the most common attack vectors — not by making email safe, but by making exploitation measurably harder.

Protocol COM-002
Classification Open
Compliance Sentinels and above — required · Knights — strongly advised

Requirements

  1. Email clients must be configured to display full sender addresses, not display names alone. Display name spoofing — sending an email with the display name "Your Bank" or "CEO Firstname Lastname" from an unrelated address — is trivial to execute and frequently effective. The actual sending address is the only reliable signal of origin.
  2. All links in email must be verified before clicking. Hover over any link to preview the destination URL and confirm it matches the expected domain of the sender. Shortened URLs, lookalike domains (paypa1.com, arnazon.com), and redirects that pass through a legitimate service before reaching a malicious destination must all be treated as red flags.
  3. Email attachments from unexpected senders, or from expected senders but unexpected in context, must not be opened without verification. Office documents with macros, compressed archives, and executables are the primary delivery formats for malware. Confirm the sender's intent via a separate channel before opening anything that was not anticipated.
  4. Any email requesting urgent action — credential entry, payment, password change, data transfer — must be treated as suspicious by default, regardless of apparent sender. Legitimate services and internal contacts do not require urgent action that bypasses normal verification. Urgency in an email is a manipulation technique, not a reason to accelerate.
  5. Credentials must never be entered via a link in an email. Navigate to the service directly in the browser. If an email claims your password needs resetting, open a new browser tab and navigate to the service independently — do not use the reset link in the email unless you initiated the reset yourself.
  6. Sensitive information — passwords, financial account details, identification documents, or credentials of any kind — must not be transmitted via email. Where transfer of such information is operationally necessary, use an end-to-end encrypted channel and notify the recipient through a separate communication.
  7. Personal email accounts must not be used for correspondence involving sensitive operational, financial, or member-related matters. The security of the communication is only as strong as the weakest account in the exchange.

Why Email Is the Primary Attack Surface

Email is the most widely used business communication channel and the one with the weakest built-in verification. Anyone can send an email claiming to be anyone. The protocol has no reliable sender authentication at the display level. Spam filters and domain authentication (SPF, DKIM, DMARC) help but do not eliminate the problem — attackers who have compromised a legitimate account, registered a convincing lookalike domain, or exploited a poorly configured mail server can bypass most automated filters.

The result is that email requires active scrutiny from the recipient in a way that most other systems do not. A door lock either works or it does not. Email security is, in significant part, a human process — and human processes fail when people are busy, tired, or operating under artificially created time pressure.

The most effective phishing emails are not obviously suspicious. They are targeted, contextually accurate, and timed to moments of distraction. The defence is not recognising that something looks wrong — it is applying verification to anything that asks for action, regardless of whether it looks right.

Display Name Spoofing

Email clients display a sender name alongside the sending address, and most people read the name rather than the address. Display names are set by the sender and have no verification. An email can display any name — "Apple Support", "Your Accountant", "Managing Director [Name]" — while arriving from a completely unrelated address.

The countermeasure is to configure your email client to display the full sending address at all times, not just the display name. On mobile clients, this typically requires tapping the sender name to expand it. Making this a reflex — check the address, not the name, before acting on any email — eliminates the display name spoofing vector entirely.
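The same check can be automated at a mail gateway or in a client plug-in. The following is an added example, not part of the Codex protocol or any tool it names: it splits a From: header into display name and sending address, then flags the two tricks described above, a display name that is itself an address (for example "treasurer@codex.example" sent from a free webmail account) and a display name that invokes the organisation's name from an unrelated domain. The domain codex.example, the watch-list, and the headers used as samples are all constructed placeholders.

```python
import re
from email.utils import parseaddr

OWN_DOMAIN = "codex.example"  # assumption: the organisation's real mail domain

# Assumed watch-list: a word that appears in a display name should only ever
# arrive from the listed domain or one of its subdomains.
WATCHLIST = {
    "codex": OWN_DOMAIN,
}

_EMBEDDED_ADDRESS = re.compile(r"[\w.+-]+@[\w.-]+")


def split_from(header: str) -> tuple[str, str, str]:
    """Return (display_name, address, domain) from a From: header value."""
    name, addr = parseaddr(header)
    addr = addr.strip().lower()
    domain = addr.rpartition("@")[2]
    return name.strip(), addr, domain


def domain_matches(domain: str, expected: str) -> bool:
    """True if domain is `expected` or a subdomain of it.

    Exact label match, so neither 'notcodex.example' nor
    'codex.example.attacker.net' passes for 'codex.example'.
    """
    return domain == expected or domain.endswith("." + expected)


def check_from_header(header: str) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    name, addr, domain = split_from(header)
    if not addr or "@" not in addr:
        return ["no parseable sending address"]

    findings = []

    # Rule 1: the display name looks like an e-mail address that differs from
    # the real sending address. Clients that show only the name will render
    # the impersonated address and hide the real one.
    for fake in _EMBEDDED_ADDRESS.findall(name):
        if fake.lower() != addr:
            findings.append(
                f"display name shows {fake} but message is from {addr}"
            )

    # Rule 2: a watch-listed word in the display name from the wrong domain.
    lowered = name.lower()
    for word, expected in WATCHLIST.items():
        if word in lowered and not domain_matches(domain, expected):
            findings.append(
                f"display name mentions '{word}' but sending domain is "
                f"{domain}, expected {expected}"
            )
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    samples = [
        '"Codex Treasurer" <treasurer@codex.example>',
        '"Codex Treasurer" <treasurer@mail-codex-support.example.net>',
        '"treasurer@codex.example" <random123@freemail.example>',
    ]
    for h in samples:
        print(h, "->", check_from_header(h) or "clean")
```

The rules are deliberately narrow: they only fire when the display name makes a claim (an address, or a watch-listed name) that the sending domain contradicts, which is exactly the condition the habit above is meant to catch. A name with no such claim is passed through, because the address itself is then the only signal and the reader still has to look at it.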

Links and Attachments

Links and attachments are the two primary delivery mechanisms for phishing and malware respectively. Links direct you to sites designed to capture credentials or install software. Attachments deliver malware directly to your device, often through document-embedded macros or exploits in file format parsers.

The hover-to-preview approach for links works for desktop clients but not mobile. On mobile, long-pressing a link typically previews the destination URL before following it. The key check is whether the destination domain is the one you expect — not whether the path after the domain looks plausible. A convincing path on a malicious domain is still a malicious domain.
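The destination check can also be expressed in code, which makes the decision rule explicit: registrable domain first, everything else second. The block below is an added example and not code from the Codex or from any mail product; it classifies each link in a message body against the domain the sender is expected to use, and flags the three cases listed in requirement 2 (shortened URLs, lookalike domains such as paypa1.com and arnazon.com, and redirects through an intermediate host) plus the hover case, where the visible link text names one domain and the href goes to another. The shortener list, the sample HTML, and the domains in it are illustrative placeholders; the two-label "registrable domain" is a simplification, as noted in the code.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Assumed shortener list (these are real public services; the list is illustrative).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

# Character swaps used in lookalike names (paypa1.com, arnazon.com, c0dex.example).
_CONFUSABLE_CHARS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
_CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"))

_ANCHOR = re.compile(r'<a\s[^>]*?href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
_SHOWN_DOMAIN = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable(host: str) -> str:
    """Last two labels of a host name ('mail.codex.example' -> 'codex.example').

    Simplification: a production check should use the Public Suffix List so
    that suffixes such as co.uk are handled correctly.
    """
    return ".".join(host.lower().split(".")[-2:])


def normalise(domain: str) -> str:
    """Fold common substitutions so that paypa1.com compares equal to paypal.com."""
    folded = domain.lower().translate(_CONFUSABLE_CHARS)
    for pair, real in _CONFUSABLE_PAIRS:
        folded = folded.replace(pair, real)
    return folded


def classify_link(url: str, expected_domain: str) -> tuple[str, str]:
    """Classify one link. Returns (verdict, detail) with verdict one of
    'ok', 'shortener', 'redirect', 'lookalike', 'mismatch', 'unparseable'."""
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https") or not host:
        return "unparseable", f"{url!r} is not an http(s) link"
    expected = expected_domain.lower()
    reg = registrable(host)

    if reg in SHORTENERS:
        return "shortener", f"{host} hides the real destination; expand it before trusting it"

    # Redirect: a query parameter whose value is itself a URL on another host.
    # The inner URL is classified recursively so the final destination is judged.
    for values in parse_qs(parsed.query).values():
        for value in values:
            inner = unquote(value)
            if re.match(r"https?://", inner, re.I):
                inner_host = (urlparse(inner).hostname or "").lower()
                if inner_host and registrable(inner_host) != reg:
                    inner_verdict, inner_detail = classify_link(inner, expected)
                    return "redirect", f"{host} forwards to {inner_host} ({inner_verdict}: {inner_detail})"

    if reg == expected:
        return "ok", f"{host} is on {expected}"
    if normalise(reg) == normalise(expected):
        return "lookalike", f"{reg} imitates {expected}"
    return "mismatch", f"{host} is not on {expected}; a plausible path does not change that"


def scan_html(html: str, expected_domain: str) -> list[dict]:
    """One record per <a> tag: href, visible text, verdict, detail, and whether
    the visible text names a different domain than the href (the hover check)."""
    records = []
    for href, text in _ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()
        verdict, detail = classify_link(href, expected_domain)
        href_host = (urlparse(href).hostname or "").lower()
        shown = _SHOWN_DOMAIN.search(text)
        text_mismatch = bool(
            shown and href_host and registrable(shown.group(1)) != registrable(href_host)
        )
        records.append({"href": href, "text": text, "verdict": verdict,
                        "detail": detail, "text_mismatch": text_mismatch})
    return records


# Constructed sample body: one legitimate link and one lookalike whose visible
# text shows the real domain while the href goes elsewhere.
SAMPLE_HTML = """
<p>Use the <a href="https://codex.example/members">Member portal</a> as usual.</p>
<p>Reset now: <a href="https://c0dex.example/reset">https://codex.example/reset</a></p>
"""

if __name__ == "__main__":
    for rec in scan_html(SAMPLE_HTML, "codex.example"):
        print(rec["verdict"], rec["text_mismatch"], rec["detail"])
```

Two design points match the prose above. The verdict is decided on the registrable domain, never on the path, so "https://codex.example.evil.test/login" is a mismatch even though it begins with the expected name. And a redirect is judged by where it ends, not where it starts: a link on an otherwise harmless tracking host that forwards to a lookalike is reported as a redirect to that lookalike.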

For attachments, the relevant question is not whether the sender is known — it is whether this specific attachment from this sender at this time was expected. Attackers frequently compromise email accounts and send malicious attachments from them, using the account owner's legitimate identity and relationships to bypass suspicion.

Urgency as a Technique

Most phishing and fraud emails include an artificial urgency element — "your account will be suspended", "action required within 24 hours", "this payment is overdue". The urgency is designed to suppress the deliberation that would identify the fraud. A recipient who pauses to verify is a failed target. A recipient who acts immediately under pressure is a successful one.

The correct response to urgency in an email is not to act faster. It is to slow down and verify through an independent channel. If the urgency is genuine, a telephone call to confirm will take two minutes. If the urgency is manufactured, the telephone call reveals the fraud. The cost of verification is the same either way; the cost of not verifying in the case of fraud is not.

Legitimate organisations do not require you to act immediately on email alone, bypass your normal verification process, or enter credentials via a link they sent you. Any email that requires any of these things is either poorly designed or malicious. Treat it accordingly.