Email and Security
Avoid using email to exchange or store sensitive information
- Messages originating from senders or destined for recipients outside of the University's email system travel across networks and are stored on email systems managed by other organizations.
- While the University is committed to following IT security best practices for managing email, we cannot be certain that the same holds true for email and network providers outside of the University. So, you should assume that any email message sent to or received from an off-campus address is at risk.
- If you need to send or receive sensitive information via email, use Princeton's Secure File Send service.
Beware of the phishing threat
- Phishing is a scam in which a message, while pretending to be from a legitimate institution, tricks you into providing passwords, social security numbers, bank account and credit card numbers, or other personal information.
- Reputable organizations do not ask that you provide personal information in an email reply.
- If you receive a suspect message appearing to be from Princeton, contact the OIT Help Desk at (609) 258-HELP.
How to secure confidential email
If everyone on campus connected to the Princeton email servers in an encrypted manner, email exchanged among Princeton University accounts would have a low risk of exposure.
However, when email involves off-campus senders or recipients, the best alternative for ensuring confidentiality is to use an "end-to-end encryption" product, such as PGP ("Pretty Good Privacy"). Such products allow the sender of an email message to selectively encrypt its content before sending, and allow each recipient to decrypt that same content upon receipt.
PGP and similar end-to-end encryption products use a "public key" encryption system where each user is given two keys, interrelated in such a way that whatever is encrypted using one key can be decrypted only with the other, and vice versa.
As implemented, these products define one of each person's generated keys as his or her "private" key and the other as his or her "public" key. Each individual must always guard his or her "private" key and must not share it with anyone. However, his or her "public" key can be freely made available to anyone who wishes to send encrypted messages to the individual, and can even be placed in a directory.
The above technology not only provides individuals with the ability to encrypt messages, but also to verify the identity of the email sender through the use of digital signatures.
It is important to note that message encryption and digital signatures can only be used if both the sender and recipient have each:
- installed compatible end-to-end encryption products on his or her computer,
- had his or her personal pair of keys created - a public key used to encrypt messages and a private key to decrypt them,
- sent his or her public key to the other party (or had it stored in a common directory),
- saved the public encryption key received from the other party (unless it is stored in a common directory).
Email is a convenient mode of communication and is integral to the business of the University. However, email also makes it easy for people to share misleading or fraudulent information, to perpetuate Internet "urban legends," and to "spam" (send unsolicited mass-mailings for marketing or other exploitive purposes). If you receive spam:
- Never reply to the email. Ignore email addresses or World Wide Web URLs provided for you to use "if you do not want to receive such mail in the future." These frequently just verify the accuracy of your email address (and that you read junk email!), and result in even more spam coming your way.
- If you just want to get on with things, just delete the piece of mail.
- If you want to file a complaint, look at the full headers of the message to find out where the mail originated. (Often the abbreviated headers show incorrect information.) You might need to verify the domain from which the mail originated by checking the "IP Address" shown for the point of origin. The OIT Help Desk can assist you in displaying and interpreting the full headers, which should help identify or verify the domain from which the mail originated. (Some groups offer help in complaining about spam. Use "Helpful Links" below for more information.) Most registered Internet domains provide email addresses for domain authorities; complaints should be sent to such authorities. The text of the objectionable message and the full headers of the message should also be included with the complaint.
- Don't be fooled. Spammers have many tricks. Here are two:
  - Using one person's Princeton NetID in the "To:" line as the intended recipient, when the mail is really going to many Princeton addresses. (Some people think they have received another's email, and others think the person whose name appears is the one who sent the spam. Neither is true.)
  - Saying you are receiving the mail because you have visited a certain kind of website or because you have expressed interest in this kind of material. (It's a marketing ploy. You were probably selected randomly.)
- Use filters if your mail program provides them. You can filter out some of the more obviously tagged mailings (e.g., anything with subject line saying "Adult Content" or "Advertisement"). The OIT Help Desk can assist you in setting up filters.
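The following is an added example, not part of the original page, of reading the full headers the way the complaint step above describes. A message gathers one "Received:" line per mail server it passes through, newest at the top; a server you do not control can write anything into the lines below its own, so the first origin you can actually verify is the "from" address recorded by the last server you trust. The sample message, the hostnames (`.example` and `.invalid`) and the IP addresses (RFC 5737 documentation ranges) are all constructed, as is the set of trusted hosts; a Princeton user would substitute the names of the campus mail servers, which the OIT Help Desk can supply.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// Constructed sample: spam whose "From:" claims a campus address and whose
// "Reply-To:" points elsewhere. Headers are listed newest-first, as received.
const sampleMessage = `Received: from mx.example.edu ([192.0.2.10]) by mailbox.example.edu with ESMTP; Mon, 1 Jan 2024 10:00:03 -0500
Received: from relay.example.net ([203.0.113.45]) by mx.example.edu with ESMTP; Mon, 1 Jan 2024 10:00:02 -0500
Received: from home.invalid ([198.51.100.7]) by relay.example.net with SMTP; Mon, 1 Jan 2024 10:00:01 -0500
From: "IT Help Desk" <helpdesk@example.edu>
Reply-To: winner@prizes.invalid
To: someone@example.edu
Subject: Advertisement: You have been selected

Reply to this message to claim your prize.
`

var (
	fromIP = regexp.MustCompile(`\[(\d{1,3}(?:\.\d{1,3}){3})\]`)
	byHost = regexp.MustCompile(`\bby\s+([A-Za-z0-9.-]+)`)
)

// Hop is one "Received:" line: which server wrote it and which IP it says
// handed over the message.
type Hop struct {
	FromIP string
	ByHost string
}

// ParseHops returns the Received chain, newest first (index 0 is the line
// added by the final, local server).
func ParseHops(raw string) ([]Hop, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	var hops []Hop
	for _, line := range msg.Header["Received"] {
		var h Hop
		if m := fromIP.FindStringSubmatch(line); m != nil {
			h.FromIP = m[1]
		}
		if m := byHost.FindStringSubmatch(line); m != nil {
			h.ByHost = m[1]
		}
		hops = append(hops, h)
	}
	return hops, nil
}

// VerifiableOrigin walks down the chain while the lines were written by
// our own (trusted) servers and returns the "from" IP of the last such
// line: the point where the message entered our systems. Anything below
// was written by outside servers and may be forged.
func VerifiableOrigin(hops []Hop, trusted map[string]bool) (string, bool) {
	origin := ""
	for _, h := range hops {
		if !trusted[h.ByHost] {
			break
		}
		origin = h.FromIP
	}
	return origin, origin != ""
}

// ReplyToMismatch reports whether a reply would go to a different domain
// than the one the message claims to come from, a common sign that the
// "From:" is not who it says and that replying is unwise.
func ReplyToMismatch(raw string) (bool, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return false, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return false, err
	}
	rt := msg.Header.Get("Reply-To")
	if rt == "" {
		return false, nil
	}
	replyTo, err := mail.ParseAddress(rt)
	if err != nil {
		return false, err
	}
	return domainOf(from.Address) != domainOf(replyTo.Address), nil
}

func domainOf(addr string) string {
	return strings.ToLower(addr[strings.LastIndex(addr, "@")+1:])
}

func main() {
	hops, _ := ParseHops(sampleMessage)
	trusted := map[string]bool{"mailbox.example.edu": true, "mx.example.edu": true}
	ip, _ := VerifiableOrigin(hops, trusted)
	mismatch, _ := ReplyToMismatch(sampleMessage)
	fmt.Printf("verifiable origin: %s (bottom line claims %s); reply-to mismatch: %v\n",
		ip, hops[len(hops)-1].FromIP, mismatch)
}
```

On the sample, the bottom "Received:" line claims the mail started at 198.51.100.7, but that line was written by an outside relay; the first address a complaint can stand on is 203.0.113.45, the server that handed the message to the trusted campus gateway. Looking up the registered owner of that address, rather than the one in the bottom line, is what "verify the domain from which the mail originated" amounts to in practice.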
Chain letters are a particular type of spam where the recipient is encouraged to forward the email to a number of other individuals by being told that he/she would receive something good (e.g., good luck, health, money) if he/she complied or something bad (e.g., illness, injury, death) if he/she didn't. The primary goal of such chain letters is to flood the system with thousands of pieces of email. If the number is ten, the first individual would send ten email messages, the recipients would send one hundred (ten each), their recipients would send one thousand, etc. To protect our network and systems, please do not forward such email messages.
Chain letters are also used to promote pyramid schemes where the recipient is told to send an amount of money to those above him/her on the pyramid and (in theory) would receive money from those below him/her on the pyramid. Electronic pyramid schemes are no different from their paper-based predecessors that occasionally passed through the postal service; their goal is to separate you from your money, and they are illegal.