The Only Safe Email is Text Email
I’ve been using text-only email for a long time. It just works. I also recommend it to my colleagues as a safe way to ensure messages don’t end up with winmail.dat issues, wierd font rendering, and embedded images during delivery to clients.
It’s troubling to think that at any moment you might open an email that looks like it comes from your employer, a relative or your bank, only to fall for a phishing scam. Any one of the endless stream of innocent-looking emails you receive throughout the day could be trying to con you into handing over your login credentials and give criminals control of your confidential data or your identity.
Most people tend to think that it’s users’ fault when they fall for phishing scams: Someone just clicked on the wrong thing. To fix it, then, users should just stop clicking on the wrong thing. But as security experts who study malware techniques, we believe that thinking chases the wrong problem.
The real issue is that today’s web-based email systems are electronic minefields filled with demands and enticements to click and engage in an increasingly responsive and interactive online experience. It’s not just Gmail, Yahoo mail and similar services: Desktop-computer-based email programs like Outlook display messages in the same unsafe way.
Simply put, safe email is plain-text email – showing only the plain words of the message exactly as they arrived, without embedded links or images. Webmail is convenient for advertisers (and lets you write good-looking emails with images and nice fonts), but carries with it unnecessary – and serious – danger, because a webpage (or an email) can easily show one thing but do another.