How to use email securely

This guide page provides a checklist of cyber security best practices for email use, including instructions on how to identify and respond to social engineering and phishing attempts.

General email security reminders

  • Do not use email for sensitive information
  • Use caution when opening attachments - see the following section for more details
  • Do not forward your work email to a personal email account
  • Limit the amount of information in "Out of Office" messages and only send to internal users or users in your personal address book if possible
  • Be sure to lock your computer screen when you walk away from your desktop or laptop computer
  • Set your mobile device to lock and require a PIN
  • Make sure your personal desktop and laptop computers at home are up to date with the latest security patches and anti-virus software

How to identify and respond to social engineering and phishing attempts

Social engineering is the art of obtaining confidential information from individuals through manipulative and deceptive means by mail, email (also known as phishing), or over the phone.

How can you identify a social engineering attempt via email?

There are several elements commonly found in most email-based social engineering/phishing attacks. Here are some red flags to watch out for:

Appearance

  • Grammatical errors or misspellings
  • Low quality or disorganized graphics or logos
  • A generic greeting is used instead of your name

Sender’s Identity

  • Sender’s name does not match email address
  • Sender’s email domain does not match the company the party claims to represent

Message / Tone

  • Request includes opening an attachment, clicking a link, or providing sensitive information
  • Urgency or warning of consequences if you do not respond

As hackers have become more sophisticated, their phishing emails have started to look more professional. Vigilance is crucial. If you have any doubts about an email, check with the help desk before responding or clicking on a link.
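As an added example (not part of the Mass.gov page), the Python script below applies the red flags from the three lists above to a constructed sample message; the sender, domains and keyword lists are assumptions you would adapt to your own organisation.

```python
"""Heuristic triage of one email against the phishing red flags listed above."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample for demonstration only; the sender, domains and text are invented.
SAMPLE = """From: IT Service Desk <helpdesk@mail-notice.example>
To: employee@agency.example
Subject: URGENT: your mailbox will be suspended

Dear User,
Your mailbox is over quota. Click the link below within 24 hours to
verify your password, or your account will be disabled.
http://mail-notice.example/verify
"""

INTERNAL_DOMAINS = ("agency.example",)  # assumed: your organisation's mail domains
INTERNAL_ROLES = ("service desk", "help desk", "it support", "it department")
GENERIC_GREETINGS = ("dear user", "dear customer", "dear employee", "dear sir", "hello,")
URGENCY = ("urgent", "immediately", "within 24 hours", "will be suspended", "will be disabled")
ACTIONS = ("click", "open the attachment", "verify your password", "provide your")


def triage(raw: str, internal_domains=INTERNAL_DOMAINS) -> list[str]:
    """Return the red flags found in a raw message (an empty list means none found)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    first_line = next((ln.strip().lower() for ln in body.splitlines() if ln.strip()), "")
    flags = []
    # Sender's identity: a display name claiming an internal role, sent from an external domain.
    if any(r in name.lower() for r in INTERNAL_ROLES) and domain not in internal_domains:
        flags.append(f"sender claims '{name}' but mails from external domain '{domain}'")
    # Appearance: a generic greeting instead of the recipient's name.
    if first_line.startswith(GENERIC_GREETINGS):
        flags.append(f"generic greeting: '{first_line}'")
    # Message / tone: urgency or a warning of consequences.
    if any(u in text for u in URGENCY):
        flags.append("urgency or warning of consequences")
    # Message / tone: asks you to click, open an attachment, or hand over sensitive information.
    if any(a in text for a in ACTIONS) or re.search(r"https?://", text):
        flags.append("requests a click, an attachment, or sensitive information")
    return flags


if __name__ == "__main__":
    for flag in triage(SAMPLE):
        print("RED FLAG:", flag)
```

A message that trips several flags at once is the one to send to the help desk rather than answer; a clean result does not prove a message is safe.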

How can you identify a social engineering attempt via phone?

A caller carrying out a telephonic social engineering attempt may exhibit several of the following characteristics:

Caller’s Identity

  • Refusal to provide contact information or complete employee information
  • Use of name-dropping or referencing internal technologies or initiatives

Request / Tone

  • Requesting proprietary, non-public or personal information
  • Intimidation or pressure to provide information quickly

How should you respond if you encounter suspicious activity?

In the case of a suspicious email:

  • Do not respond to emails or text messages asking for confidential or personal information.
  • Do not open attachments or click on links within suspicious emails from an unknown individual.
  • Attackers can target you at work through your personal accounts (like Gmail); follow the same care for all your accounts.
  • Limit details disclosed in “out of office” messages.

In the case of a suspicious phone call:

  • Verify the caller’s identity. Ask for their name, agency, and employee number and then confirm the information on Mass.gov.
  • Take their name and call them back on the contact details listed on Mass.gov (not the details provided by the caller).
  • Never provide personal information, details of other employees, or disclose other non-public information about the Commonwealth unless authorized and you are certain about the caller’s identity.
  • Never divulge sensitive or other internal information to unknown individuals on the phone.
  • Do not feel pressured into sharing information by a caller using intimidation techniques.

If you suspect any malicious activity, report it immediately to your manager and your Secretariat IT Service Desk. Contact information for Secretariat IT Service Desks can be found here.

By following these simple steps, you will avoid unwittingly giving a hacker access to the Commonwealth’s network or compromising sensitive organizational, client, or personal data.
