This is a quick explanation you can send to folks who are a little too trusting of what ends up in their inbox.
What can a silly little link do?
- Notify a spammer that your email address is real and that you can be tricked, increasing the amount of spam and scams you receive.
- Land you on a virus-laden page, infecting your computer.
But the email is from a site I trust!
Really? How can you be sure? It's easy to fake an address or a link.
- Just because the "sender" address is "firstname.lastname@example.org" doesn't mean the email is from paypal.com. It is trivial, for example, to send an email that appears to be from email@example.com.
- Those links don't necessarily go where you think they go. A spammer can easily craft a link whose visible text says one thing while the underlying address points somewhere else entirely.
But the link goes to a domain I trust!
Even a link to a safe domain is not always safe.
- Many sites have "redirect scripts": http://www.google.com/url?sa=D&q=http://www.example.net/ redirects to example.net.
- A link can change your settings on that website (cross-site request forgery, or CSRF). For example, clicking here will change your Google language preferences to Pig Latin.
- Cross-site scripting (XSS) is a nasty little technique in which a carefully crafted link to a poorly designed site can do all sorts of things in your name on that site.
- Look-alike domain names are common. Depending on your font, you may not be able to see the difference between paypal.com and paypaI.com.
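The tricks above (display text that disagrees with the real destination, "redirect scripts" that carry the true target in a query parameter, and look-alike spellings of a trusted domain) can all be spotted mechanically. The following is an added example, not code from the original post: a small link-inspection routine you could run over the links in a suspicious message. The confusable-character table is a hand-picked assumption rather than a complete list, and every sample link below is constructed for illustration.

```javascript
// Added example (not from the original post): flag the link tricks described above.

// Hand-picked look-alike characters (an assumption, not a full confusables list):
// key = character as it appears, value = the ASCII letter it is mistaken for.
const CONFUSABLES = new Map([
  ["I", "l"], ["1", "l"], ["0", "o"],
  ["\u0430", "a"], ["\u0435", "e"], ["\u043e", "o"], ["\u0440", "p"], ["\u0441", "c"],
]);

// Pull the host out of an absolute URL string without lowercasing or punycode-
// encoding it, so capital letters and non-ASCII characters survive for the
// look-alike check (the URL class would normalise them away).
function rawHost(href) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/(?:[^@/?#]*@)?([^:/?#]+)/i.exec(href.trim());
  return m ? m[1].replace(/^www\./i, "") : null;
}

// Collapse confusable characters so "paypaI.com", "paypa1.com" and a Cyrillic
// "p\u0430ypal.com" all become "paypal.com".
function skeleton(host) {
  return Array.from(host, (ch) => CONFUSABLES.get(ch) ?? ch).join("").toLowerCase();
}

// The visible text of a link only matters if it itself looks like a URL or
// bare domain ("www.paypal.com"); plain words such as "Click here" return null.
function shownHost(text) {
  const t = text.trim();
  if (!/^(?:https?:\/\/)?[^\s/?#]+\.[^\s./?#]{2,}(?:[/?#]\S*)?$/i.test(t)) return null;
  return rawHost(/^https?:\/\//i.test(t) ? t : "http://" + t);
}

// Return the trusted host that `host` imitates, or null if it is either
// exactly a trusted host or does not resemble one.
function lookalikeOf(host, trusted) {
  if (trusted.includes(host.toLowerCase())) return null;
  const sk = skeleton(host);
  return trusted.find((t) => skeleton(t) === sk) ?? null;
}

// If any query parameter is itself an absolute URL, treat the link as a
// redirect script and return the embedded destination host, else null.
function redirectTarget(href) {
  let url;
  try { url = new URL(href); } catch { return null; }
  for (const value of url.searchParams.values()) {
    if (/^https?:\/\//i.test(value)) return rawHost(value);
  }
  return null;
}

// inspectLink(displayText, href, trustedHosts) -> array of warning strings
// (empty when nothing looks wrong). displayText is what the mail shows;
// href is where the link really goes.
function inspectLink(displayText, href, trustedHosts) {
  const warnings = [];
  const host = rawHost(href);
  if (host === null) return ["href is not an absolute URL"];
  const hostLc = host.toLowerCase();
  const trusted = trustedHosts.map((h) => h.toLowerCase());

  // 1. The visible text names a host, but the link goes to a different one.
  const shown = shownHost(displayText);
  const mismatch = shown !== null && shown.toLowerCase() !== hostLc;
  if (mismatch) warnings.push(`displayed host "${shown}" differs from real host "${host}"`);

  // 2. Either host is a look-alike spelling of a domain we trust.
  const candidates = mismatch ? [["displayed", shown], ["real", host]] : [["real", host]];
  for (const [label, h] of candidates) {
    const t = lookalikeOf(h, trusted);
    if (t) warnings.push(`${label} host "${h}" is a look-alike of trusted "${t}"`);
  }

  // 3. A trusted host that merely bounces the browser somewhere else.
  const target = redirectTarget(href);
  if (target !== null && target.toLowerCase() !== hostLc) {
    warnings.push(`"${host}" redirects to "${target}"`);
  }
  return warnings;
}

// Constructed sample links, modelled on the cases described in the post.
const SAMPLES = [
  ["https://www.paypal.com/account", "http://www.example.net/login"],
  ["Click here", "http://www.google.com/url?sa=D&q=http://www.example.net/"],
  ["paypaI.com", "http://paypaI.com/"],
  ["PayPal", "https://www.paypal.com/signin"],
];
for (const [text, href] of SAMPLES) {
  console.log(JSON.stringify(text), "->", href, inspectLink(text, href, ["paypal.com", "google.com"]));
}
```

The check is deliberately conservative: it raises a warning only when the visible text is itself a URL-like string that disagrees with the destination, when a host collapses onto a trusted domain after confusable characters are normalised, or when a query parameter carries a second absolute URL. A link such as "PayPal" pointing at https://www.paypal.com/signin produces no warning, which is what you want from a tool meant to teach rather than to cry wolf.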
So, what is safe, anyway?
Just don't click on links in unexpected emails, or open ANY attachments without running them through a virus scanner first.
- Go to the site like you would normally (not using any information from the email). For example, if you get what appears to be a notice from PayPal that something has happened to your account, type paypal.com into the browser's address bar and log into your account. If they have anything to tell you, they'll tell you there.
It's as simple as that to be safe.