Email Security Tips

In an ongoing effort to improve security and maintain compliance with other mailbox providers, Tufts University will be updating email authentication policies for inbound and outbound mail. See the Proofpoint user guide page on "Email Authentication Policies" for the most up-to-date information

Tips for Securing Exchange

An important step to securing your email messages is to minimize unnecessary storage of copies, as well as the number of places where copies of emails are stored. Tufts email is administered through the Outlook email application and the emails themselves are stored on the Exchange servers. Both Outlook and Exchange, and any devices you access email on, will keep a copy of your emails. To reduce the number of copies that are stored, and the number of places where they are stored, follow these tips:

  • Disable forwarding to another email client (like Gmail or Yahoo)
  • Use the Outlook Web App instead of the desktop client, so that copies of your emails are not stored on your machine.

Phishing and Social Engineering Scams

Phishing is an attempt to acquire sensitive personal information, like usernames, passwords, and financial information. Phishing can take place in any medium, but often occurs when a phisher sends fake emails designed to trick you into thinking the sender is your bank, credit card company, a Tufts email or network administrator, or a Tufts vendor.

Tufts University will never request your password or personal information via email. You should never divulge your password to anyone.

Beware of emails that:

  • Fail to address you by your name and use generic salutations like Dear "Exchange User," "Email User," "Tufts Employee" or first.last@tufts.edu. These are general phishing attempts.
  • Use your name but come from a source you are not familiar with or you did not expect to be contacting you for the reason stated. These are spear phishing attempts, which often target individuals in positions likely to have access to sensitive information.
  • Create some type of crisis that will adversely affect you (e.g., you have exceeded your email quota or your email account is about to be shut down) unless you supply your Tufts Username and Tufts Password.
  • Warn that you have already been the victim of a phishing attack and you must confirm your identity by supplying your Tufts Username and Tufts Password.
  • Request that you call or email them with personally identifying information, like your bank account number.

Avoid using or clicking on links in emails. In the image example below, the user can see that this is not a legitimate request by hovering their cursor over the link to reveal the true link address.

Example of email phishing scam

Know that no Tufts IT professional will ever ask you for your password or send a link for you to click to "fix" an account or email issue. If you receive a suspicious email asking you to click a link and provide your account name, password or any other personal information, report it immediately to the Technology Services Support Center at (617) 627-3376 or via email to it@tufts.edu.

Tools for Sending Protected and Encrypted Emails

Tufts has the following options available for users to securely send emails to other people using encryption. Before using email to share sensitive and/or private information, even with encryption, it’s always important to consider applicable government and industry laws and regulations, University and local policies, guidelines and practices.

  1. Secure email provides a way to send encrypted messages containing sensitive and/or private data to people outside of Tufts (i.e., to addresses other than @tufts.edu). See Sending Secure Email online guide.
  2. Adobe Pro Suite gives users the ability to protect and encrypt a pdf file. See Adobe Encryption.
  3. Microsoft Office Suite - Word, Excel, and Powerpoint have options to protect and encrypt Office files. See Microsoft Encryption.

Anti-spam Protection

Proofpoint Inc. is an anti-spam product that acts as a gatekeeper for the university email servers to filter annoying or malicious spam messages out of your email inbox. The filter catches many of the spam messages sent to Tufts email users, but cannot catch all. Proofpoint also has a variety of user-controlled features to help you manage spam emails, which may contain malware or be from senders that are "phishing" for your personal information. Use Proofpoint to:

  • Mark messages or certain email addresses as spam
  • Release emails that were accidentally marked as spam or add email addresses to a safe senders list

To use Proofpoint's self-service features, see Proofpoint (Email anti-spam).