Email phishing attacks have been around for more than 20 years and used to be very easy to spot. But as phishing attacks become more and more sophisticated, people increasingly fall for phishing attacks. Criminals use phishing emails to gain access to your online accounts, which could enable them to steal your money or install malware on your computer. Prominent attacks like the WannaCry ransomeware attack oftentimes start with a phishing attack, usually via email.
Email phishing attacks
Update 2019-11-29: Recently we have seen an increased number of phishing emails for all kinds of services being sent to our users. That's why we have made some changes to Tutanota to makes it harder for malicious attackers to get through to your Inbox.
We now send more emails to spam, particularly where a malicious attacker pretends to send you an email from an online service by faking their sending address.
New spam filter may lead to false positives
However, this also may affect emails from a few online services, for instance newsletters or booking confirmations. If this happens, the company in question has failed to set up their email server correctly. Please get in touch with them and ask them to reconfigure their email server.
How to stop false positives yourself
If you are experiencing a false positive and would like future emails to go to the Inbox, please whitelist the sender via spam rules. When viewing the email, click 'SHOW MORE', then click on the sending email address, choose 'Add spam rule', and set the domain (not just the email address!) to 'No spam'.
Please note: If you define this domain as no spam, spammers can again send you phishing emails by faking this domain's address.
Inbox rules: Spam rules have a higher priority than inbox rules. If an email is sent to your spam folder, the inbox rules can no longer be applied. Once you have whitelisted the sending domain by putting it to 'No spam' via the spam rules, the inbox rules can be applied again.
Email phishing: How we make sure your Tutanota account stays safe
Now, we'd like to explain how we make sure that no one can phish your Tutanota email address and password. When you receive an email from the Tutanota Team, we never ask you to click a link to confirm or update your login credentials.
We never ask for your password.
How to spot a phishing email for your Tutanota account
To spot a phishing email for your Tutanota account is very easy: These emails do NOT contain a red tag line. This example shows the difference. The first email has been sent by a random Tutanota user trying to impersonate one of our team members, the second one is indeed comings from one of our team members - in this case from Hanna.
An email from the Tutanota Team must always display a red tag line (mint green tag line when using the dark theme) with Tutanota Team:
If this is an announcement - like in the above screenshot - there is no name or email address given next to the tag line. If this email is coming from our support team or one of our team members, the email address is written next to the red (or mint green) Tutanota Team tag line.
This red (or mint green) tag line cannot be added by someone impersonating us who is trying to phish your Tutanota password. It is built into the code of our email client.
Official Tutanota sending domain: tutao.de
When we started building Tutanota, we knew that for an email service it is of crucial importance that no one can impersonate us or members of our team. However, everybody can register for any Tutanota email address.
To solve this dilemma we have been using our company domain rather than Tutanota domains as official email addresses from the start. Our company, which is behind Tutanota, is called the Tutao GmbH. If you receive an email from the Tutanota team, the mail address will always end in @tutao.de.
Why are email accounts targeted with phishing emails?
Your email account holds a lot of sensitive information: You register on most sites like Amazon, PayPal, eBay etc. with your email address, and important institutions like banks send you information via email. This makes your email account the number one target for two reasons.
Many people receive phishing emails that are spoofed in such a way that they look like they are coming from Facebook, Google, or their bank, etc. asking them to enter their login information after clicking a link provided.
Phishing attacks also target your mailbox directly, trying to gain access to your mailbox login. This is even more dangerous because when attackers have access to your mailbox, they can ask for a simple password-reset for all online accounts linked to your email address, and just like that they can access and abuse these accounts.
How Tutanota protects you from email phishing attacks
That's why our secure mail service Tutanota does everything possible to protect you from phishing attacks.
Tutanota uses spam filtering that detects most phishing emails so that you do not have to be concerned about them. However, there are always spam mails - also phishing mails - that slip through.
In Tutanota your mailbox is fully encrypted; we have absolutely no access to your encrypted data. Only your password can decrypt the data. So please keep in mind that we would never ask you for your mailbox password.
We can not reset your password to safeguard your Tutanota account.
Criminals often abuse the password-reset function via email to gain access to your online accounts with a phishing email. So to protect your encrypted mailbox to the maximum, there is no option that you can ask us to reset your Tutanota password via email.
If you can't ask for a password-reset, no criminal impersonating you can either. Please remember to write down your password and your recovery code somewhere safe. Only you yourself can reset your password with the help of your recovery code.
Email phishing attacks targeted at Tutanota
We are regularly being informed by users that they have received phishing emails, looking like this.
This email shows everything that's fishy about phishing, and will help you to easily detect phishing emails:
The sender's email address is wrong. When you are logged in in the browser the header in your Tutanota mailbox shows you the sender's name and the sender's email address so that you can easily spot when an email is coming from a wrong sender. In the app the sender's email address isn't shown automatically, but you can easily check it by tapping on the sender's name.
The content of the email looks fishy as well: The attackers pretend that there is a time urgency, they ask to enter login credentials following a link provided. Never fall for such emails, that's how a typical phishing email looks like.
Our main tip to prevent phishing attacks is very easy: Never share your Tutanota password. Not even with us.
Tips on how to prevent email phishing
Check the sender's email address.
If asked to enter login credentials via a link provided, alarm bells must ring.
Check the link carefully: If the attackers try to steal your Tutanota login, the link provided will look similar, but not right. Instead of tutanota.com, the attackers might use 1u1nota.com.
If it looks wrong, it probably is wrong
Whenever you receive an email that looks fishy, it is very likely that it is a phishing email. When in doubt, just ask. You can find us easily on Twitter, Mastodon, Facebook, or Instagram, and, of course, via email.
If you receive a potential phishing email from a Tutanota domain, please forward it to email@example.com.
Recommended for further reading: Email Security Guide: 3 easy steps to keep your emails safe from hackers as well as Password Security Guide: How to choose a secure password.