
How to Prevent Email Phishing Attacks: Never Share Your Password.

Beware of attackers trying to steal your login credentials via phishing emails. Here is how to keep your mailbox safe.

2017-05-18
Phishing emails are one of the most common attacks on the Internet and pose a severe threat to your online security. Here are some easy steps to prevent a phishing attack from being successful. Most importantly: Never share your password.

Phishing has been around for more than 20 years and used to be very easy to spot. But as phishing attacks become more and more sophisticated, people increasingly fall for them. Criminals use phishing emails to gain access to your online accounts, which could enable them to steal your money or install malware on your computer. Prominent attacks like the WannaCry ransomware attack oftentimes start with a phishing attack, usually via email.

Why are email accounts targeted with phishing?

Your email account holds a lot of sensitive information: You register on most sites like Amazon, PayPal, eBay etc. with your email address, and important institutions like banks send you information via email. This makes your email account the number one target for two reasons.

  1. Many people receive phishing emails that are spoofed in such a way that they look like they are coming from Facebook, Google, or their bank, etc. asking them to enter their login information after clicking a link provided.

  2. Phishing attacks also target your mailbox directly, trying to gain access to your mailbox login. This is even more dangerous because when attackers have access to your mailbox, they can ask for a simple password-reset for all online accounts linked to your email address, and just like that they can access and abuse these accounts.

How Tutanota protects you from phishing

That's why our secure mail service Tutanota does everything possible to protect you from phishing attacks.

Tutanota uses spam filtering that detects most phishing emails so that you do not have to be concerned about them. However, there are always spam mails - also phishing mails - that slip through.

In Tutanota your mailbox is fully encrypted; we have absolutely no access to your encrypted data. Only your password can decrypt the data. For that reason, we would never ask you for your mailbox password.

There is no password-reset via email to safeguard your Tutanota account.

Criminals often abuse the password-reset function via email to gain access to your online accounts. So to protect your encrypted mailbox to the maximum, there is no option to ask us to reset your Tutanota password via email.

If you can't ask for a password-reset, no criminal impersonating you can either. Please remember to write down your password and your recovery code somewhere safe.

Phishing targeted at Tutanota

We've recently been informed by some users that they have received phishing emails, looking like this.

This email shows everything that's fishy about phishing, and will help you to easily detect phishing mails:

  1. The sender's email address is wrong. When you are logged in via the browser, the header in your Tutanota mailbox shows you the sender's name and the sender's email address so that you can easily spot when an email is coming from a wrong sender. In the app the sender's email address isn't shown automatically, but you can easily check it by tapping on the sender's name.

  2. Tutanota is one of the few email services that warn you when the 'technical sender' differs from the 'from sender' so that you can spot spoofed mails easily.

  3. The content of the email looks fishy as well: The attackers pretend that the matter is urgent, and they ask you to enter login credentials by following a link provided. Never fall for such emails; that's what a typical phishing email looks like.

Our main tip to prevent phishing attacks is very easy: Never share your Tutanota password. Not even with us.

Tips on how to prevent phishing

  1. Check the sender's email address.

  2. If you are asked to enter login credentials via a link provided, alarm bells should ring.

  3. Check the link carefully: If the attackers try to steal your Tutanota login, the link provided will look similar, but not right. Instead of tutanota.com, the attackers might use 1u1nota.com.
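
The three checks above (sender mismatch, impersonated team name, lookalike link) can be automated over a raw message. The following is an added example, not Tutanota's own code: it assumes the 'technical sender' is the Sender header or, failing that, Return-Path, and the sample messages and .example domains are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

LINK_DOMAIN = "tutanota.com"  # login domain named on the page
TEAM_DOMAIN = "tutao.de"      # official sending domain named on the page

def edit_distance(a, b):
    # Levenshtein distance, computed one row at a time
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header):
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def check_message(raw):
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg["From"])
    # Assumption: "technical sender" = Sender header, else Return-Path
    tech_dom = domain_of(msg["Sender"] or msg["Return-Path"])
    if tech_dom and tech_dom != from_dom:
        findings.append(f"technical sender {tech_dom} differs from From {from_dom}")
    name = parseaddr(msg["From"] or "")[0].lower()
    if "tutanota" in name and from_dom != TEAM_DOMAIN:
        findings.append(f"claims to be Tutanota but sent from {from_dom}")
    body = " ".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname or ""
        site = ".".join(host.split(".")[-2:])  # simplification: no Public Suffix List
        if 0 < edit_distance(site, LINK_DOMAIN) <= 3:  # near miss, not exact match
            findings.append(f"lookalike link domain {site}")
    return findings

# Constructed samples; local parts and .example names are placeholders
PHISH = ("From: Tutanota Team <support@mail-service.example>\n"
         "Return-Path: <bounce@bulk-sender.example>\n"
         "Subject: Verify your account within 24 hours\n\n"
         "Log in here: https://1u1nota.com/login\n")
LEGIT = ("From: Tutanota Team <hello@tutao.de>\n"
         "Subject: Release notes\n\n"
         "Read more at https://tutanota.com/blog\n")

if __name__ == "__main__":
    print("\n".join(check_message(PHISH)))
```

The distance threshold of 3 is a heuristic chosen so that 1u1nota.com is caught; a production filter would also normalise Unicode homoglyphs and decode transfer-encoded bodies.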

Official Tutanota sending domain: tutao.de

When we started to build Tutanota, we knew that for an email service it is of crucial importance that no one can impersonate us or members of our team. However, everybody can register for any Tutanota email address.

To solve this dilemma, we have been using our company domain rather than Tutanota domains for official email addresses from the start. Our company, which is behind Tutanota, is called Tutao GmbH. If you receive an email from the Tutanota team, the mail address will always end in @tutao.de.

How to spot an email from the Tutanota Team

Tutanota displays a red tagline reading 'Tutanota Team' next to the sender's address if an email is coming from us or one of our team members. This red tagline cannot be added by someone impersonating us trying to phish your Tutanota password because it is built into the code of our email client.

If it looks wrong, it probably is wrong

Whenever you receive an email that looks fishy, it is very likely that it is a phishing mail. When in doubt, just ask. You can find us easily on Twitter, Mastodon, Facebook, Google+ or Instagram, and, of course, via email.

If you receive a potential phishing email from a Tutanota domain, please forward it to abuse@tutao.de.


Recommended for further reading: Online Security Guide: How to Keep Your Emails Safe from Hackers.