Know and understand how to minimise the potential danger of using email, including an awareness of the potential dangers of opening or replying to an email from an unknown person, and an awareness of the risks associated with sending personally identifiable data

Topic 8 – Safety and Security: Email

Learning objective

Students will know and understand how to minimise the potential danger of using email, including:

  • the risks of opening or replying to an email from an unknown person,
  • the dangers of sending personally identifiable data (PID) or images,
  • the wider e‑safety principles that apply to all online communication, and
  • the legal and policy framework that governs safe email use.

1. e‑Safety context

e‑Safety is the responsible and secure use of ICT. Email is one of many online tools (social media, instant messaging, cloud storage, etc.) that can be mis‑used. The same core principles apply to every digital service:

  • Think before you click, share or reply.
  • Respect privacy. Follow the school’s e‑safety policy and UK data protection law (the Data Protection Act 2018 together with the UK GDPR).
  • Report anything suspicious. Your teacher or school IT team must be informed immediately.

2. Why email can be risky

Email is popular with attackers because it can carry:

  • Hidden code (malware, ransomware) in attachments or links.
  • Impersonation (phishing, spoofing, business‑email compromise).
  • Accidental disclosure of personal or confidential information.
  • Unencrypted transmission – email was designed without encryption. Unless every hop uses TLS (STARTTLS, or a dedicated SSL/TLS port) the content can be read in transit, and even with TLS it is readable by every mail server that handles it.

3. Common email threats

  1. Phishing – deceptive messages that try to obtain login details or personal data.

    • Cues: urgent language, spelling/grammar errors, mismatched URLs, requests for passwords or money.
    • Example: “Your account will be closed – click http://bank‑secure‑login.com to verify.”

  2. Malware / ransomware attachments – files that execute harmful code when opened.

    • Never open executable or script files (.exe, .scr, .bat, .js, .vbs, .ps1) or macro‑enabled Office documents (.docm, .xlsm) unless you are certain of the source. Attackers disguise these with double extensions such as invoice.pdf.exe and with misleading icons.
    • Scan every attachment with up‑to‑date anti‑virus software before opening. A clean scan lowers the risk but does not prove the file is safe: brand‑new malware is often not detected yet.

  3. Spam – unsolicited bulk mail that may contain scams or unwanted advertising.
  4. Spoofing – forged sender addresses that make the email appear to come from a trusted source.
  5. Business‑Email Compromise (BEC) – attackers impersonate a senior colleague or supplier to request payments or confidential data.

    • Mitigation: verify any payment or data request via a separate channel (phone, face‑to‑face, or a known instant‑messaging account).

  6. Ransomware delivery – ransomware arrives through the same malicious links and attachments as other malware; the difference is the impact (files encrypted, backups targeted, ransom demanded).

    • A message claiming “your files are encrypted – click here to recover them” is itself a lure. Do not click it; report it immediately.
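The attachment rules above (block executables, scripts and macro‑enabled documents; treat everything else as needing a scan; do not trust the file name) can be applied mechanically. The script below is an added example and is not part of the original lesson or any vendor product: it parses a constructed message, lists its attachments and gives each a verdict, checking the first bytes of the file so that an executable renamed to invoice.pdf is still caught. The extension lists, magic‑byte table and sample message are assumptions kept deliberately short.

```python
"""Triage the attachments of a constructed email before anyone opens them.

Added example, not part of the original lesson. BLOCKED_EXT, CAUTION_EXT and
MAGIC are assumptions kept short; a real mail gateway would use a full
file-type library and an anti-virus scan on top of a check like this.
"""
import email
import email.policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Executables, scripts and macro-enabled Office types: never opened from email.
BLOCKED_EXT = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".hta",
               ".docm", ".xlsm", ".pptm"}
# Document and archive types: scan first, then open in protected/safe view.
CAUTION_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".zip", ".7z", ".iso"}

# (leading bytes, label) for a few common formats; assumption: not exhaustive.
MAGIC = [
    (b"MZ", "windows executable"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip container"),            # also .docx/.xlsx/.jar
    (b"\xd0\xcf\x11\xe0", "legacy ole office document"),
]


def sniff(data: bytes) -> Optional[str]:
    """Identify the real format from the first bytes, ignoring the file name."""
    for prefix, label in MAGIC:
        if data.startswith(prefix):
            return label
    return None


def classify(filename: str, data: bytes) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'block', 'caution' or 'ok'."""
    ext = ("." + filename.lower().rsplit(".", 1)[-1]) if "." in filename else ""
    real = sniff(data)
    if real == "windows executable":
        return "block", f"content is a Windows executable whatever the name says ({filename})"
    if ext in BLOCKED_EXT:
        return "block", f"{ext} is an executable, script or macro-enabled type"
    if ext == ".pdf" and real != "pdf":
        return "block", "named .pdf but the content is not a PDF"
    if ext in CAUTION_EXT:
        return "caution", f"{ext}: scan with anti-virus and open in protected/safe view only"
    return "ok", "no risky extension or file signature found"


def triage(raw: bytes) -> List[Tuple[str, str, str]]:
    """(filename, verdict, reason) for every attachment of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""   # always bytes, transfer-encoding removed
        results.append((name, *classify(name, data)))
    return results


def build_sample() -> bytes:
    """Constructed message with four attachments; 'invoice.pdf' is really a PE file."""
    msg = EmailMessage()
    msg["From"] = "finance@school.co.uk"           # constructed addresses, not real
    msg["To"] = "student@school.co.uk"
    msg["Subject"] = "Documents attached"
    msg.set_content("Please see the attached files.")
    samples = [
        ("timetable.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<<>>\nendobj\n"),
        ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"),
        ("update.js", b"var s = new ActiveXObject('WScript.Shell');"),
        ("photo.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ]
    for name, data in samples:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, reason in triage(build_sample()):
        print(f"{verdict:8} {name:15} {reason}")
```

The order of the checks matters: the signature test runs before the extension test so that a renamed executable is blocked even though “.pdf” is on the caution list, and a “.pdf” whose bytes are not a PDF is blocked rather than merely scanned.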

4. Safe email practices (client‑side)

Follow these steps each time you handle an email:

  1. Verify the sender – check the full address, look for misspellings or unexpected domains (e.g. john.doe@school.co.uk vs john.doe@schoolc0.uk).
  2. Hover over links before clicking (on a phone, press and hold) to reveal the real URL; if the domain does not match the claimed source, do not click.
  3. Handle attachments cautiously:

    • Open PDFs and Word/Excel files only after scanning, and in “protected view” or “safe view” where the application offers it: these formats can carry exploits and macros too.
    • Avoid executables, scripts and macro‑enabled files unless absolutely necessary and the sender has confirmed them by another channel.
    • If your client offers a “sandbox”, “preview” or “safe view”, use it rather than downloading the file.

  4. Use strong passwords and two‑factor authentication (2FA) for your email account.
  5. Keep software up to date – email client, operating system, anti‑virus, and web browsers.
  6. Ensure encrypted transmission (TLS) – in webmail, check the browser shows the padlock (HTTPS); in a desktop client, check the account settings use SSL/TLS or STARTTLS for both incoming and outgoing mail. This protects the message only between you and your mail server; a server on the path can still read it, which is why PID needs the end‑to‑end protection in Section 7.
  7. Encrypt sensitive messages when PID is involved (see Section 7).
  8. Report suspicious mail to your teacher or school IT staff immediately.
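Steps 1 and 2 above (check the sender’s real address, compare a link’s visible text with its real target) are the checks that catch most phishing. The script below is an added example, not part of the original lesson: it takes a constructed “From” header and HTML body, extracts every link, and reports the cues a student is taught to look for: plain http links, IP addresses instead of names, look‑alike domains such as schoolc0.uk, a trusted brand name buried in an unrelated domain, and visible text that points somewhere other than the real target. TRUSTED_DOMAINS and the sample message are assumptions made up for the demonstration.

```python
"""Flag phishing cues in a constructed email: the sender address and every link.

Added example, not part of the original lesson. TRUSTED_DOMAINS and the sample
message are assumptions; replace the domains with the ones you really use.
"""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"school.co.uk", "bank.com"}   # assumption: domains the reader really uses
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for each <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def skeleton(host: str) -> str:
    """Collapse common look-alike tricks (0 for o, 1 for l, rn for m, extra dots)
    so that schoolc0.uk compares equal to school.co.uk."""
    host = host.lower().replace("rn", "m").replace("vv", "w")
    host = host.translate(str.maketrans("0135", "oles"))
    return re.sub(r"[^a-z]", "", host)


def is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def domain_findings(host: str) -> list:
    """Cues that apply to any domain, whether from a link or a sender address."""
    findings = []
    if not host or is_trusted(host):
        return findings
    if IPV4.match(host):
        findings.append("IP address used instead of a domain name")
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if skeleton(host) == skeleton(trusted):
            findings.append(f"look-alike of trusted domain {trusted}")
        elif brand in host:
            findings.append(f"contains the name '{brand}' but is not {trusted}")
    return findings


def check_link(href: str, text: str) -> list:
    findings = []
    target = urlparse(href)
    if target.scheme == "http":
        findings.append("plain http link (no TLS)")
    findings += domain_findings(target.hostname or "")
    # If the visible text itself looks like a URL, it must point at the same host.
    if "." in text and " " not in text:
        shown = urlparse(text if "://" in text else "https://" + text)
        if shown.hostname and shown.hostname != target.hostname:
            findings.append(f"visible text shows {shown.hostname} but the link goes to {target.hostname}")
    return findings


def check_sender(from_header: str) -> list:
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = domain_findings(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in name.lower() and not is_trusted(domain):
            findings.append(f"display name mentions '{brand}' but the address is @{domain}")
    return findings


def analyse(from_header: str, html_body: str) -> dict:
    extractor = LinkExtractor()
    extractor.feed(html_body)
    return {"sender": check_sender(from_header),
            "links": {href: check_link(href, text) for href, text in extractor.links}}


# Constructed phishing message for the demonstration; not a real email.
SAMPLE_FROM = "School IT Support <it-support@schoolc0.uk>"
SAMPLE_HTML = """<p>Your account will be closed. Verify now:
<a href="http://bank-secure-login.com/verify">https://www.bank.com/login</a></p>
<p>Or use the <a href="https://school.co.uk/portal">portal</a>.</p>"""

if __name__ == "__main__":
    for section, result in analyse(SAMPLE_FROM, SAMPLE_HTML).items():
        print(section, result)
```

Run against the sample, the sender is flagged twice (the look‑alike domain and a display name that claims to be the school), the first link is flagged three times and the genuine portal link not at all; the same functions can be used to mark the mock emails in the Section 10 activity.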

5. Data classification – what counts as PID?

  Personally Identifiable Data (PID)
    Definition: any information that can directly identify an individual.
    Examples: name, school email address, home address, phone number, National Insurance number, passport number, biometric data.

  Sensitive Personal Data (“special category” data under the UK GDPR)
    Definition: PID that reveals health, ethnicity, religion, sexual orientation, or criminal record.
    Examples: medical reports, disability statements, religious affiliation.

  Non‑Sensitive Data
    Definition: information that does not identify a specific person or is already public.
    Examples: general school announcements, timetables, public news articles.

Only send PID when it is strictly necessary and always apply the protections described in Section 7.

6. Handling attachments and viewing full email headers

Viewing full headers (Gmail & Outlook)

  1. Gmail

    1. Open the email.
    2. Click the three‑dot menu ► “Show original”.
    3. A new tab displays the full header – copy it for reporting.

  2. Outlook (desktop)

    1. Open the email.
    2. File ► Properties.
    3. In the “Internet headers” box you will see the full header – copy it for reporting.
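Once the full header is visible, the useful parts are the Received chain (one line added by each server, newest at the top), the Return‑Path and Reply‑To addresses, and the Authentication‑Results line in which the receiving server records whether SPF, DKIM and DMARC passed. The script below is an added example, not part of the original lesson: it parses a constructed raw message (documentation IP ranges and .example domains, not a real email) and reports the spoofing cues a reader should look for in those fields.

```python
"""Read the full header of a constructed message and flag spoofing cues.

Added example, not part of the original lesson. RAW_MESSAGE is made up
(203.0.113.0/24 and 198.51.100.0/24 documentation ranges, .example domains).
"""
import email
import email.policy
import re
from email.utils import parseaddr

RAW_MESSAGE = b"""\
Return-Path: <bounce@mailer-bulk.example>
Received: from mail.school.co.uk (mail.school.co.uk [203.0.113.10])
 by mx.school.co.uk with ESMTPS; Mon, 1 Jan 2024 09:00:02 +0000
Received: from unknown (HELO secure-bank-mail.example) (198.51.100.7)
 by mail.school.co.uk with SMTP; Mon, 1 Jan 2024 09:00:00 +0000
Authentication-Results: mx.school.co.uk; spf=fail smtp.mailfrom=mailer-bulk.example;
 dkim=none; dmarc=fail header.from=bank.com
From: "Bank Security" <alerts@bank.com>
Reply-To: verify@secure-bank-mail.example
To: student@school.co.uk
Subject: Urgent: verify your account
Content-Type: text/plain; charset=utf-8

Your account will be closed. Reply with your password to keep it open.
"""


def domain_of(header_value) -> str:
    """Domain part of an address header, or '' when the header is absent."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def header_report(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=email.policy.default)

    # spf=/dkim=/dmarc= results written by the receiving server.
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           str(msg.get("Authentication-Results", ""))))

    # Each server prepends its own Received line, so the top one is the last hop;
    # reverse the list to read the route in the order the message travelled.
    hops = [re.sub(r"\s+", " ", str(h)) for h in reversed(msg.get_all("Received", []))]

    from_dom = domain_of(msg.get("From"))          # what the user sees
    env_dom = domain_of(msg.get("Return-Path"))    # where bounces go (envelope sender)
    reply_dom = domain_of(msg.get("Reply-To"))     # where a reply would actually go

    findings = []
    if env_dom and env_dom != from_dom:
        findings.append(f"envelope sender {env_dom} differs from From domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"replies go to {reply_dom}, not {from_dom}")
    for mech in ("spf", "dkim", "dmarc"):
        if mech in auth and auth[mech] != "pass":
            findings.append(f"{mech}={auth[mech]}")
    if hops and hops[0].startswith("from unknown"):
        findings.append("first hop did not identify itself (no reverse DNS)")

    return {"from": from_dom, "return_path": env_dom, "reply_to": reply_dom,
            "auth": auth, "hops": hops, "findings": findings}


if __name__ == "__main__":
    report = header_report(RAW_MESSAGE)
    for i, hop in enumerate(report["hops"], 1):
        print(f"hop {i}: {hop}")
    for finding in report["findings"]:
        print("!", finding)
```

A genuine message from bank.com would normally show spf=pass and dkim=pass with a Return‑Path in the same domain; the combination of a mismatched envelope sender, a Reply‑To elsewhere and dmarc=fail is what should be pasted into the report to IT staff.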

Secure deletion

  • After you have confirmed the recipient has securely stored or deleted the PID, use the email client’s “Delete permanently” (or “Empty Trash”) function so the message is not left in the mailbox.
  • Be aware of what this does not do: emptying a trash folder or recycle bin does not overwrite the data, and the mail server and its backups may keep copies. On a shared device use a secure‑delete utility for downloaded attachments; the real protection is to send as little PID as possible in the first place.

7. Sending personally identifiable data (PID) safely

Why it matters

Under the UK Data Protection Act 2018 and the UK GDPR, schools must protect PID. Mishandling can lead to identity theft, privacy breaches, disciplinary action, and regulatory fines.

How to protect PID

  1. Encrypt the message or attachment

    • End‑to‑end encrypted email (PGP or S/MIME) – the sender encrypts with the recipient’s public key, so each side needs its own key pair and a trusted copy of the other’s public key before the first message is sent.
    • Or encrypt the attachment (e.g., a ZIP created with AES‑256 in 7‑Zip; the legacy “ZipCrypto” option is weak) using a strong password, and share the password via a different channel (SMS, phone call), never in the same or a follow‑up email.

  2. Use a secure file‑sharing service (OneDrive, Google Drive, ShareFile) with access limited to the intended recipient and an expiry date.
  3. Limit the amount of data – only include what is strictly required; never place PID in the subject line.
  4. Request confirmation and deletion – ask the recipient to acknowledge receipt and delete the email/attachment after use.
  5. Never send images of official documents (passports, driving licences) unless absolutely required and encrypted.
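Rule 3 (limit the data, and never put PID in the subject line) can be enforced before a message leaves the client, because the subject line is never encrypted and is written to the log of every server on the path. The script below is an added example, not school policy or a vendor product: it scans a constructed subject and body for a few UK PID patterns (National Insurance number, mobile number, postcode), blocks any message with PID in the subject, allows PID in the body only when the message is marked as encrypted, and can redact what it finds. The patterns are deliberately simple assumptions and will miss some formats and produce some false positives.

```python
"""Check an outgoing message for PID before it is sent.

Added example, not part of the original lesson. The patterns are assumptions:
approximate UK National Insurance number, UK mobile number and UK postcode.
"""
import re
from typing import Dict, List, Tuple

PATTERNS = {
    # NI number: two letters (HMRC never uses D, F, I, Q, U, V), six digits, suffix A-D.
    "ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
    # UK mobile: 07xxx xxx xxx or +44 7xxx xxx xxx, spaces optional.
    "uk_mobile": re.compile(r"\b(?:\+44\s?7|07)\d{3}\s?\d{3}\s?\d{3}\b"),
    # UK postcode, outward then inward code.
    "postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b"),
}


def find_pid(text: str) -> Dict[str, List[str]]:
    """Map each PID type to the matches found in text (types with no match are omitted)."""
    return {name: pat.findall(text) for name, pat in PATTERNS.items() if pat.search(text)}


def redact(text: str) -> str:
    """Replace every match with a placeholder so the message can still be sent."""
    for name, pat in PATTERNS.items():
        text = pat.sub(f"[{name} removed]", text)
    return text


def check_outgoing(subject: str, body: str, encrypted: bool = False) -> Tuple[bool, List[str]]:
    """Return (ok_to_send, reasons).

    PID in the subject always blocks the message: subject lines are not covered by
    message encryption and are logged by every server on the path. PID in the body
    is allowed only when the message or its attachment is encrypted (Section 7).
    """
    reasons = []
    for kind in find_pid(subject):
        reasons.append(f"subject line contains {kind}; move it into an encrypted body or remove it")
    body_hits = find_pid(body)
    if body_hits and not encrypted:
        reasons.append("body contains " + ", ".join(body_hits) + " but the message is not encrypted")
    return (not reasons), reasons


# Constructed message; the NI number is made up and 07700 900123 is in the Ofcom
# range reserved for fiction, so neither belongs to a real person.
SAMPLE_SUBJECT = "Medical form for Jane Smith, NI AB 12 34 56 C"
SAMPLE_BODY = ("Hi, please call Jane's parent on 07700 900123 and post the "
               "signed form to SW1A 1AA.")

if __name__ == "__main__":
    ok, reasons = check_outgoing(SAMPLE_SUBJECT, SAMPLE_BODY)
    print("send allowed:", ok)
    for reason in reasons:
        print("-", reason)
    print("redacted body:", redact(SAMPLE_BODY))
```

Marking the message as encrypted clears the body finding but not the subject finding, which is the point: the only fix for PID in a subject line is to take it out.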

8. Reporting & incident response

If you suspect a phishing attempt, malware, or accidental disclosure:

  1. Report the email to your teacher/IT staff (include the full header if possible).
  2. Isolate the device – if malware is suspected, disconnect it from the network and stop using the affected account until IT staff have checked it.
  3. Change passwords on the affected account and on any other account that shares the same password, doing so from a device you trust, and enable 2FA if it was not already on.
  4. Follow any additional instructions from the school’s IT team (e.g., run a full anti‑virus scan, reinstall the client).

9. Legal and ethical consequences

  • Data Protection Act 2018 / UK GDPR – breaches can result in enforcement action and fines for the school and disciplinary action for the student.
  • Computer Misuse Act 1990 – unauthorised access, distribution of malware, or deliberate sabotage is a criminal offence.
  • School behaviour policy – unauthorised sharing of personal images may be treated as harassment or bullying.

10. Classroom activity – Phishing‑simulation quiz

Purpose: develop AO3 (analysis & evaluation) skills by recognising real‑world phishing cues.

  1. Prepare a set of 5‑6 mock emails (some genuine, some phishing). Include typical cues: urgent language, mismatched URLs, wrong sender domain, attachment‑only requests.
  2. Students work in pairs to:

    • Identify the email’s authenticity.
    • Explain which clues led to their decision.
    • Suggest the correct response (reply, delete, report).

  3. Discuss answers as a class, highlighting any misconceptions and reinforcing the checklist in Section 11.

11. Email safety checklist for students

  [ ] Verify the sender’s full email address
  [ ] Hover over every link to view the real URL
  [ ] Open attachments only after an anti‑virus scan
  [ ] Use a strong password + 2FA for the email account
  [ ] Ensure TLS (padlock in webmail, SSL/TLS or STARTTLS in the client) is active
  [ ] Encrypt PID or use a secure file‑sharing link
  [ ] Limit PID – never place it in the subject line
  [ ] Ask the recipient to confirm receipt and delete the message
  [ ] View the full email header when in doubt (Gmail/Outlook)
  [ ] Report any suspicious email to teacher/IT staff
  [ ] Securely delete the email after confirmation

12. Summary of threats and mitigation strategies

  Phishing
    Potential impact: loss of login credentials, financial fraud.
    Mitigation: check the sender, hover over links, look for spelling/urgency cues, use 2FA, verify requests via another channel.

  Malware / ransomware attachment
    Potential impact: system infection, data loss, ransom payment.
    Mitigation: scan attachments, avoid executables/macros, keep software updated, use sandbox or safe‑view.

  Spam
    Potential impact: clutter, exposure to scams.
    Mitigation: enable the spam filter, delete unsolicited mail, never reply to unknown senders.

  Spoofing
    Potential impact: deception, unauthorised data disclosure.
    Mitigation: check the full header, verify the domain, confirm via phone or face‑to‑face.

  Business‑email compromise
    Potential impact: unauthorised payments, data theft.
    Mitigation: verify payment/data requests on a separate channel, use digital signatures where possible.

  Sending PID / images
    Potential impact: identity theft, privacy breach, legal penalties.
    Mitigation: encrypt the email or attachment, limit data, use secure file‑sharing, request deletion, avoid PID in the subject line.

Suggested diagram: Flowchart of safe email handling – from receipt, through verification, to safe reply, archive or deletion.