Know and understand minimising the potential danger of using email, including an awareness of the potential dangers of opening or replying to an email from an unknown person and an awareness of the risks associated with sending personal identifiable data.

Safety and Security – Email (IGCSE ICT 0417)

1. Why Email Safety Matters

Email is the main method of communication in schools, homes and workplaces. Misuse can lead to:

  • Loss of privacy or identity theft
  • Financial loss (card‑fraud, ransomware payments)
  • Damage to personal or organisational reputation
  • Legal or disciplinary consequences if personal data is mishandled

2. eSafety Principles & Data‑Protection Legislation (Syllabus 8.2)

Each eSafety practice supports one or more of the five GDPR‑style principles that appear in the syllabus.

| Data‑protection principle | eSafety practice | How it helps |
| --- | --- | --- |
| Lawful processing | Only send personal data when you have a legitimate reason. | Prevents unauthorised collection or distribution of PID. |
| Purpose limitation | Limit the amount of personal data sent; use it only for the stated purpose. | Reduces the chance of data being reused for other, unwanted purposes. |
| Data minimisation | Send the minimum necessary information; redact unnecessary fields. | Less data is exposed if the email is intercepted or forwarded. |
| Accuracy | Check that any personal details you send are correct before sending. | Prevents propagation of incorrect or outdated information. |
| Security | Strong passwords, 2FA, encryption, anti‑malware, regular updates. | Protects data from unauthorised access, interception and corruption. |

3. General Digital‑Safety Practices (All Online Activities)

  • Password hygiene

    • At least 12 characters, mix of upper‑/lower‑case, numbers and symbols.
    • Avoid names, birthdays, “123456”, or repeated characters.
    • Change every 6 months; never reuse on another service.
    • Consider a reputable password manager.

  • Two‑factor authentication (2FA) – a second verification step (authenticator app, hardware token, or SMS code).
  • Anti‑malware / anti‑virus protection

    • Install a reputable security suite; keep definitions up‑to‑date.
    • Run a full scan weekly and a quick scan after any suspicious download.

  • Software updates – enable automatic updates for the OS, web browser and email client.
  • Privacy settings for email clients

    • Disable automatic image loading (stops tracking pixels).
    • Turn off “request read receipt” unless required.
    • Review what personal information the provider stores.

4. Specific Email‑Related Threats (Syllabus 8.3 – Threats to Data)

| Threat | How it works | Typical clue |
| --- | --- | --- |
| Phishing | Fake message pretending to be from a trusted source to steal login details. | Urgent language, mismatched URL, request for passwords. |
| Pharming | Redirects you to a fraudulent website even if you type the correct address. | URL looks correct but contains a subtle misspelling. |
| Smishing | Phishing via SMS that contains a link to a malicious email or site. | Unexpected text claiming to be from a bank or delivery service. |
| Vishing | Voice‑call phishing – the caller asks for personal or banking details. | Caller claims an urgent security problem. |
| Spam | Unsolicited bulk email, often commercial, sometimes containing malware. | Generic greeting, many recipients, “unsubscribe” link. |
| Malware / Ransomware / Spyware | Software that infects your device when an attachment is opened or a link is clicked. | Executable files (.exe, .scr), macro‑enabled Office docs, compressed archives. |
| Card‑fraud / Payment‑fraud | Fake invoices or “payment confirmation” emails that request card details. | Unexpected order, urgent payment request, mismatched sender address. |
| Tracking pixels / read‑receipts | Invisible images that notify the sender when you open the mail. | Image loads from an external server; can be blocked by disabling auto‑images. |
| Social‑engineering (broader category) | Manipulating trust to obtain confidential information – includes phishing, vishing, smishing, etc. | Personalised language, reference to recent events, building a “relationship”. |
| Password interception (key‑logging) | Malicious software records keystrokes to capture usernames and passwords. | Unexpected slowdown, unknown programs running in the background. |

5. Risks of Opening or Replying to an Email from an Unknown Person

  1. Malicious attachments – can install viruses, ransomware or spyware.
  2. Deceptive links – may lead to phishing sites that capture credentials.
  3. Automatic tracking – hidden images or links reveal when you read the message.
  4. Reply‑all storms – accidental mass replies expose your address to many recipients.
  5. Social‑engineering traps – the sender builds trust before asking for personal data.
  6. Pharming via forged URLs – a link looks legitimate but redirects to a fake login page.
  7. Password interception – opening a malicious attachment may install a key‑logger.
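
An added example, not part of the original notes, of how a mail filter could spot risks 1 and 3 above using the clues from Section 4: attachment types that often carry malware, and images loaded from an external server. The sample message, its file names and the function names are constructed for illustration.

```python
import os
from email.message import EmailMessage
from html.parser import HTMLParser

# File types the threat table names as typical malware carriers.
RISKY = {".exe": "executable", ".scr": "executable",
         ".docm": "macro-enabled Office document",
         ".xlsm": "macro-enabled Office document",
         ".zip": "compressed archive", ".7z": "compressed archive"}

def build_sample():
    """Constructed message for this demo; all names and addresses are made up."""
    msg = EmailMessage()
    msg["From"] = "Parcel Service <no-reply@example.com>"
    msg["Subject"] = "Your delivery note"
    msg.set_content("See the attached delivery note.")
    msg.add_alternative(
        '<p>See attached.</p><img src="cid:logo">'
        '<img src="https://track.example.com/o.gif?id=42" width="1" height="1">',
        subtype="html")
    for name, data in [("delivery_note.pdf.exe", b"MZ"), ("timetable.docm", b"PK"),
                       ("homework.pdf", b"%PDF-1.4")]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg

class RemoteImages(HTMLParser):  # collects <img> sources fetched from a server
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        if tag == "img" and src.lower().startswith(("http://", "https://")):
            self.found.append(src)   # cid: images are embedded, so not tracked

def review(msg):
    """Return (item, reason) pairs for risky attachments and external images."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()   # last extension decides the type
        if ext in RISKY:
            findings.append((name, RISKY[ext]))
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        images = RemoteImages()
        images.feed(html.get_content())
        findings += [(src, "external image") for src in images.found]
    return findings
```

Because only the last extension counts, a file named delivery_note.pdf.exe is reported as an executable even though it looks like a PDF at first glance.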

6. Risks of Sending Personal Identifiable Data (PID) or Images via Email

PID includes names, addresses, phone numbers, dates of birth, ID numbers, bank details and photographs that can identify an individual.

  • Unauthorised interception if the email is not encrypted (data can be read in transit).
  • Accidental forwarding to the wrong recipient.
  • Storage on the sender’s or recipient’s mail servers – these may be breached later.
  • Long‑term retention in inboxes and backups, increasing exposure over time.
  • Legal breach of data‑protection legislation if PID is shared without a lawful reason.

7. Legal and Ethical Responsibilities (Syllabus 8.2)

  • Data‑protection legislation (e.g., Data Protection Act, GDPR‑style principles)

    • Lawful processing – you must have a legitimate reason to handle personal data.
    • Purpose limitation – use data only for the purpose it was collected.
    • Data minimisation – collect and send only the information that is strictly necessary.
    • Accuracy – keep data up‑to‑date and correct any errors.
    • Security – protect data with encryption, strong passwords and access controls.

  • Breaching these rules can lead to disciplinary action at school, civil fines for organisations, and loss of trust.

8. Protection of Data (Syllabus 8.3 – Protection of Data)

  • Encryption

    • S/MIME – built into Outlook and many corporate systems; encrypts the whole message and can digitally sign it.
    • PGP / OpenPGP – free tools (e.g., Thunderbird + Enigmail) that use public‑key cryptography.
    • If native encryption is unavailable, use a secure file‑sharing service (Google Drive, OneDrive) with a password‑protected link.

  • Digital certificates – electronic documents that bind a public key to an identity; used by S/MIME and SSL/TLS.
  • SSL / TLS – protocols that encrypt the connection between your email client and the mail server (look for “https://” or a padlock in web‑mail).
  • Firewalls – hardware or software that filters incoming/outgoing traffic, blocking many malware‑related attacks.
  • Two‑factor authentication – already covered in Section 2.
  • Biometric authentication (example) – fingerprint or facial‑recognition login on a device; adds a “something you are” factor.
  • User‑ID / password – the basic “something you know” credential; must be strong and unique.

9. Email Etiquette & Netiquette (Syllabus 10 – Communication)

  • Use a clear, concise subject line that reflects the content.
  • Start with an appropriate greeting (e.g., “Dear Mr Smith,”) and end with a polite sign‑off.
  • Keep the body brief, use short paragraphs and bullet points where appropriate.
  • Check spelling, grammar and tone before sending.
  • Use CC for people who need to be informed; use BCC when you do not want recipients to see each other’s addresses.
  • Never use ALL CAPS – it is interpreted as shouting.
  • Respond within a reasonable time (usually 24 hours for school/work).
  • Respect cultural differences and avoid humour that could be misinterpreted.

10. Audience Awareness & Copyright (Syllabus 9 – Audience)

Why audience matters

  • Identify the recipient(s): teacher, classmate, employer, client, etc.
  • Choose tone and formality accordingly – formal for business/academic, informal for peers.
  • Structure the email to suit the purpose (request, report, invitation, etc.).

Copyright basics

  • Only use images, videos or text that you have created yourself or that are licensed for reuse (e.g., Creative Commons).
  • Give proper attribution when required (author name, source, licence).
  • Do not copy large sections of copyrighted material without permission.

11. File Management – Formats & Compression (Syllabus 11)

  • Common safe formats

    • Documents – .pdf (read‑only), .docx, .xlsx
    • Images – .jpg, .png (avoid .bmp for size)
    • Archives – .zip or .7z (use a strong password if the archive contains PID)

  • Compression – reduce file size before attaching; most operating systems allow right‑click → “Compress”.
  • Folder hierarchy – store received and sent attachments in clearly named folders (e.g., School/2025‑Term‑1/English/Assignments) to avoid losing track of sensitive files.

12. How to Minimise the Potential Danger of Using Email

Apply these steps each time you receive, read, reply to or send an email.

12.1 Verify the Sender

  1. Hover over the displayed name to see the full email address.
  2. Check the domain (e.g., @school.edu vs. @school.co).
  3. If anything looks odd, contact the sender via a known alternative channel (phone, face‑to‑face, a previously verified email address).

12.2 Handle Attachments and Links Safely

  • Do not open unexpected attachments – even from a known sender.
  • Ask the sender to confirm the attachment via a separate message or phone call.
  • Hover over every link; compare the URL shown in the status bar with the claimed destination.
  • Copy the link into a new browser tab (do not click directly) and verify HTTPS and correct spelling.
  • Scan all attachments with anti‑malware before opening.
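
An added example (not part of the original notes) that automates the checks in 12.1 and 12.2: it reads the real sender address behind the display name and compares each link's visible text with its actual target. The message, its addresses and URLs, and the function name check_email are constructed for illustration; school.edu stands for the domain you trust.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real email); every address and URL is made up.
SAMPLE = """\
From: "School IT Helpdesk" <helpdesk@school.co>
To: student@school.edu
Subject: Urgent: confirm your password
Content-Type: text/html; charset="utf-8"

<p>Your mailbox is full. Sign in at
<a href="http://login.example.net/reset">https://portal.school.edu/login</a>
or read the <a href="https://portal.school.edu/help">help page</a>.</p>
"""

class LinkCollector(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_email(raw, trusted_domain):
    """Return warnings about the sender's domain and each link's real target."""
    msg = message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]          # display name + real address
    warnings = []
    if sender.domain.lower() != trusted_domain:
        warnings.append(f"'{sender.display_name}' sends from {sender.domain}, not {trusted_domain}")
    collector = LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())
    for href, text in collector.links:
        target = urlparse(href)
        if target.scheme != "https":
            warnings.append(f"{target.hostname}: link does not use HTTPS")
        looks_like_url = "." in text and " " not in text  # compare URL-like text only
        shown = urlparse(text if "://" in text else "//" + text).hostname
        if looks_like_url and shown != target.hostname:
            warnings.append(f"text shows {shown} but link goes to {target.hostname}")
    return warnings
```

Run on the sample, the function reports the look-alike sender domain, the non-HTTPS link and the link whose text names one site while its target is another.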

12.3 Use Encryption for Sensitive Emails

  • S/MIME or PGP – encrypt the whole message and optionally add a digital signature.
  • SSL/TLS – ensure the web‑mail interface shows a padlock; this protects the connection.
  • If built‑in encryption is unavailable, upload the file to a password‑protected cloud folder and send only the link.
  • Remember: encryption protects data in transit; it does not stop the recipient from forwarding the email.

12.4 Protect Your Privacy Settings

  • Disable automatic image loading (usually under Settings → Privacy or Reading).
  • Turn off “request read receipt” unless required for a specific purpose.
  • Review who can see your profile picture and contact details in the email service.

12.5 Limit the Amount of Personal Data Sent

  • Ask yourself: “Is this name, address, DOB and a photo of my ID really needed?”
  • Redact unnecessary fields with a PDF editor or image‑editing tool.
  • Prefer a protected cloud link to an attachment when large or sensitive files are involved.

12.6 Maintain Account Security

  • Use a strong, unique password for the email account.
  • Enable 2FA (app‑based codes or hardware token).
  • Log out of shared computers and clear browser cache after each session.

12.7 Keep Software & Anti‑Malware Updated

  • Enable automatic updates for the OS, browser and email client.
  • Update anti‑malware definitions daily; run a full scan weekly.

12.8 Regular House‑keeping

  • Delete emails that contain PID or sensitive attachments as soon as they are no longer needed.
  • Empty the “Deleted Items”/“Trash” folder regularly.
  • Archive old, non‑sensitive correspondence in a secure, organised folder structure.

13. Checklist for Safe Email Use

| Action | Why It Is Important | How to Do It |
| --- | --- | --- |
| Check sender address | Prevents impersonation and phishing | Hover over the name, read the full address, verify the domain. |
| Verify attachments | Stops malware infection | Confirm via phone or a separate email; scan with anti‑virus before opening. |
| Hover over links | Detects malicious URLs | Move the cursor over the link; compare displayed URL with the claimed site. |
| Use encryption for PID | Protects data in transit | Enable S/MIME or PGP, or share a password‑protected cloud link. |
| Limit personal data | Reduces exposure if intercepted or forwarded | Send only essential information; redact unnecessary parts. |
| Enable two‑factor authentication | Adds a second security layer | Activate 2FA in the provider’s security settings (app code or hardware key). |
| Keep software & anti‑malware updated | Closes known security vulnerabilities | Turn on automatic updates; run daily definition updates and weekly full scans. |
| Disable automatic image loading | Prevents hidden tracking pixels | Settings → Privacy → “Don’t display external images automatically”. |
| Delete unnecessary emails & empty trash | Reduces data that could be compromised later | Regularly purge the inbox and permanently delete items from the Trash folder. |
| Apply appropriate email etiquette | Ensures clear, professional communication | Use a relevant subject, greeting, concise body, proper sign‑off, correct CC/BCC. |
| Consider audience & copyright | Matches tone to recipient and respects intellectual property | Identify the audience, choose formality, use only licensed images and cite sources. |
| Save attachments in safe formats & compress large files | Facilitates easy opening and reduces risk of size‑related errors | Use .pdf, .jpg/.png, .zip; compress before attaching. |

Suggested diagram: Flowchart of safe email handling – from receiving the message, verifying the sender, checking attachments/links, deciding whether to encrypt, applying etiquette, and finally replying or forwarding.