
I happen to have a very common name.

I own the corresponding gmail account @gmail.com and I regularly receive emails meant for someone else.

Because they very often seem to contain important information, I always reply to let the senders know that the actual recipient of their emails was not who they wanted.

Some months ago, my company asked all employees to follow an online course on security risks.

The course suggests never replying to emails sent by someone we do not know.

It seems reasonable as a policy for a company.

I am wondering if this is something I should do even with my personal account, with the consequence that an honest person will probably not receive important information.

llorrac
Marco Altieri

    What I'd do is to judge whether the sender is an honest person or not, and reply if and only if I am reasonably confident it is so. You can often tell from the email itself (the email address, the language, the contents and the legitimacy of the email's purpose) and also by checking up on the company itself. If this is too much trouble, it would be safer not to reply unless you are 100% sure of not getting malware or scams from anyone at all (a malicious person can easily use a different email than the one they use to test your response to carry out the actual attack). – user21820 Feb 18 '18 at 04:29

1 Answer

There are a number of reasons that replying to an email from someone you don't know may be a bad idea in a business context:

  • In some situations you may see a "from" email address that is spoofed, with a different reply email address. In such a situation you may reply to the "from" email address under some assumption of who they are, when in reality you're talking to someone completely different.
  • If the sender is a spammer, you're revealing that your email address is active.
  • If the sender is gathering intelligence, your email signature may reveal your name, phone number, job title, department name, or other internal details.
  • If the sender is trying to phish you, replying allows them to better tailor their phish and determine if you saw through the pretext.

Ultimately it's down to you to think about the context of the situation when you're replying. Check that the email you're sending is going to the same address the original was from (when you click reply it'll fill the reply-to email in the 'to' field) and think about whether you might be unintentionally revealing information about yourself.

Polynomial

    My question was not clear. It seems reasonable not to reply when using a business account. My question is more about my personal account. – Marco Altieri Feb 17 '18 at 17:46
  • @MarcoAltieri That was my point in the last paragraph. Think about it in the same terms, because the same threats apply. If they're not relevant threats to the specific context, then don't worry about them. – Polynomial Feb 17 '18 at 18:03
  • 1
    Related: I read somewhere about a business that was caught in a fantastic scam by employees "Replying" to seemingly legitimate business-related emails. Somehow this ended up with the company in a new contract with an unintended third party, or something. Wish I could remember where I saw the story. – Lightness Races in Orbit Feb 17 '18 at 22:23
  • 1
    @LightnessRacesinOrbit You can even have something like https://www.knowbe4.com/ceo-fraud – JAB Feb 18 '18 at 05:16
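The check the answer recommends (look at where a reply will actually go before you send it) can be done mechanically by comparing the visible From: address with the Reply-To: address a mail client substitutes into the To: field. The Python below is an added example, not code from the question, the answer, or any project mentioned on the page; the two raw messages it parses are constructed, using reserved example.* domains, and the function and field names are the example's own.

```python
"""Compare where a mail claims to come from with where a reply to it would go.

Mail clients address a reply to Reply-To: when that header is present and to
From: otherwise, so a mismatch between the two is the case the answer warns
about: you reply to "who you think sent it" but talk to someone else.
"""
from email import message_from_string
from email.utils import parseaddr


def _domain(addr: str) -> str:
    """Return the part after the last '@', or '' if the address has none."""
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def reply_target(raw_message: str) -> dict:
    """Parse a raw RFC 5322 message and report From: versus the reply address.

    Returns a dict with the normalised From: address, the address a reply
    would be sent to, and two flags: whether the two differ at all, and
    whether they differ in domain (the stronger signal of a redirected reply).
    """
    msg = message_from_string(raw_message)  # headers come back as plain strings
    _, from_addr = parseaddr(msg.get("From", ""))
    # Reply-To: wins when present; otherwise the client replies to From:.
    _, reply_addr = parseaddr(msg.get("Reply-To") or msg.get("From", ""))
    from_addr, reply_addr = from_addr.lower(), reply_addr.lower()
    return {
        "from": from_addr,
        "reply_to": reply_addr,
        "mismatch": from_addr != reply_addr,
        "cross_domain": _domain(from_addr) != _domain(reply_addr),
    }


def reply_warnings(raw_message: str) -> list:
    """Human-readable warnings to show before letting a reply go out."""
    info = reply_target(raw_message)
    warnings = []
    if info["cross_domain"]:
        warnings.append(
            f"reply would go to {info['reply_to']} (a different domain than "
            f"the From: address {info['from']})"
        )
    elif info["mismatch"]:
        warnings.append(
            f"reply would go to {info['reply_to']}, not to the From: address "
            f"{info['from']}"
        )
    return warnings


# Constructed sample 1: From: and Reply-To: point at different domains.
SAMPLE_REDIRECTED = """\
From: Accounts Payable <accounts@example.com>
Reply-To: accounts-example@mailbox.example.net
To: someone@example.org
Subject: Invoice 4471 overdue

Please confirm the attached invoice.
"""

# Constructed sample 2: no Reply-To:, so a reply goes straight back to From:.
SAMPLE_PLAIN = """\
From: A Friend <friend@example.com>
To: someone@example.org
Subject: Lunch?

Are you free on Thursday?
"""

if __name__ == "__main__":
    for label, sample in (("redirected", SAMPLE_REDIRECTED), ("plain", SAMPLE_PLAIN)):
        print(label, reply_target(sample))
        for w in reply_warnings(sample):
            print("  WARNING:", w)
```

Running the script prints the parsed addresses for both constructed messages and a warning only for the first, where the reply would leave the sender's apparent domain. The same comparison is worth making on the compose window itself, since some clients also let a Mail-Followup-To: or a user-set default override the address; the check above covers only the From:/Reply-To: pair the answer mentions.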