July 21, 2017
Phishing is a serious information security threat, and is used to describe any malicious email that includes a link attempting to lure users to a fake website. If a user clicks the link, they can then be tricked into giving sensitive information, or may have malware downloaded onto their system. For example, the link could take you to a fake site that looks like the University’s Single Sign-On page, or to a fake copy of your bank's website. If you try to log in with your username and password, the cyber criminals can then capture your login credentials which they can use for all kinds of malicious deeds. Phishing emails have become more sophisticated and are designed to look authentic. If you are busy or distracted, a quick glance might lead you to believe it is a legitimate request.
How do I prevent accidental URL clicks in an email?
There are many articles that focus on the steps to take after clicking on phishing link. However, the objective of this article is to provide some proactive options within the Microsoft Outlook desktop email client to prevent users from accidently clicking malicious links included in their email. By default, within Outlook, URLs embedded in email messages will display as a clickable link. Simply disabling clickable links in your email can protect you from malicious phishing threats and ransomware.
Option 1 - Disable Automatic Hyperlinking in Microsoft Outlook
Within the Outlook desktop client
1. Click the File tab in the Ribbon, and then click Options on the menu.
2. Click Mail tab
3. Click Editor Options
4. Click AutoCorrect Options
5. Click AutoFormat tab
6. Uncheck “Internet and network paths with hyperlinks” settings
Option 2: View All Email Messages in Plain Text
Within the Outlook desktop client (Outlook 2010 or later required)
1. Click the File tab in the Ribbon, and then click Options on the menu.
2. Click Trust Center on the Options menu.
3. Click the Trust Center Settings tab.
4. Click Email Security.
5. Under Read as Plain Text, click to select the Read all standard mail in plain text check box.
6. To include messages that are signed with a digital signature, click to select the Read all digitally signed mail in plain text check box.
When the Read all standard mail in plain text option is turned on, you receive the following notification on the InfoBar at the top of the message - "This message was converted to plain text"
Note If you decide to view the plain text message in its original format, click the InfoBar, and then select Display as HTML or Display as Rich Text.
After making either of the above changes, the next time when you receive an email with an embedded URL you will not be able to click the link and open it automatically. Instead, you will need to first analyze whether the link is safe to open, and then copy/paste the URL into your web browser.
As always, please engage the Information Security team if you have security concerns or to report an incident (infosec@uoguelph.ca [1]).
Written by: Manikantan Nair (Network Security Analyst)