Phishing

What is phishing?

A phishing attack is when a criminal sends you an email claiming to be from Fastmail or another company you have a relationship with. The emails are designed to look legitimate, and attempt to get you to divulge your login details or to install malware on your computer.

A common scam for phishing emails claiming to be from Fastmail is to say that you have "pending emails" that have been placed "on hold", or to warn you that your "account will be closed". A link in the email then takes you to a site that looks a lot like the real Fastmail website, but if you try to log in your password is now in the hands of the attacker. (Just as a reminder, Fastmail never places emails on hold and will always deliver emails as soon as possible without any interaction required.)

How to recognise phishing emails

There are a number of traits you can look for to help recognise phishing emails:

Links to login pages. If you click a link in an email and it takes you to a login page, stop! Carefully check that the URL in the address bar of your browser is where you expect to be, even if the page itself looks identical to the normal website. It's unfortunately all too easy for an attacker to duplicate the contents of a site.

For example, if you click a link and it looks like you're at the Fastmail homepage, stop and look at the URL. Does it show the padlock and start with https://www.fastmail.com? If not, you are about to send your password to an attacker, not Fastmail. Just close the window and report the phishing email as spam.

Spelling and bad grammar. Messages from reputable companies, including Fastmail, are carefully checked by copy editors to ensure the message is professional and error-free. Be wary of emails with spelling mistakes or grammatical blunders. Phishing attacks are often written by criminals with a less-than-perfect grasp of the language.

Pending messages or urgent warnings. Beware of urgent warnings (such as "your account will be closed") or "pending messages". If in doubt, contact the supposed sender of the message through another channel to verify its authenticity. You can easily verify legitimate messages from Fastmail; see the next section.

If you do spot a phishing email, you can report it by clicking "More" at the top right in the email, and then "Report Phishing":

If enough users report an email as phishing, that will prevent other users from ever seeing the email.

How do I know an email is really from Fastmail?

All legitimate emails from Fastmail sent on or after 15th October 2014 will have a white tick in a green circle displayed next to the sender's name in both the mailbox list and on the message itself. It will look exactly like this in the mailbox:

The tooltip will say who we have verified the message is from

And like this on the message:

The tooltip will say who we have verified the message is from

Please note that we can only do this in our web interface and our mobile apps; the tick will not appear in other email clients.

If you are using an email client and you're not sure if a message is really from Fastmail, before doing anything else, log in via our web interface and look for the tick on the suspicious message.

What else can I do to stay secure?

Set up two-step verification. Using two-step verification means an attacker can't get into your account using just your password. Unless they also have access to your verification device, they will be locked out.

Use a password manager. A password manager saves your password so you don't have to remember it. This means you can use a different password for every site (password reuse is the second most common way attackers manage to steal credentials to a Fastmail account). The password manager can even generate a complicated password for you so it's completely unguessable. Most importantly, a password manager is never fooled by a site pretending to be Fastmail (or your bank). If the URL (site address) is different, it will not fill the password in. We recommend 1Password, LastPass or KeePass.

Double check the site address before typing your password. Try to get into the habit of always looking at the address bar before you type in your password. If it doesn't start with https://www.fastmail.com/, you're not at Fastmail! Close the browser window immediately.

Check the address bar for the green padlock badge with the text “Fastmail Pty Ltd”. Attackers can make their fake website look like the real one, but they can't fake that green padlock.

Screenshots of the padlock badge in Google Chrome, Mozilla Firefox, Safari, Internet Explorer and Opera.
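The reason a password manager is not fooled by a lookalike site is that it compares the parsed address of the page against the address the password was saved for, rather than judging how the page looks. The following is an added illustration of that check (not Fastmail's code, and not any particular password manager's implementation); the saved entry and the sample page addresses are constructed for the example.

```javascript
// Added illustration of the origin check a password manager performs before
// filling a saved password. Constructed sample entry: the site is the address
// the article tells readers to look for; the credentials are made up.
const SAVED_ENTRY = {
  site: "https://www.fastmail.com/",
  username: "alice@example.test",
  password: "constructed-sample-password"
};

// Parse an address and return its scheme, exact hostname and port,
// or null if the string is not a valid absolute URL at all.
function originOf(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return null;
  }
  return { scheme: url.protocol, host: url.hostname, port: url.port };
}

// Decide whether the saved password may be filled on the current page.
// The comparison is on the parsed hostname, so a page on a different host
// gets nothing no matter how closely it imitates the real site, and a
// plain-http copy of the real address is refused as well.
function shouldFill(entry, currentPageUrl) {
  const expected = originOf(entry.site);
  const actual = originOf(currentPageUrl);
  if (!expected || !actual) return false;
  return actual.scheme === "https:" &&
         actual.host === expected.host &&
         actual.port === expected.port;
}

// Constructed sample page addresses; only the first is the genuine origin.
const SAMPLE_PAGES = [
  "https://www.fastmail.com/login/",
  "https://www.fastmail.com.account-verify.invalid/login/", // lookalike host
  "https://fastmai1.com/login/",                            // typo-domain
  "http://www.fastmail.com/login/",                         // no TLS
  "not a url"
];

// Return the fill decision for each sample page.
function fillDecisions(entry = SAVED_ENTRY, pages = SAMPLE_PAGES) {
  return pages.map(page => ({ page, fill: shouldFill(entry, page) }));
}

console.log(fillDecisions());
```

Only the genuine origin receives the password; every other address, including the one that merely begins with the real hostname, is refused.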

Never reuse your Fastmail password at another service. Your email is the key to your digital life. Almost every web service you use, such as Amazon, Facebook or Twitter, allows you to reset their password by sending a link to your email address. It’s vitally important to keep your email password secure, as it provides access to everything else!

When you reuse your Fastmail password at other sites, you’re making it much easier for attackers to break into your account. Other sites often don’t have the same high security measures as Fastmail, which makes them much easier for criminals to break into. If they get hold of your email address and the same password that you use for Fastmail, the attacker can then access your email account and get into everything else you use online.

Always use a unique password for Fastmail that you don’t use elsewhere.

What happens if I fall for a phishing scam?

If you think you may have given your username and password to a phishing site, the most important thing to do is to change your password immediately. You can check the log of recent logins to see whether the attacker has used the details. If not, you're safe now; just be sure never to reuse the password you gave the attacker. If the attacker has logged in, check the other important sites you use to make sure their passwords have not been reset via your email. If in doubt, change your other passwords as well.

If you fall for a phishing scam and don't realise, in most cases the attacker will soon start using your account to send spam. We will detect this and lock the account. If this happens, when you next try to log in you will get a message telling you that the account is locked. You will have to use our account recovery tool and verify your identity to unlock the account again.