Frequently Asked Questions
The following is an ongoing effort to answer common questions posed by students, faculty and staff of the University. Look below to find answers to common security and privacy questions. If you have questions you'd like us to answer here, please send email to firstname.lastname@example.org.
Is it safe to click on unsubscribe links in unwanted email (aka spam)?
It depends. You are right to be concerned. If the email is from an unscrupulous source, then clicking could confirm that your email address is active and thus get you on more unwanted lists. An unscrupulous email may also direct you to a web page that asks you for more information, or possibly downloads malware to your system.
If you are absolutely sure that the unwanted email is from a legitimate company, then the unsubscribe link should be safe to click on. A legitimate company would be one you've done business with before - signing up for a newsletter, ordering something, giving your e-mail at a charity event. NEVER give any password after clicking on an unsubscribe link. If the site wants you to log in before they'll unsubscribe you, type the address of the site directly into your web browser, and log in from there (Ex: Groupon does this).
The CAN-SPAM Act requires companies to provide an opt-out from receiving future email, so legitimate businesses provide this feature. Note that many businesses use commercial service providers like ConstantContact or MailChimp to send marketing emails on their behalf. Email sent by ConstantContact provides a SafeUnsubscribe link that should also work as intended.
How can I reduce the amount of unsolicited email (aka spam) I receive?
- Investigate the mail filtering options available for your email system and email client. You can create a filtering rule that automatically moves email with a specific sender, subject, or other attributes to a junk folder where you can delete it.
- For your Carnegie Mellon email account in particular, check your spam filter settings to make sure you are filtering and discarding spam as identified by the campus email system. See http://www.cmu.edu/computing/email/cyrus/doc-email/mgmt/spam.html.
- Mark the unwanted email as spam/junk and let your mail client learn what you consider spam.
- Consider unsubscribing. See 'Is it safe to click on unsubscribe links in unwanted email (aka spam)?'
- Be judicious when providing your email addresses on websites, at conferences, or on paper forms. Many times you can select/deselect options that will add you to additional distribution lists. Legitimate entities are more likely to honor your settings than unscrupulous ones.
- Read the fine print or ask questions before providing your email address to understand whether your email address is likely to be shared and what your options are to opt out.
I want to use a QR code in my marketing materials. Is there any guidance?
Short answer: it's not a good idea.
- There are risks to scanning QR codes. QR codes obscure the destination website, preventing visual inspection of the URL for authenticity checking. As a result, some of your audience may choose to not scan the QR code. (See "Are QR codes safe to scan?"). Make sure you have an alternate method of getting information to your audience.
- If you decide to use QR codes, make sure to print your QR code directly on your materials. Don't add a QR code sticker to the materials later because it encourages your audience to perform a riskier scan.
- Don't direct users to a login page. This also encourages your audience to engage in risky online behavior.
Are QR codes safe to scan?
Some of the security risks associated with scanning QR codes are:
- You could be redirected to a fake website for the purpose of collecting your access credentials.
- In an attempt to access promotional information, you may be lured into scanning a malicious QR code found on a website or on a poster at the entrance of a company, college or a shopping mall.
- A vulnerability in the reader app may grant an attacker full control over your smartphone, including contact information, email, text messaging and any piece of information stored or accessed on the smartphone.
To minimize these risks consider the following if you decide to scan a QR code:
- Use a QR code reader app that previews the web address before linking to the site (e.g., Red Laser, Google Goggles and ScanLife).
- Avoid scanning a QR code from a source you don't know.
- Avoid scanning QR codes in the form of stickers. QR code stickers can be posted over a legitimate code, on the wall or on brochures to direct you to a malicious web site.
- Be cautious of a QR code that directs you to a login page. This could be a phishing scam, where you are directed to a fake website designed to harvest your login credentials.
- Install security protection software. A simple Google search will retrieve a list of security protection software and anti-virus software for various smartphones. After installing anti-virus software, update and run it regularly.
- Back up your mobile device data regularly. Backing up your phone's data, including contact information, pictures, videos and other information, ensures the availability of the data in the event of mobile device loss, theft or data loss.
- Avoid storing sensitive information on your smartphone. In particular, university members with access to restricted data should avoid storing and handling restricted data on their mobile devices.
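
The address preview recommended above can be approximated in a few lines. This is an added example, not part of the original FAQ or any particular reader app: it takes the text already decoded from a QR code and reports the real destination host plus warning signs. The function name `preview_qr_payload` and the lists `SHORTENER_HOSTS` and `LOGIN_HINTS` are illustrative assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Illustrative lists (assumptions for this example, not an authoritative set).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}
LOGIN_HINTS = ("login", "signin", "sign-in", "password")


def preview_qr_payload(payload: str) -> dict:
    """Show where a decoded QR payload leads, without opening it."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return {"host": None, "warnings": ["malformed link"]}
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        return {"host": None,
                "warnings": ["not a web link (scheme: %s)" % (scheme or "none")]}

    host = parts.hostname.lower()
    warnings = []
    if scheme == "http":
        warnings.append("unencrypted http link")
    if "@" in parts.netloc:
        # Everything before '@' is user info, not the site being visited.
        warnings.append("text before '@' is not the destination")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host name may imitate another site")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a site name")
    except ValueError:
        pass  # a normal host name, not an IP literal
    if host in SHORTENER_HOSTS:
        warnings.append("link shortener hides the final destination")
    if any(h in (parts.path + "?" + parts.query).lower() for h in LOGIN_HINTS):
        warnings.append("looks like a login page; type the site address yourself")
    return {"host": host, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample payloads, as a QR decoder would return them.
    for sample in ("https://www.cmu.edu/computing/",
                   "http://bit.ly/abc123",
                   "https://www.cmu.edu@example.net/login"):
        result = preview_qr_payload(sample)
        print(sample, "->", result["host"], result["warnings"])
```

The third sample shows why reading the host matters: the link begins with a familiar name, but the site actually contacted is the one after the '@'.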