Phishing

What is phishing?

A phishing attack is when a criminal sends you an email claiming to be from Fastmail or another company you have a relationship with. The emails are designed to look legitimate, and they attempt to trick you into sharing your login details or installing malware on your computer.

A common scam for phishing emails claiming to be from Fastmail is to say that you have "pending emails" that have been placed "on hold", or to warn that your "account will be closed" unless you click a link in the email. The link then takes you to a site that looks a lot like the real Fastmail website, but is not the real Fastmail website. If you try to log in at this link, your password is now known to the attacker. Fastmail never places emails on hold and will always deliver emails as soon as possible without any interaction required.

How to recognize phishing emails

There are a number of traits you can look for to help recognize phishing emails:

Links to login pages. If you click a link in an email and it takes you to a login page, stop! Carefully check that the URL in the address bar of your browser is what you expect it to be, even if the page itself looks identical to the normal website. It is very easy for an attacker to replicate the look and contents of a website.

If you click a link and it looks like you're at the Fastmail homepage, stop and look at the URL. Does it show a padlock and start with https://www.fastmail.com? If not, you are about to send your password to an attacker. Close the tab or window, then report the email as phishing (see the section How do I report phishing emails? for details).

Spelling and bad grammar. Messages from reputable companies, including Fastmail, generally will be carefully checked by copy editors to ensure the message is professional and error-free. Be wary of emails with excessive spelling mistakes or grammatical errors.

Pending messages or urgent warnings. Beware of urgent warnings such as "your account will be closed" or "pending messages". If in doubt, contact the supposed sender of the message through another channel to verify the message's authenticity. (There is an easy way to verify legitimate messages from Fastmail — see the section How do I know an email is really from Fastmail? for details.)

How do I report phishing emails?

If you do spot a phishing email, you can report it in the Fastmail web interface by clicking the More button at the top right of the email, then clicking Report Phishing, as shown below.

Report Phishing menu item highlighted

If enough users report an email as phishing, this will help prevent other users from receiving messages from the attacker.

How do I know an email is really from Fastmail?

All legitimate emails from Fastmail sent after October 15, 2014 will have a white check mark in a green circle displayed next to the sender's name in both the inbox and on the message itself. Note: The green check mark will only display our web interface and our mobile apps. It will not appear in other email clients.

The check mark will look exactly like this in the mailbox:

The green tick visible in the inbox

And like this on the message:

The green tick after opening email

If you are using an email client and you're not sure if a message is really from Fastmail, log in to our web interface and look for the green check mark on the suspicious message.

What else can I do to stay secure?

Set up two-step verification. Using two-step verification means an attacker can't log in to your account using just your password. Unless they also have access to your verification device, they will not be able to access your account.

Use a password manager. A password manager saves your password so you don't have to remember it, which makes it easier to use a different password for every site. This is helpful because password reuse is the second most common way attackers manage to steal credentials to a Fastmail account. The password manager can even generate a complicated password for you so it's completely unguessable. Most importantly, a password manager will not be fooled by a website pretending to be Fastmail or any other site. If the URL is different, it will not fill in the password. We recommend 1Password, LastPass or KeePass.

Double check the site address before typing your password. Try to get into the habit of always looking at the address bar before you type in your password. If it doesn't start with https://www.fastmail.com/, you're not at Fastmail, and you should close the browser window immediately.

Never reuse your Fastmail password at another service. Your email is the key to your digital life. Almost every web service you use, such as Amazon, Facebook, or Twitter, allows you to reset their password by sending a link to your email address. It’s vitally important to keep your email password secure, as it provides access to everything else! Other sites often don’t have the same high security measures as Fastmail, which makes them much easier for criminals to break in to. If they get your email address and the same password that you use for Fastmail, the attacker can then access your email account and get into everything else you use online. Always use a unique password for Fastmail that you don’t use elsewhere.

What happens if I am victim to a phishing scam?

If you think you may have given your username and password to a phishing site, the most important thing to do is change your password immediately. Once this has been done, check your log of recent logins to see if the attacker has used your password to gain access to your account.

If there are no suspicious logins, your account is safe now that you have changed your password. Be sure to never reuse the password you gave the attacker.

If there are suspicious logins showing that the attacker has logged in, changing your password should cut off any access they have to your Fastmail. Be careful to check other important sites you use to make sure they have not had their password reset via email. If in doubt, change your other passwords as well.

If you are victim to a phishing scam without realizing, it is likely that the attacker will start using your account to send spam. In most cases, we will detect this and lock the account. If this happens, the next time you try to log in, you will get a message telling you that the account is locked. You will need to verify your identity using our account recovery tool to unlock the account again.