Cybersecurity 101

3 minute read


An administrator of a large organization that I do some work for recently sent an email trying to find someone who’d made an inappropriate purchase. The email was CC-ed to over 190 people. So I thought I’d write today about some simple things that you can do with respect to email.

Why not send out an email like that?

When an email with lots of people in the CC line (or even in the TO line) goes out, everyone receiving the email can see who was supposed to receive it. The problem with that is that it doesn’t protect the privacy of the people on the list.

In the case that I refer to in the opening, the email was effectively accusing everyone on the list of mis-using funds. In fact, only one person on the list probably misused the funds, but the email effectively accused everyone of it. If, instead, the sender had put all the potential mis-users in the BCC list and just kept the CC and TO lines for people in the administration office looking for the culprit, the email would seem more personal and, perhaps, people might actually check if they are the problem. With so many other people to blame, I suspect the culprit just ignored the rather large email.

The US Cyber and Infrastructure Security Agency (CISA) recommends the use of BCC in such circumstances.

Reply-all bunfights

In addition to the privacy issue, unthinking email users (most of them) have a habit of hitting Reply All instead of just Reply To Sender. As a result, if someone responds to the CC version of the email, everyone in the TO and CC lines will receive the response.

In the BCC case, only those explicitly called out in the TO and CC lines will be responded to. Not the 190+ others who have little to no interest in the response.

Oh, and another pet peeve of mine: when someone sends out an all-points-bulletin email like this do not reply-all with a one word reply :


It is a waste of everyone’s time. And it adds to our carbon footprint (thanks to Vivien Stewart for the link).

It’s not as big an issue now, but it used to be that such a thing would cause computer systems to fall over due to the large amount of email traffic they generated.

What else can you do to make email more secure?

One mechanism that has been used for many years to track people on the web and via email is to insert a “tracking pixel” into an email. The link is to Facebook’s implementation of it, but many people do this.

I used HubSpot for a while. It’s a contact tracking tool used for sales. Whenever you send an email using HubSpot, it inserts a new tracking pixel so that you can tell when someone has read your email.

I’ve stopped using it now, but I still occasionally get notifications that someone has opened an email that I sent them over a year ago!

One way to stop this is to find the setting on your email tool and set the “Automatically download pictures from the internet” option to Never. The MacOS Outlook tool has it, and a screenshot is below.