Deter phishing attacks by consolidating your contacts

If you forward your Web mail messages to your ISP mail account, you can delete all your Gmail, Outlook.com, and Yahoo Mail contacts and rely solely on your ISP account's address book.

Dennis O'Reilly Former CNET contributor

Phishing e-mail with From address spoofed
A phishing e-mail with a familiar name in the From field was actually sent from an unknown address. Screenshot by Dennis O'Reilly/CNET

Once or twice a week a phishing scam eludes my mail services' filters and lands in one of my inboxes. Usually a familiar name appears in the From field and something like "Take a look" or "What do you think of this?" is in the Subject line. In the body of the message is a strange link. (Don't click it!)

In one of the phishing messages I received recently, my sister's name is listed in the From and "Reply to" fields, but when I hover over the name, two unknown addresses appear.
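The hover check described above can be automated. The following is an added example, not part of the original article: it flags a From or Reply-To field whose display name matches a known contact while the address behind it does not, and a Reply-To that diverts replies away from the From address. The address book, names, and addresses are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed address book: normalised display name -> that contact's real addresses.
ADDRESS_BOOK = {"jane example": {"jane@example.net"}}

# Constructed message shaped like the one described above: a familiar name
# in From and Reply-To, with two different unknown addresses behind it.
SPOOFED = (
    "From: Jane Example <x91@mailer.example.org>\n"
    "Reply-To: Jane Example <promo@other.example.com>\n"
    "To: me@isp.example\n"
    "Subject: Take a look\n"
    "\n"
    "http://link.example/abc\n"
)
GENUINE = SPOOFED.replace("x91@mailer.example.org", "jane@example.net").replace(
    "Reply-To: Jane Example <promo@other.example.com>\n", "")

def sender_findings(raw, book):
    """Return (header, display name, address, reason) for each suspicious sender field."""
    msg = message_from_string(raw)
    seen = {}
    findings = []
    for header in ("From", "Reply-To"):
        for name, addr in getaddresses(msg.get_all(header, [])):
            addr = addr.lower()
            seen.setdefault(header, set()).add(addr)
            # Look the display name up case-insensitively, ignoring extra spaces.
            known = book.get(" ".join(name.lower().split()))
            if known is not None and addr not in known:
                findings.append((header, name, addr, "known name, unknown address"))
    # A Reply-To address that is not also a From address diverts replies elsewhere.
    for addr in sorted(seen.get("Reply-To", set()) - seen.get("From", set())):
        findings.append(("Reply-To", "", addr, "replies diverted from From address"))
    return findings

if __name__ == "__main__":
    for finding in sender_findings(SPOOFED, ADDRESS_BOOK):
        print(finding)
```

A display name that is not in the address book produces no finding here, so the check catches impersonation of known contacts, not unknown senders in general.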

A couple of days ago I discovered strange "undeliverable" messages in my inbox and realized some of my Hotmail contacts received phishing e-mails purporting to be from that account. It's an ancient account I use infrequently and rarely send mail from. (I keep it around only to see how the conversion to Outlook.com is going.)

Since this account has no need for a contact list, I deleted the entries by selecting them one after the other and clicking Delete. (Note to Microsoft: Gmail and Yahoo Mail let you select all contacts with a single click.)

Fight phishers by eliminating duplicate contact lists

The contact-list hijacking got me thinking about the best way to prevent a recurrence. Because part of my job is testing e-mail, I have more accounts than I need, including three different Gmail accounts, two Outlook.com accounts (one the former Hotmail account), a Yahoo Mail account, and accounts with two different ISPs.

All the Web mail accounts had contact lists, although I had already deleted the addresses from Hotmail. In an attempt to reduce the overall risk, I ditched the duplicates and consolidated the contacts into a single address book. By removing the contact lists from the Web mail accounts and switching my primary address from Gmail to an ISP address, there would theoretically be only one point of access to the addresses.

In terms of functionality, there's not much difference between Web mail and ISP mail, although there are some trade-offs. For example, my ISP's mail system lacks Gmail's options for managing your inbox and contact list. On the other hand, the ISP mail window is ad-free.

(Some people claim Gmail and other Google services constitute a privacy threat, but most experts consider the risk minimal, especially compared to the privacy threats posed by such industries as banking and health care, not to mention the government.)

To convert the Gmail, Yahoo Mail, and Outlook.com accounts to receive-only, I forwarded their incoming mail to the ISP account. I use the ISP address to reply to most messages and to send new messages, so that's the only account that needs a contact list.

There's no guarantee the ISP account won't be hacked at some time, but reducing the number of occurrences of each contact narrows the target for phishers.

Step one: Export your contacts from the Web mail services
In a post from February 2012, I explained how to clean up contacts in Gmail or Outlook, and then import a single master contact list to an iPad, iPhone, or other address book.

With a little manual finessing, I managed to whittle my Gmail contacts from nearly 600 entries to only 260 contacts. I exported the edited list in all three of the formats Gmail supports: Gmail CSV, Outlook CSV, and vCard. (As a backup, I also exported the complete contact list in all three formats.)

To export your Gmail address book, open Contacts and click More > Export. Select the contacts you want to export, choose a format, and click Export.

Gmail options for exporting contacts
Export your master contact list from Gmail in one of three formats for importing to an ISP or other mail account. Screenshot by Dennis O'Reilly/CNET

To export contacts from Outlook.com, choose the People app and click Manage > Export. A CSV file named "WLMContacts" downloads automatically. Yahoo Mail lets you export your contacts in five different formats: Microsoft Outlook, Netscape/Thunderbird, Yahoo CSV, vCard, and VCF. Select the Contacts tab in the left pane, click Actions > Export all, enter the captcha, and choose an export format.

Step two: Delete your contacts from the Web mail service
You would think removing your contacts would be as easy as selecting all of them and pressing the Delete key. Unfortunately, some contacts don't know when to quit.

When I deleted the contacts from my Hotmail account, I first had to disconnect the Gmail account some of the contacts were associated with. To do so, return to the Mail app, click the gear icon in the top-right corner, and choose "More mail settings." Click "Your e-mail accounts" in the left column, select Details to the right of the account you want to disconnect, and click the Remove button.

Outlook.com connected-account settings
Deleting contacts in Hotmail/Outlook.com may require removing e-mail accounts you've connected to the Hotmail or Outlook.com address. Screenshot by Dennis O'Reilly/CNET

To prevent the names of your Outlook.com/Hotmail correspondents from appearing as you enter text in the To field, you have to change the advanced privacy setting: open your Outlook.com inbox, click the gear icon in the top-right corner, choose "More mail settings," and select "Advanced privacy settings" under Customizing Outlook. Change the option under "Auto-complete suggestions" to "Only suggest people in my contact list."

Outlook.com advanced privacy settings
Set Outlook.com to suggest only people in your contact list. Screenshot by Dennis O'Reilly/CNET

Deleting all the contacts from one of my Gmail accounts required that I first remove the names from my Google+ Circles. With that exception, you can remove Gmail contacts by choosing All in the top-left corner drop-down menu and then clicking More > Delete contacts. In Outlook.com, you have to select each contact manually and then choose Delete at the top of the contact list. To delete Yahoo Mail contacts, click "Select all" under the search box and select Delete.

By default, whenever you send someone a message in Gmail, their name is added to your Other Contacts list so the name will appear subsequently as an auto-complete option when typing an address in a new message. To prevent Gmail from automatically adding the names to your contacts, click the gear icon in the top-right corner of the Gmail window. Under the General tab, scroll to "Create contacts for auto-complete" and select "I'll add contacts myself."

Gmail settings for disabling automatic addition of new contacts
To block Gmail from adding the names of people you communicate with to the Other Contacts list, choose "I'll add contacts myself" in Gmail's settings. Screenshot by Dennis O'Reilly/CNET

Step three: Import the contact list to your ISP mail account
To import your Web mail contact file to your ISP mailbox, open the ISP account's address book and choose the import option. Browse to and select your contact-list file and click Import. Most ISPs support vCard and CSV formats for contact lists.

Contact-import settings for an ISP mail account
Select the contact-list file you exported from your Web mail account and click Import to add the addresses to your ISP mail account. Screenshot by Dennis O'Reilly/CNET

When I imported my Gmail contacts to my ISP mail account, the vCard file converted with fewer errors than when I used the CSV version of the contacts file. Several entries failed to convert on the first try because they lacked an entry in the e-mail field.

Since I only need entries with names and e-mail addresses in my e-mail contact list, I could've done without the contacts that lacked an e-mail address. For testing purposes, I entered bogus addresses in the e-mail field of the Gmail contacts that lacked one and re-exported the list to ensure all the contacts made it into the ISP account's address book.
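The clean-up can also be done on the exported files before importing them. The following is an added example, not part of the original article: it merges several vCard exports into one address book, drops cards that have no EMAIL property (the entries that failed to convert above), and removes duplicate addresses across exports. The contacts and variable names are constructed for illustration.

```python
# Constructed sample exports (not real contacts); Jane's EMAIL line is folded.
GMAIL_VCF = "\n".join([
    "BEGIN:VCARD", "VERSION:3.0", "FN:Jane Example",
    "EMAIL;TYPE=INTERNET:jane@exam", " ple.net",  # folded continuation line
    "END:VCARD",
    "BEGIN:VCARD", "VERSION:3.0", "FN:Bob Phoneonly",
    "TEL;TYPE=CELL:+1-555-0100", "END:VCARD",
])
YAHOO_VCF = ("BEGIN:VCARD\nVERSION:3.0\nFN:Jane E.\nitem1.EMAIL;TYPE=INTERNET:JANE@EXAMPLE.NET\nEND:VCARD\n"
             "BEGIN:VCARD\nVERSION:3.0\nFN:Carol Sample\nEMAIL:carol@example.org\nEND:VCARD\n")

def parse_vcards(text):
    """Yield (full name, [addresses]) for each card in a vCard export."""
    unfolded = []
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += line[1:]  # undo RFC 6350 line folding
        else:
            unfolded.append(line)
    name, emails = "", []
    for line in unfolded:
        head, _, value = line.partition(":")
        # Drop parameters (";TYPE=...") and any group prefix ("item1.").
        prop = head.split(";")[0].split(".")[-1].upper()
        if prop == "BEGIN":
            name, emails = "", []
        elif prop == "FN":
            name = value.strip()
        elif prop == "EMAIL" and value.strip():
            emails.append(value.strip().lower())
        elif prop == "END":
            yield name, emails

def consolidate(*exports):
    """Merge exports into {address: name}; also return names skipped for lacking EMAIL."""
    book, skipped = {}, []
    for text in exports:
        for name, emails in parse_vcards(text):
            if not emails:
                skipped.append(name)
            for addr in emails:
                book.setdefault(addr, name)  # first export wins on duplicates
    return book, skipped

if __name__ == "__main__":
    print(consolidate(GMAIL_VCF, YAHOO_VCF))
```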

In a post from June 2011, I described how to merge your Gmail and iPhone contacts. That seemed like a good idea at the time, but now I keep the two contact lists separate.

I frequently read e-mail on my iPhone, but apart from occasional terse replies, I rarely send messages from the device, so my iPhone contacts don't need to include e-mail addresses. Conversely, I don't make phone calls from my computer, so my e-mail contact list doesn't necessarily have to provide phone numbers. But that's just me.

Step four: Forward messages from the Web mail service to your ISP account
Once you've set your Web mail account to forward new messages to your ISP mailbox, you can receive and respond to the mail without having to sign into the Web mail system separately. You can choose either the ISP account or the Web mail account as the From address when replying.

To forward Gmail messages, go to your inbox, click the gear icon in the top-right corner, and choose Settings. Click Forwarding and POP/IMAP and select "Add a forwarding address" in the Forwarding drop-down menu. Enter the address you want to forward mail to and click Next. A verification e-mail is sent to that account. Click the link in that message to activate mail forwarding.

Return to the Gmail account's Forwarding settings and choose the address you just added in the drop-down box next to "Forward a copy of incoming mail to." Select whether you want to keep forwarded messages in your Gmail inbox or move them to Trash or another folder. Finally, click Save Changes.

Set your Outlook.com account to forward messages by opening the mailbox, selecting the gear icon in the top-right corner, and choosing "More mail settings." Click "Email forwarding" under "Manage your account," choose "Forward your mail to another email account," enter the forwarding address, check the option to remove forwarded messages from your inbox (if you wish), and click Save.

Outlook.com e-mail forwarding options
Forward mail from Outlook.com by adding the forwarding address and clicking Save. Screenshot by Dennis O'Reilly/CNET

Forwarding messages from a Yahoo Mail account requires upgrading to the Plus version of the service, which costs $20 a year.

Step five: Reply to some or all messages with the ISP mail address
When you receive mail in your ISP inbox that has been forwarded from the Web mail account, you can choose which address to use in the From and Reply-to fields when you respond. In fact, you have a choice of addresses to send outgoing messages from: simply select your preferred From address in the field's drop-down menu. (Note that send options vary based on your ISP's mail system.)

"From" options when replying to forwarded mail
Select the address you want to use in the From field when responding to messages forwarded from a Web mail account. Screenshot by Dennis O'Reilly/CNET

Over time the people you correspond with will start using the new address, unless you use the Web mail address when you reply to messages rather than the ISP account name. There's no reason why you couldn't keep replying via the Web mail address and keep the ISP address "private."

Note that the ISP address isn't really hidden from your recipients. When they view the full header of the message it indicates the originating server and e-mail address, along with other source information.

Full header of messages sent from ISP account using a Web mail address in the From field
When you use the forwarded address in replies, the full header of the message indicates the server and e-mail address the message was sent from. Screenshot by Dennis O'Reilly/CNET

In a future post I'll explain the reasons why I'm (slowly) dropping the Gmail account I've been using nearly every day since the service was a private beta.