One’s inbox can be both a wonderful and a terrible place at the same time. Every new email arrives with unlimited potential; like an unexpected birthday package, you don’t know what you’ll receive until you open it. Sometimes you strike up a new friendship, other times you get tricked into deploying ransomware across your company network, drive your organisation out of business, get shunned by every employer hiring in your career field, and die alone in abject misery. At least … that’s what a great many email security companies would have you believe. “Ye only need ta click wrongly once, laddie-buck, and KABOOM! You’ll lose everything! Buy our appliance today or on your head be it, ya poor doomed wretch.”
I’m not entirely on board with that sales pitch. I do appreciate the potential danger associated with an unopened message, as every new email has the potential to be a phishing attack. Interacting with – or, worse, obeying the dictates of – a phishing attack can be financially and/or reputationally ruinous to be sure. But deadly? Probably not. Just because the letters “C” and “4” appear on a standard English keyboard doesn’t mean that sending “C-4” to someone in an email will cause their computer to explode. Phishing is a real threat, but let’s not oversell it.
That being said, unexpected emails from strangers can be delightful and safe, too. Case in point: I mentioned an obscure history book in my last column of January. A few days after my column posted, a representative of the publisher of that obscure history book – Savas Beatie of El Dorado Hills, California – contacted me to discuss some of their other works. They recommended another title, one was aimed precisely at my intersecting interests of military history, technology, and anthropology: Kenneth Rutherford’s 2020 hardback America’s Buried History: Landmines in the Civil War. I was intrigued enough by the rep’s pitch to purchase it on the spot. 
Had this “publisher’s representative” actually been a social engineer preying on my personal vulnerabilities, I likely would have been done for. My family and friends will all corroborate that I have a slight … problem … when it comes to books. Buying them, consuming them, lending them out to friends, writing them, forgetting that I have them and then repurchasing them again, discussing them with friends, etc.  Suggesting an interesting new book to me is far more likely to earn both my enthusiasm and my money than any business offer from a Nigerian Prince.
Still, no harm no foul this time. The publisher was real, the representative was sincere, and the book dust cover synopsis was accurate. My new book showed up in the post and I went about my day. One more interesting book to look forward to … added to a rather intimidating backlog of other interesting new books that I’ve also been looking forward to … some, for years.
Not all surprise emails are so benign, of course. Even the ones that resonate positively with our biases, anxieties, and interests can be harmful. Phishers constantly experiment with ingenious new ways to provoke us into reacting to a strong emotional prompt before we think to examine their message for the tell-tale clues that it’s a dirty, rotten trick. Criminals adore phishing as an attack methodology because it’s darned effective (and is relatively safe for the attacker).
I can’t recall how many classes I’ve taught on phishing defence throughout my career. The number has to be ridiculous by now. That said, there’s one minor aspect of phishing defence that I find many of my students get rather … well … defensive about.
Specifically, there’s a unique aspect of phishing attacks that make them far more dangerous than other types of wire fraud: when phish include an attached malware installer, the untriggered payload in the phish can remain effective for weeks, months, or years after it was delivered (if, that is, the host PC’s anti-virus software didn’t notice it). The unopened phish can lurk in the victim’s inbox, hiding in plain sight. It will stay safe until opened for as long as it takes. Then, one day, the victim finally takes notice of it, opens the message, and detonates the payload. KABOOM!
This is particularly important for people who keep a “messy inbox.” That is to say, people who allow their new messages to pile up, unread, potentially forever. I caught one of my supervisors once with over eight thousand unread messages. This fellow – let’s call him “Bob” – habitually left over half of his new email unread every day. Sometimes it was because he was overwhelmed; other times he ignored messages out of spite. There were bosses and stakeholders that he preferred to interact with face-to-face and rivals that he simply couldn’t stand. Somehow, Bob got away with this cavalier approach to managing his official correspondence for years. 
I found Bob’s approach abhorrent. I process my email at the start of every morning and at the end of every day. I delete the messages of no consequence, file the messages I might need later, and reduce my inbox to only those messages I need to act on. The sight of unread messages irritates me, as there might be some issue or lurking there that I might be required to act on immediately and failing to act in a timely fashion might constitute dereliction of duty.
I appreciate that the “right” approach to inbox management probably lies somewhere between Bob’s apathetic neglect and my obsessive over management. Even then, every company has its own standard for acceptable email conduct, and I don’t intend to take a side in such debates. What I do want to point out is that my approach nearly eliminates the probability of leaving un-exploded malware in my inbox, whereas Bob’s method is practically guaranteed to. It’s ignoring a preventable risk through neglect rather than investing the time required to mitigate it.
This is why I’ve long counselled my students to treat every unread message as a potential phish, no matter how old it might be. I appreciate that this advice will often fall on deaf ears. There are many compelling reasons to treat yesterday’s Internet traffic as inconsequential; “overtaken by events.” No longer of interest. I understand, really.
It’s just that phishing attacks aren’t like whisky: they don’t mellow with age. An unidentified ransomware installer might no longer be able to communicate with its C3 server after it encrypts your hard drive, but it can still encrypt your hard drive! Just like the century long “iron harvest” of World War I ordnance in France and Belgium, un-activated malware can remain a threat for years after it was first deployed. Think about how often you upgrade operating systems …
I implore everyone to take this lingering phishing threat seriously. Old emails are not inherently safe. Some phish payloads might lose their potency over time, but that’s not assured and should never be assumed. Stay vigilant.
That said, please don’t think I’m advising that you simply delete all of your old, unread messages. Even if your organisation doesn’t have a “records retention policy” (which you must obey if one exists), those old message might be crucial later as evidence of orders given, for solving business problems, etc. If you feel compelled to clear old messages out of your inbox to minimize the chances of accidentally opening one by mistake, then file them in an online folder, an offline .PST archive, or something. Don’t indiscriminately massacre content that you haven’t confirmed is safe to delete.
The rule to remember here is that unlike old unread books, no unread email is truly safe until and unless it’s been actively confirmed as safe. Before you delete it, file it, share it, save it, or act on what it says, be sure it’s not a phish. You can only make sure of that by inspecting it.
That’s enough ranting about phishing defence for one day. I’m going to put my laptop away and finish reading Mr. Rutherford Buried History. Unlike its timely subject matter, the book itself can’t possibly hurt me … unless, of course, that giant shelf in my den that I’ve been storing it on finally collapses and drops all of those other hardbacks on my head. Given how many new books I’ve stacked on there since the pandemic started, it wouldn’t surprise me … and I probably deserve it.
 I haven’t finished it yet, but I feel confident recommending it already. It triggers – pun intended – my love of sources, maps, and footnotes.
 I am fairly certain that I have four paperback copies of Walter Jon Williams’ Hardwired stashed around the house. If you haven’t read it, I recommend it as an important piece of cyberpunk genre history. Also, I can spare a copy.
 For other stories of this and other dysfunctional office cultures, I recommend my own book Office Cowboys: Cautionary Tales from the Cubicle Frontier.
Pop Culture Allusion: Curt Johnson and Robert Donner’s Microsoft Minesweeper, a videogame designed to teach multi-button mousing skills that was bundled with the OS/2 and Microsoft Windows 3 operating systems. Click wrong just one time, and you lose the game. Also, it has its own IMDB page.