Most modern email services provide a decent filtering algorithm that sorts out most incoming spam and leaves just the ‘real’ emails in your inbox. It is a comforting thought: no more need to worry about a Nigerian prince soliciting you for money.
With the variety of instant messaging platforms available, we hardly ever use email for casual communication any more. But as the way we use email changed, so did the nature of email threats. Most email communication today is work-related. Integrated web services like Google’s G-Suite, for example, centre all communication within your business around the email account: it is where you receive event notifications, calendar updates and file-sharing invitations. Needless to say, a compromised email account exposes a whole multitude of sensitive business data, and because the mailbox is where password-reset links for other services arrive, it is also a stepping stone to every account registered with that address.
On a personal level, even if you no longer write 1000-word emails to friends or family, your mailbox can reconstruct a story of your movements (airline tickets and travel plans), purchasing habits (shipment notifications and promotional offers), professional life (job applications and work schedule) and everyday interests (newsletter subscriptions): information you do not want to expose to strangers.
Although plenty of digital dangers lie outside your email account, taking the necessary precautions there is important for protecting your personal or business data. Email remains one of the most common entry points for attackers seeking your login credentials, other personal data or a foothold in the entire network.
Phishing attacks are based on social engineering: a well-written phishing email can slip past spam filters and persuade you to click a link or open an attachment that delivers malware. Poorly written phishing emails usually have bad grammar, misspellings, multiple exclamation marks and clumsy attempts to impersonate an important person or organisation that is allegedly trying to get in touch with you. Professionally written spear-phishing emails (emails targeting one person specifically) usually contain information related to the target’s interests, prompting them to click a link to an article, a video or a document that actually leads to a malware download or to a page that harvests their credentials. Before clicking, hover over the link (or long-press it on a phone) and compare the real destination with the text displayed; in a phishing email the two frequently differ.
Besides learning to recognise phishing emails and not falling for them, there are proactive measures every responsible person should take for the sake of their data.
Send emails over a secure encrypted network
Good VPN services are not necessarily free, but they encrypt all traffic between your device and the VPN provider, hiding it from the local network operator and your ISP. Note what a VPN does not do: the VPN provider itself can see your traffic, and once it leaves the VPN your email travels to and from the mail server exactly as before (most mail providers already protect that leg with TLS). If you handle sensitive information in your correspondence and want to make sure it is readable only by the recipient, end-to-end encryption with PGP (or S/MIME) is the right tool. Bear in mind that PGP encrypts the message body and attachments but not the headers, so the subject line and the sender and recipient addresses remain visible to the mail providers along the way.
Use disposable email addresses to register on platforms where email is not essential to the service
Most public WiFi networks require you to register with your email address and often send you a link to confirm the registration before you are allowed online. The most innocent reason for this practice is that they want to send you newsletters later. In some countries, however, public network providers are required to collect user data, for example on behalf of the security services. If you are reluctant to give your email address to your local Starbucks, services like MailDrop let you create an instant disposable mailbox for registering on networks and websites that require a one-off email confirmation. Use such mailboxes only for throwaway registrations: they are typically unauthenticated, so anyone who guesses or learns the address can read what arrives, and anything you might ever need to recover (password resets, receipts, account notices) belongs with a real account you control.
Use strong email passwords and two-factor authentication
A password that is not ‘password’ or ‘123456’ is a start, but you can do better. One of the most secure ways to create a strong password is the Diceware method: you roll dice to pick words at random from a list of 7776 words (one for each possible outcome of five dice) and string several of them together. Each word adds roughly 12.9 bits of entropy, so a six-word passphrase carries about 77 bits, comfortably more than a typical eight-character mix of uppercase, lowercase, digits and symbols (around 52 bits), and it is far easier for a human to remember and far harder for a computer to guess. The passphrase must be generated randomly, though: words you pick yourself are predictable. Two-factor authentication is an additional level of protection for your email: if your password does get exposed, a login attempt still has to pass a second step. A text message is the most common second factor but also the weakest, since it can be intercepted or redirected by SIM swapping; an authenticator app or a hardware security key is the better choice where the provider offers one.
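The Diceware arithmetic above, as an added example (not code from the original article): it maps a five-dice roll to the index on a printed Diceware list, generates a passphrase using the operating system’s cryptographic random source, and compares the entropy of a six-word passphrase with that of an eight-character ‘complex’ password. The word list here is a short constructed stand-in for a real 7776-word Diceware list, and the guessing rate used for the time estimate is an assumed figure, not a measurement.

```python
import math
import secrets

DICE_SIDES = 6
DICE_PER_WORD = 5
DICEWARE_LIST_SIZE = DICE_SIDES ** DICE_PER_WORD  # 7776 entries on a real Diceware list

# Constructed stand-in for a genuine Diceware word list (which has 7776 entries,
# one per five-dice outcome 11111..66666). The entropy arithmetic below takes the
# real list size as a parameter, so the short list only serves the demo.
SAMPLE_WORDS = [
    "acorn", "bishop", "cactus", "drift", "ember", "fable", "gravel", "hollow",
    "ivory", "jigsaw", "kettle", "lumber", "marble", "nectar", "orbit", "pepper",
    "quartz", "ripple", "saddle", "timber", "umpire", "velvet", "walnut", "yodel",
]


def roll_dice(count):
    """Roll `count` fair dice using the OS CSPRNG (secrets), never random.random()."""
    return [secrets.randbelow(DICE_SIDES) + 1 for _ in range(count)]


def rolls_to_index(rolls):
    """Map one Diceware roll such as [1, 1, 1, 1, 2] to a 0-based list index.

    A printed Diceware list is keyed by the five dice read as one number, so the
    roll is interpreted as base-6 digits: 11111 -> 0 and 66666 -> 7775.
    """
    if len(rolls) != DICE_PER_WORD:
        raise ValueError(f"a Diceware word needs {DICE_PER_WORD} dice, got {len(rolls)}")
    index = 0
    for face in rolls:
        if not 1 <= face <= DICE_SIDES:
            raise ValueError(f"invalid die face {face}")
        index = index * DICE_SIDES + (face - 1)
    return index


def diceware_passphrase(wordlist, n_words=6):
    """Pick n_words uniformly and independently from wordlist, joined by spaces.

    With a genuine 7776-word list this is equivalent to rolling five dice per
    word; secrets.choice gives the same uniform selection for any list size.
    """
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(choices_per_symbol, n_symbols):
    """Entropy of n_symbols chosen uniformly and independently from choices_per_symbol."""
    return n_symbols * math.log2(choices_per_symbol)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Years needed to try every possibility at an assumed offline guessing rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    roll = roll_dice(DICE_PER_WORD)
    print("roll", roll, "-> list index", rolls_to_index(roll))
    print("sample passphrase:", diceware_passphrase(SAMPLE_WORDS))

    passphrase_bits = entropy_bits(DICEWARE_LIST_SIZE, 6)          # ~77.5 bits
    password_bits = entropy_bits(94, 8)                             # ~52.4 bits, 94 printable ASCII chars
    print(f"6 Diceware words: {passphrase_bits:.1f} bits, "
          f"{years_to_exhaust(passphrase_bits):.0f} years at 1e10 guesses/s (assumed rate)")
    print(f"8 mixed chars:    {password_bits:.1f} bits, "
          f"{years_to_exhaust(password_bits):.2f} years at 1e10 guesses/s (assumed rate)")
```

The comparison only holds if the words really are chosen at random; `secrets` (or physical dice) supplies that, whereas a list of favourite words does not, however long it is.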
Check whether your email address and the login credentials linked to it have been exposed in a data breach
Every now and then a major company gets hacked and reports the loss of thousands or even millions of user accounts, which eventually wash up online in open access or on the dark web. In 2013 this happened to Yahoo, and the company is still paying for its failure to disclose a breach in which three billion accounts were compromised. As a user, the best you can do is to give your email account a password you use nowhere else, change it as soon as a breach involving that provider or that password is reported, and check whether your address has appeared in a known breach (you can do this, for example, on haveibeenpwned.com, which also lets you check whether a particular password has turned up in leaked password lists).
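The password check on haveibeenpwned.com is worth understanding, because it shows how to test a secret against a breach corpus without handing the secret over. The Pwned Passwords range API takes only the first five hex characters of the password’s SHA-1 hash and returns every known hash suffix that shares that prefix; the comparison happens on your own machine. The code below is an added example (not from the original article or from Have I Been Pwned): the offline part runs against a constructed range response whose occurrence counts are made up, and `fetch_range` is the optional live lookup against the real endpoint.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password):
    """Pwned Passwords is keyed by upper-case hex SHA-1 of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """Return (prefix, suffix).

    Only the 5-character prefix is ever sent to the service (k-anonymity: it
    identifies a bucket of hashes, not a password); the 35-character suffix
    stays on this machine and is matched locally.
    """
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse the 'SUFFIX:COUNT' lines a range query returns into {suffix: count}."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count_from_response(password, response_text):
    """How often the password appears in the corpus, given the response for its prefix.

    Returns 0 when the suffix is absent, i.e. the password is not in the corpus.
    """
    _, suffix = split_hash(password)
    return parse_range_response(response_text).get(suffix, 0)


def fetch_range(prefix, timeout=10):
    """Live lookup (needs network). Nothing but the 5-character prefix leaves the machine."""
    request = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "pwned-range-example"},
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.read().decode("utf-8")


def breach_count(password):
    """End-to-end online check: split the hash, query the bucket, match locally."""
    prefix, _ = split_hash(password)
    return breach_count_from_response(password, fetch_range(prefix))


# Constructed sample of a range response for prefix 5BAA6 (the prefix of
# SHA-1("password")). The first two suffixes and all counts are invented; the
# third suffix is the real remainder of SHA-1("password").
CONSTRUCTED_RESPONSE = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "012C192B2F16F82EA0EB9EF18D9D539B0DD:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
)

if __name__ == "__main__":
    prefix, suffix = split_hash("password")
    print(f"sent to service: {prefix}   kept local: {suffix}")
    print("'password' seen", breach_count_from_response("password", CONSTRUCTED_RESPONSE), "times (constructed data)")
    # Uncomment for a live query against the real endpoint:
    # print(breach_count("password"))
```

A non-zero count means the password has already been cracked or leaked somewhere and should be treated as public, regardless of how strong it looks; a count of zero says only that it is not in the corpus yet.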
As a general rule, do not react to messages from your bank, insurance company, Microsoft or Apple urging you to take immediate action and provide your login credentials or other personal data by email; a genuine provider will not ask for your password in an email, and if in doubt you can open the service yourself rather than through the link you were sent. As much as we would like to believe that we are too smart to fall for an email scam, vigilance is the only universal advice that will keep your email secure.