If you’re reading this chances are you probably have an email address (how else would you subscribe to this publication?). In this guide, we’ll teach you everything you need to know about keeping your email safe and secure. We will cover the basics as well as some advanced rules to follow whenever you’re setting up and using your email service.
Introduction:
Your email is the center of all your activities, which is known in cybersecurity as a single point of failure (SPOF), meaning if your email is compromised, a hacker can more easily access all of the other accounts tied to it. As most online services usually require an email to use or to sign up to, and since a staggering 83% of users use the same password for multiple sites (please stop), your digital life becomes so much harder to manage once a data breach occurs (which will eventually happen).
Moreover, over 75% of targeted cyberattacks start with an email, which is why it is crucial to practice good email security and hygiene: think of your email as a fortress and follow the tips outlined in this article. So, let’s start from scratch, shall we? Here are 10 steps to build your mighty email fortress.
Step 1: Lay the Foundation
Before even thinking of a cool email handle, like mostSecureMail@yahoo.com, you should start laying a good foundation by choosing a privacy-conscious email provider (and no, I’m not talking about Gmail), as privacy and security often go hand in hand.
Here’s a list of basic things to look for when choosing an email provider:
End-to-End Encryption: Ensure that the email provider offers strong end-to-end encryption. This means that only the sender and recipient can decrypt and read the messages.
Zero-access encryption: Make sure that emails are encrypted when they are at rest, i.e. while stored on the email provider’s servers. This ensures that even if a malicious party gains access to the company’s systems, they can’t read any of the content of your emails. It also ensures that the company can’t use your emails for marketing purposes by scanning their content, sending it to third parties, and/or using it to deliver targeted ads.
Two-Factor Authentication (2FA): Look for email providers that support 2FA. This adds an extra layer of security by requiring you to provide a second verification method, such as a code sent to your mobile device, in addition to your password when logging in.
Open Source: Some email providers are open source, meaning their code is available for public inspection. This transparency can help verify their security practices and reduce the risk of hidden vulnerabilities.
Privacy Policies: Carefully review the provider's privacy policy to understand how they handle your data. Look for providers with strict policies that respect user privacy and don't engage in excessive data collection or tracking.
Security Features: Assess the email provider's security features, such as spam and malware filters, and their effectiveness in reducing the risk of phishing attacks.
Ideology and goals: Search for companies that are committed to keeping your information safe, value their customers, and make it a priority to regularly improve their systems while staying updated on the latest cyber trends.
Step 2: Secure the Premises
After choosing a reputable email provider and a funny email handle, it’s time to secure your account by choosing a strong password. In our earlier posts, we talked about making strong and secure passwords. If you want to check them out, here they are:
If you don’t have that kind of time, here are some of the basic things to implement in a strong password:
Never use the same password twice.
Use random combinations of letters, numbers, and symbols that are not related to your personal information.
Use a combination of letters, numbers, and special characters that have no obvious connections or similarities.
Aim for at least 12 characters when creating a new password.
Don’t use common substitutions (like r3l!v3 instead of relive).
Save — and preferably create — these passwords in a good password manager; more on that in this post:
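The rules above can be checked mechanically. The following is an added example, not code from the original post: it undoes the common "leet" substitutions that password-cracking tools already try (so r3l!v3 is treated as "relive"), drops trailing digits or symbols the way cracking rules do, and applies the 12-character minimum. The substitution table and the word list are constructed stand-ins for this demo; a real check would compare against a breached-password list.

```python
# Added example (not from the original post): why common substitutions
# don't rescue a dictionary word.  SUBSTITUTIONS and COMMON_WORDS are
# constructed stand-ins; real cracking rule sets and wordlists are far larger.
import re

# Substitutions that every cracking rule set tries automatically.
SUBSTITUTIONS = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l", "+": "t",
}

# Constructed stand-in for a dictionary / breached-password list.
COMMON_WORDS = {"relive", "password", "welcome", "summer", "letmein", "dragon"}

MIN_LENGTH = 12  # the post's recommendation


def candidates(password: str) -> set[str]:
    """Plain-word forms a cracker would derive from the password:
    substitutions undone, trailing digits/symbols dropped, or both."""
    def unsub(s: str) -> str:
        return "".join(SUBSTITUTIONS.get(ch, ch) for ch in s)

    def strip_tail(s: str) -> str:
        return re.sub(r"[^a-z]+$", "", s)

    lowered = password.lower()
    return {unsub(lowered), unsub(strip_tail(lowered)), strip_tail(unsub(lowered))}


def assess_password(password: str) -> list[str]:
    """Return the rules the password breaks; an empty list means none fired."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    hits = sorted(c for c in candidates(password) if c in COMMON_WORDS)
    if hits:
        problems.append(f"is a common word with substitutions ({hits[0]!r})")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(1 for pat in classes if re.search(pat, password)) < 3:
        problems.append("uses fewer than three character classes")
    return problems


if __name__ == "__main__":
    for pw in ("r3l!v3", "P@ssw0rd!", "relive2023", "xK9#mQ2vLp7!wZ"):
        print(f"{pw!r}: {assess_password(pw) or 'no rule fired'}")
```

The point of `candidates` is that a cracker does not need to guess your exact substitution scheme; it simply tries the handful of common ones in every order, so the "clever" spelling adds almost nothing to the search space.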
Step 3: Dig a Moat
If your fortress is in the middle of a wide, open area, it becomes easier for enemies to move their ground troops and get into your valuable castle because they have multiple ways to get in. This is where changing your privacy and security settings comes in.
Block Email Tracking: Privacy-respecting providers might offer an option to block email trackers[1]. Make sure to enable that option.
Disable Automatically Loading Images: Disabling auto-loading of images in your email helps protect your privacy by stopping tracking, reducing spam, and preventing malware: pixel trackers[2] can be (and are) sent in emails, images are sometimes used to deliver spam, and malware can be embedded in images. You can manually load trusted images when needed.
Enable Security Logs: Security-conscious email providers might offer security logs that keep track of all (successful and failed) attempts to access your email service. Keep that feature on to track any suspicious activities and unauthorized access to your email account. If you notice any suspicious activity, take immediate action, such as changing your password and reporting the incident to your email provider's support team.
Enable Account Activity Notifications: Some email providers offer notifications for unusual account activity. Enable these notifications to be alerted to any suspicious login attempts.
Disable Telemetry and Data Logging: Disable telemetry and data logging from your email provider’s settings if available.
Step 4: Construct a Drawbridge
You can't have a fortress without a drawbridge; that wouldn't look half as cool.
Two-Factor Authentication (2FA) operates as the first line of defense against unauthorized entry. It acts like a drawbridge, ensuring that the person who's entering really needs to be there.
2FA requires two separate and distinct authentication factors before granting access. These factors fall into three categories (more on that in a dedicated future post):
Something you know
Something you have
Something you are
Make sure to set up 2FA in your email as well as in your other accounts, to greatly enhance your digital protection.
Step 5: Exclusively Grant Access to Trusted Personnel
Just as you wouldn't let anyone into a castle without checking, you shouldn't hand out your email to anyone who comes knocking. You don’t need to give your email to that health website so you can read the full article on why peanut butter is bad for you (is it really?). That’s what email aliasing[3] is for! (will be covered in-depth in later posts)
Services like SimpleLogin or tempMail.org make that process easier than ever: you can set up aliases in a few clicks!
Carelessly giving out your email address has a number of drawbacks, most notably:
Spam and Unsolicited Emails: When you share your email address, it may end up on mailing lists that send you spam and unsolicited promotional emails. This can clutter your inbox and make it harder to find important messages.
Data Breaches: If the organization or service you provided your email address to experiences a data breach, your email address and associated data may be exposed to hackers. This can lead to further security risks.
Privacy Invasion: Your email address can be used to track your online activity and preferences. Advertisers and data brokers may use this information to send you targeted advertisements or sell your data to third parties.
Email Account Compromise: As already mentioned, if you use the same email address and password for multiple accounts, a breach of one account could lead to the compromise of others. This is especially concerning if you use your email for password recovery for other services.
Increases Susceptibility to Malware: Giving out your email might make you more susceptible to malware, if that email ends up on some hacker’s list.
Step 6: Assemble Guards and Watchmen
Once you’ve set up exclusive access to your fortress, you will need a good and trusted security team to make sure the premises are clear from bad actors that try to infiltrate your castle. These bad actors include:
Phishing: Email security threat involving deceptive messages, in which hackers try to pose as a legitimate company or person in order to steal sensitive information.
Malware: Email security threat delivering malicious software via email such as in attachments or links.
Spam: Unwanted and often harmful email content inundating inboxes.
Spoofing: Forging sender information to deceive recipients.
and many more…
Falling victim to an email scam can have significant consequences. You might lose your money, mess up your credit, or damage your financial reputation. Plus, your personal info, like your identity, could get stolen. These scams usually trick you into giving away your private info, and once the scammers have it, they can use it for various illicit purposes, such as unauthorized access to your accounts, making unauthorized transactions, or engaging in identity theft, which can lead to long-term financial and personal hardships.
Step 7: Train your Guards and Watchmen
The value of a workforce lies in their training; untrained manpower is ineffective. Make sure to specifically train yourself and your guards to spot suspicious emails. You should be paying attention to things like:
Check the sender's email address:
Examine the sender's email address carefully. Hackers often use email addresses that mimic legitimate ones but may contain subtle misspellings or additional characters.
Be wary of generic email addresses or free email hosting services, as legitimate organizations usually use their domain-specific email addresses.
Example:
Legitimate email: support@yourbank.com
Hacker’s email: support@yourbank-login.com
Look for spelling and grammatical errors:
Phishing emails often contain spelling mistakes, grammatical errors, or awkward language. Legitimate organizations usually have professional communication standards.
Example:
Phishing email: "Dear customeer, your acount has been suspentend. Please click here to reslove the issue."
Legitimate email: "Dear customer, your account has been suspended. Please click here to resolve the issue."
Too Good to Be True
If an email offers something that seems too good to be true, such as free software, exclusive offers, or lottery winnings, it's likely a scam or a malware lure.
Beware of urgent or threatening language:
Phishers often use scare tactics to pressure recipients into taking immediate action, such as claiming your account will be suspended or legal action will be taken unless you act quickly.
Legitimate organizations typically provide information in a more professional and less threatening manner.
Example:
Phishing email: "URGENT: Your PayPal account will be permanently locked unless you verify your information within 24 hours!"
Legitimate email: "Please review your recent PayPal transactions for accuracy."
Verify the request:
Contact the organization directly using their official contact information to confirm the email's authenticity if you receive a suspicious request, such as providing personal information, login credentials, or financial details. DO NOT use the link, phone number, or email address provided in the email, as these could be used to trick you into talking to the hackers instead of your real bank. Always use an external resource like a business card to acquire an organization’s information before calling or messaging them.
Enable spam filters:
Utilize your email provider's built-in spam filters to automatically detect and move phishing emails to your spam folder.
Report any spam emails that you may find in your inbox to your email provider so that they can better help you and the others around you protect themselves from spam.
Check for mismatched URLs:
Hover over links in the email without clicking on them to see the actual destination URL in the status bar or pop-up tooltip. Ensure that it matches the legitimate website of the organization acquired from an external source.
Never click on a link in an email before being 100% sure the link is safe and leads to the intended source.
Example:
Phishing email link: https://www.yourbank-login.com (not the legitimate bank's URL)
Legitimate link: https://www.yourbank.com
Be cautious of unsolicited attachments:
A hacker’s email may contain malicious attachments. Avoid downloading or opening any attachments from unknown or untrusted sources.
Watch out for email headers:
Check the email's headers for inconsistencies or signs of spoofing. Some email clients allow you to view the email's raw source to inspect headers.
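Several of the checks in this step (sender domain, mismatched URLs, headers) and the tracking-pixel point from Step 3 can be automated. The following is an added example, not code from the original post: using only the Python standard library it reads a raw message, flags a From: domain that is not the expected one, a Return-Path that does not match From:, SPF/DKIM results other than "pass" in the Authentication-Results header, links whose real host differs from the organisation's domain even when the visible text looks right, and 1x1 tracking pixels. The two sample messages, the domains and the addresses are all constructed for the demo (the phishing one is modelled on the post's yourbank-login.com example), and `registrable` is a deliberate simplification that ignores multi-label public suffixes such as co.uk.

```python
# Added example (not from the original post): automated red-flag checks on a
# raw email.  PHISH, LEGIT and every domain in them are constructed samples.
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_DOMAIN = "yourbank.com"  # what the reader knows the real bank uses

PHISH = """\
Return-Path: <bounce@cheap-mailer.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=cheap-mailer.example; dkim=none
From: "YourBank Support" <support@yourbank-login.com>
To: victim@example.net
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<html><body><p>Dear customeer, click
<a href="https://www.yourbank-login.com/verify">https://www.yourbank.com/secure</a> now.</p>
<img src="https://track.yourbank-login.com/open.gif?id=123" width="1" height="1">
</body></html>
"""

LEGIT = """\
Return-Path: <bounce@yourbank.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=yourbank.com; dkim=pass header.d=yourbank.com
From: "YourBank" <support@yourbank.com>
To: customer@example.net
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Please review your recent transactions at
<a href="https://www.yourbank.com/statements">the statements page</a>.</p></body></html>
"""


def registrable(host: str) -> str:
    """Last two labels of a hostname: mail.yourbank.com -> yourbank.com (simplified)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def domain_of(header_value: str) -> str:
    """Registrable domain of the address in a From:/Return-Path: header value."""
    return registrable(parseaddr(header_value)[1].rpartition("@")[2])


class _HtmlCollector(HTMLParser):
    """Collects (href, visible text) for each <a> and the attributes of each <img>."""
    def __init__(self):
        super().__init__()
        self.links, self.images, self._href, self._text = [], [], None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img":
            self.images.append(a)

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw: str, expected_domain: str = EXPECTED_DOMAIN) -> list[str]:
    """Return human-readable red flags for a raw message; empty list = none found."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    from_dom = domain_of(str(msg["From"] or ""))
    if from_dom != expected_domain:
        flags.append(f"From domain {from_dom!r} is not {expected_domain!r}")
    rp_dom = domain_of(str(msg["Return-Path"] or ""))
    if rp_dom and rp_dom != from_dom:
        flags.append(f"Return-Path domain {rp_dom!r} differs from From domain")
    auth = str(msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            flags.append(f"{mech.upper()} result is {m.group(1)!r}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        html = _HtmlCollector()
        html.feed(body.get_content())
        for href, text in html.links:  # real destination vs. what the reader sees
            host = registrable(urlparse(href).hostname or "")
            if host != expected_domain:
                flags.append(f"link goes to {host!r} (shown as {text!r})")
        for img in html.images:  # 1x1 images exist only to report that you opened the mail
            if img.get("width") == "1" and img.get("height") == "1":
                flags.append(f"1x1 tracking pixel from {urlparse(img.get('src', '')).hostname}")
    return flags


if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(name, analyse(sample) or ["no red flags"])
```

Note that the Authentication-Results header is only trustworthy when it was added by your own provider's receiving server; many clients expose it under "show original" or "view source", which is the raw-header view the step above refers to.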
Antivirus Software
Keep your antivirus software up-to-date. It can help detect and quarantine malware emails and attachments.
Step 8: Remove Distractions
Distractions, like tiny cracks in a castle's walls, may seem insignificant at first, but when left unchecked, they can crumble the strongest kingdom from within.
Here are some tips for reducing distractions and spam in your inbox:
Use a Disposable Email Address: Consider using a disposable, aliased or secondary email address for online sign-ups, newsletters, and other non-essential communications. This way, your primary inbox remains relatively spam-free.
Enable Spam Filters: Most email providers offer spam filters that automatically move suspected spam to a separate folder. Ensure that your spam filter is enabled and periodically check the spam folder to ensure no legitimate emails were mistakenly classified as spam.
Be Cautious with Email Subscriptions: Be selective when subscribing to newsletters or online services. Only subscribe to reputable sources and review privacy policies to understand how your email address will be used.
Avoid Publicly Sharing Your Email Address: Avoid sharing your email address on public forums, social media profiles, or websites. Spammers often scrape the web for email addresses.
Unsubscribe from Unwanted Emails: If you receive emails from legitimate sources that you no longer wish to receive, use the unsubscribe link typically found at the bottom of the email. Be cautious when unsubscribing from unknown or suspicious sources, as it may confirm your email's validity to spammers.
Avoid Opening Suspicious Emails: Don't open emails from unknown senders or emails that look suspicious. Opening spam emails can sometimes confirm to spammers that your address is active.
Regularly Update Your Email Software: Ensure that your email software and operating system are up to date, as updates often include security enhancements that can help combat spam.
Step 9: Guard Your Secrets
Email was never meant to be a mass communication tool. It was created by Ray Tomlinson in the early 1970s to send messages between users on the ARPANET, an early precursor to the internet, primarily for local communication. This means that email is inherently insecure and should not be used for any sensitive communication. Do not share anything via email that you wouldn’t consider public knowledge.
For more advanced users, you can set up PGP[4] to encrypt emails yourself using your own key.
Step 10: Hatch a good Escape Plan
Even the greatest fortresses will eventually fall. Make sure you have a carefully planned emergency strategy ready to help you retreat promptly when danger arises.
This is what to do in case all hell breaks loose and your email gets hacked:
Change Your Password:
Log in to your email account if you can still access it.
Change your password to a strong and unique one. Use a combination of upper and lower case letters, numbers, and special characters.
Avoid using easily guessable information like birthdays or common words.
Enable Two-Factor Authentication (2FA):
If not already enabled, set up two-factor authentication for your email account. This adds an extra layer of security by requiring a secondary code or verification method to access your account.
Check for Suspicious Activity:
Review your email account for any unusual or suspicious activities. Look for sent emails you didn't send or unfamiliar contacts in your address book.
Scan Your Computer for Malware:
Run a thorough malware scan on your computer using reputable antivirus software. Hackers may have gained access to your account through malware or keyloggers.
Review Account Recovery Options:
Verify that the recovery email address and phone number associated with your account are accurate and up-to-date.
Contact Your Email Service Provider:
Reach out to your email service provider's customer support for assistance.
Inform your email service provider about the suspected hack. They may be able to identify and track down the malicious activity on your account.
They may have specific procedures and tools to help you recover your account and investigate any unauthorized access.
Monitor Your Account:
Continuously monitor your email account for any further suspicious activities. Report them promptly to your email service provider.
Change Passwords on Other Accounts:
If you use the same password for other accounts (which you shouldn't), change those passwords as well to prevent hackers from accessing other services.
Alert Your Contacts:
Send a message to your contacts, friends, and colleagues from an alternative and secure communication channel (e.g., a phone call or a different email account).
Inform them that your email account may have been compromised, and they should be cautious about any emails or messages received from your hacked account.
Advise them not to click on any links, download attachments, or provide sensitive information in response to emails from your compromised account until you confirm that it's secure again.
— 🏰 That’s it! You’ve now built an ironclad fortress that is very hard to penetrate. Make sure to follow the tips outlined in this article, as well as to stay vigilant for newer threats and news around email security. It’s finally time for you to be the king of your inbox!
[1] An email tracker is a tool or code used to monitor and gather information about what happens after you send an email. It can tell the sender when and if the recipient has opened the email, which links were clicked, and sometimes even the recipient's location. Email trackers are often used for marketing and analytics purposes, but they can also be a privacy concern as they can track your actions without your knowledge or consent.
[2] An email pixel tracker is a tiny, invisible image or code snippet embedded in an email. Its primary purpose is to track when and how someone interacts with the email.
[3] Email aliasing is a way to create alternative or temporary email addresses that forward emails to your main email inbox. This way you never truly reveal your email address to websites that ask for it.
[4] PGP, which stands for "Pretty Good Privacy," is a system for securely sending and receiving messages or files over the internet using encryption. It's like putting your message or file inside a locked box before sending it, and only the person with the right key can unlock and read what's inside.