Even with all the latest advancements in social media platforms and messaging applications, most people still use email on a daily basis. And although many businesses have transitioned to real-time messaging platforms like Slack, it doesn’t look like email is going to die anytime soon. Instead, it looks like email is going to be around for a long time.
There are simply some messages that we don’t want to send in real time, and it looks a lot more professional than instant messaging services. At any rate, email has been around for a long time and it’s still widely used – and hackers know this.
In fact, hackers capitalize on this fact. However, as long as you follow some simple best practices, you can proactively avoid the vast majority of threats that use email as an attack medium (password attacks, phishing attacks, social engineering, and similar threats).
To make sure that you don’t get taken advantage of by strangers online, remember to take the following email security best practices to heart.
Use the Right Antivirus Application
If you thought all antivirus applications were more or less the same, think again. Antivirus programs frequently vary in features and quality, and if your current antivirus solution doesn’t include email protection, you might be in for a world of hurt. There are four main features I think everyone should have to combat email threats, though these features aren’t often found in the free versions.
The first feature you need is real-time protection because it can stop an email-borne threat dead in its tracks. Naturally, you’ll want to have some sort of email scanning and spam protection features as well. These features are more common in the mid to high market antivirus solutions. But lastly, you want to make sure you have phishing protection.
As we’ll discuss in the next section, you shouldn’t ever click on a link sent to you in an email. But we are humans, and sometimes we forget or make mistakes. Having phishing protection will help ensure that you don’t end up on a fake website after clicking on a bad link sent to your inbox.
In summary, look for an antivirus solution with the following features:
- Real-time protection
- Email scanning
- Spam protection
- Phishing protection
Never Follow Links Sent to Your Inbox
One of the best tools in your email protection tool belt is prevention. Once a virus has infected your computer or once you’ve given your login credentials to a phishing site, it’s tough work recovering from the attack. As they say, an ounce of prevention is worth a pound of cure, and every single email user should refrain from clicking on links sent to them in emails.
Instead, visit the website on your own. You can manually enter the domain name in Google to pull up the legitimate website or use bookmarks to visit sites on your own. For instance, always manually pull up Facebook instead of clicking on a questionable “Facebook link” in your email. Doing so will help you completely avoid the majority of phishing attempts.
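One concrete way to see why this advice matters: the visible text of a link in an HTML email can say one thing while the underlying href points somewhere else entirely. The following is an added example, not code from the original article or from any product it mentions; it uses a constructed sample email body and flags anchors whose displayed text looks like a URL but names a different host than the real target.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML email body (assumption for this example, not real mail).
# The first anchor displays a facebook.com URL but actually points elsewhere.
SAMPLE_EMAIL_HTML = """
<p>Your account needs attention.</p>
<a href="http://login.example-secure.test/verify">https://www.facebook.com/login</a>
<a href="https://www.facebook.com/settings">Update settings</a>
<a href="https://docs.example.com">docs.example.com</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible_text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text = self._current
            self.links.append((href, text.strip()))
            self._current = None


def host_of(url):
    """Lower-cased hostname of a URL (scheme optional), or '' if unparseable."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def looks_like_url(text):
    """True when the visible link text itself reads like a web address."""
    return bool(re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", text, re.I))


def find_suspicious_links(html):
    """Return anchors whose displayed host differs from the href's real host."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not looks_like_url(text):
            continue  # plain words like "Update settings" cannot be compared
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual:
            findings.append({"href": href, "shown": shown, "actual": actual})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"displayed {f['shown']} but goes to {f['actual']} ({f['href']})")
```

Running this on the sample flags only the first anchor: it shows `www.facebook.com` but resolves to `login.example-secure.test`. Mail clients show the same mismatch when you hover over a link, which is exactly why typing the address yourself or using a bookmark sidesteps the problem.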
Never Open Strange Email Attachments
Even though many email services have ways of scanning attachments and looking for virus signatures, you should never open an email attachment from an untrusted or unknown source. There’s no telling what’s inside the file. In fact, if you get an email with an attachment from a complete stranger, you should actually bet on the probability that it does contain a virus.
Even if you get an attachment from a colleague, make sure that you know the file extension. If you can, try to contact them on a messenger service first to verify they actually sent the file. It may seem overly cautious, but email accounts do get compromised. You don’t know if a hacker or virus compromised a friend’s address and is trying to spread to all of your friend’s contacts.
Send Encrypted Emails
There are tons of apps, utilities, plugins, add-ons, and browser extensions that are designed to encrypt your emails, both for storage and for transit. One such email encryption tool is called CryptUp, but I encourage you to browse through the different solutions.
Some email protocols do offer transport encryption, but you should take matters into your own hands. There is only one drawback, however. The recipient of your email must also have the same app installed, and he/she must also know the decryption key.
Don’t Give Your Username and Passwords to People You Don’t Know
It’s true what they say – there’s a sucker born every minute. Even though this scam has been going around for decades now, some people still respond to social engineering attacks. Make sure you don’t ever give your username and password to someone who requests it in an email.
Sometimes the attacker will pose as a member of tech support for your company, a service you use, or some person of authority. Unless you have verified the person’s identity and verified the name of their account, don’t offer your usernames and passwords to third parties.
Don’t Email Username and Password Pairs Together
Sometimes through correspondence with trusted colleagues and even family members, people run across a scenario where they need to provide someone else with login credentials. The best way to provide someone with these details is to tell them in person. But if they live miles away, that may not be possible or simply be an inconvenience.
However tempting it may be to send them the credentials via email, don’t do it. Instead, use two different communications channels. For example, send the username via text message (preferably encrypted text message). Then, send the password via email without any other text in the email that indicates it’s a password.
I know this may sound over the top, but plenty of IT departments use this method to securely send login credentials.
Some best practices and security policies prohibit sending username and password pairs in a single email for good reason. If the email was stolen, intercepted, sent to the wrong person, sent to a CC or BCC, or if someone was simply standing over the recipient’s shoulder, the account would be compromised.
Use a Password Manager and Follow Password Best Practices
I always say that everyone in their right mind should be using some sort of password manager. They come in a variety of packages, some as stand-alone applications and some as paid subscriptions for cloud service. If you’re not using one already, then check out KeePass’s free version.
I think the real benefit to these types of applications is their ability to securely store and generate incredibly complex passwords.
If you use the same password for every account, a hacker could hack into all your personal accounts in a matter of seconds. That’s why it’s crucial to not only use different passwords for different logins and accounts but to also change those passwords on a regular basis. I don’t know about the rest of you, but I have a hard time memorizing extremely complex passwords, such as the following:
- F_hNV*%n=s46yaep
The previous password is highly complex and extremely strong. These types of passwords are not easily hacked with brute force attacks, and most hackers wouldn’t be able to quickly memorize it if they saw it in plain text, but they’re a pain to type in manually. For that reason, it’s more advantageous and secure to just copy and paste it into the login form.
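To put numbers on “highly complex and extremely strong”, here is an added example (not code from the article or from KeePass) that generates a password the way a password manager does, from a cryptographically secure random source, and computes how many bits of entropy a 16-character password drawn from the 94 printable ASCII symbols carries. The guess rate in the crack-time estimate is an assumed illustrative figure, not a measurement.

```python
import math
import secrets
import string

# The 94 printable ASCII characters (letters, digits, punctuation); the
# password shown in the article is drawn from this kind of set.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=16, alphabet=ALPHABET):
    """Build a password from a CSPRNG. `random.choice` is NOT suitable here:
    it is seeded predictably and meant for simulations, not secrets."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def average_crack_seconds(bits, guesses_per_second):
    """Expected time to brute-force: on average half the keyspace is searched."""
    return (2 ** bits) / 2 / guesses_per_second


def summarize(length=16, alphabet=ALPHABET, guesses_per_second=1e10):
    """Return (password, bits, years) for a password of the given shape.
    1e10 guesses/second is an assumed figure for an offline hash-cracking rig."""
    pw = generate_password(length, alphabet)
    bits = entropy_bits(length, len(alphabet))
    years = average_crack_seconds(bits, guesses_per_second) / (365.25 * 86400)
    return pw, bits, years


if __name__ == "__main__":
    pw, bits, years = summarize()
    print(f"{pw}  ({bits:.1f} bits, ~{years:.3g} years at 1e10 guesses/s)")
```

A 16-character password over 94 symbols carries about 105 bits of entropy, which is well out of reach of brute force; the same formula shows why an 8-character password over lowercase letters only (about 38 bits) is not. Because the result is unmemorable, generating it inside a password manager and pasting it into the login form is the practical way to use it.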
Remember, it’s safer to input your credentials via a password manager than to cache them in your browser. After all, what would happen if someone else was able to access your computer or mobile device without your consent? In an instant, they’d not only have access to your email but all other accounts that are cached in your web browser too.
Use a “Catch-All” Email Account for Subscriptions and Gated Content
Most marketing lists simply start out as a way for a business to send promotional offers to their customers. But sometimes websites get hacked, and their list of email addresses are stolen. Other times, shady websites actually sell their list of email addresses to spammers, hackers, and digital thugs.
For this reason, it’s advisable to use a dummy email account that solely exists as a net to catch all that nasty spam. Never open the email in this dummy account, since it’s just a way to access gated content or register for sites. Also, make sure the name of this email address in no way can be used to identify you, so don’t include your name in the address.
Then, if your email address ends up on a hacker’s attack list or a spammer’s list, your real address won’t be emailed. That way you’ll be much less likely to click on any phishing links.
Consider Using Anonymous Email for Certain Registration and Verification Purposes
If you’re like most people, you hate giving out your telephone number and email address, especially when you know that it’s just going to be used to send marketing emails. While at the checkout counter of many retailers, I’ve always wondered why they claimed they “needed” my email address to proceed with the checkout.
The good news is that there are completely anonymous email services, and many of them are free. For instance, just go to HMA VPN’s website to check out its free anonymous email service. You can find others as well, but HMA is the one I trust the most since it is owned by AVG.
Final Thoughts
Email may be part of our daily lives, but it isn’t inherently safe. Even with antivirus software, some phishing attempts and malicious files may slip through the cracks. But if you follow these best practices, you can drastically reduce the chance of being victimized to mere fractions of fractions of a percent. Your inbox is a dangerous place, so take these tips to heart to stay safe online.