Unsure how email security works? First of all, email security refers to protecting your email accounts against unauthorized access. But why is it so important to make sure your account never gets compromised?
Email is the most popular delivery method for malware (malicious software such as viruses), which usually arrives as an infected link or attachment. Hackers commonly use email to get inside your system, wreak havoc on your device, and spread their malware to everyone else on your network or in your contacts list.
You probably also use your email account as a verification method for other sensitive online transactions like online banking, which is just one more reason to secure it.
Businesses should be especially diligent about email security, because it’s an extremely common access point for hackers looking to steal company data or propagate ransomware.
What about phishing?
Email is also how cybercriminals send you annoying spam and dangerous phishing attempts. Phishing is a scam in which cybercriminals impersonate a business or personal contact to try to trick you into revealing personal information, which they can later use for identity theft or other crimes. Phishing is extremely common and can be disastrous for both individuals and companies — so it’s one of the most important reasons to secure your email account.
Email security best practices
By adopting the best practices described below and learning which security protocols are used to protect email, you’ll be on your way to securing your accounts in no time. Here are our top six tips and email security features to lock down your account like a fortress.
And it’s not just your account that needs to be secure, by the way — anyone on your network should follow our email security practices, because someone else can easily infect your device if their account gets compromised. Whether at home or at work, everyone should take appropriate precautions.
1. Always use common sense
One of the best ways to stay one step ahead of cybercriminals is to practice smart digital habits. That means having a healthy dose of skepticism. Received a weird-looking email? Don’t open it! And definitely don’t click any links or attachments, because they’re likely to be malware. Got a message from a friend claiming they’re stuck in another country and need some cash to get home? Check directly with your friend rather than replying to the email — it’s almost certainly fake.
Be careful not to divulge highly sensitive information via email: never send your passwords, Social Security number, banking details, or business secrets in an email message. Sometimes hackers are so crafty that all the common sense in the world won’t protect you. That’s where the rest of our tips come in.
2. Strengthen your passwords
Have you been using the same old password for years? If so, update it right away. Hackers can easily break into accounts with weak passwords by using brute force attacks. And after a data breach, it’s common to find thousands of usernames and passwords up for sale on the dark web.
That means a cybercriminal can grab a bunch of usernames and passwords and attempt credential recycling — trying to breach all your accounts once they get access to just one. For example, a hacker might check if your email password works on your online banking accounts. That’s why it’s so important to have unique passwords for all your accounts.
To get a really strong password, you can use a passphrase — a collection of words that you put together to make a long, strong password. See our instructions to create a passphrase.
Once you have a good password, don’t stop there. To prevent credential recycling, you should create a unique password for each of your online accounts. If that sounds like too many passwords to keep track of, try using a password manager.
3. Enable 2FA
Up your security even more by using two-factor authentication (2FA), also known as two-step verification. 2FA adds an additional layer of security by requiring you to submit a second piece of information when signing in to your account. This could be a code that’s sent to you by SMS, a code generated by a third-party app like Google Authenticator, your fingerprint, or another method. Most email providers offer 2FA, including Gmail, Microsoft, Yahoo!, and AOL.
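To show what an authenticator app actually does when it displays a six-digit code, here is an added example (written for this article, not code from the original post or from any email provider): the code is computed from a shared secret and the current 30-second time slot, and the matching server-side check accepts one slot of clock skew. The secret used is the published RFC 6238 test value, included purely as a demo.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example: how an authenticator app turns a shared secret into the
# 6-digit code you type at sign-in. HOTP (RFC 4226) is driven by a counter;
# TOTP (RFC 6238) uses floor(unix_time / 30) as that counter. The provider
# hands the app the secret (base32) via the QR code scanned at enrollment.

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password for a single counter value."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def decode_secret(base32_secret: str) -> bytes:
    """Accept the secret the way providers display it: spaces, lowercase, no padding."""
    s = base32_secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def totp(base32_secret: str, at=None, step: int = 30, digits: int = 6) -> str:
    """The code the app shows at Unix time `at` (defaults to right now)."""
    at = time.time() if at is None else at
    return hotp(decode_secret(base32_secret), int(at) // step, digits)

def verify_totp(submitted: str, base32_secret: str, now=None,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current slot plus `window` slots either side
    (phone clock drift), comparing in constant time so timing leaks nothing."""
    now = time.time() if now is None else now
    key = decode_secret(base32_secret)
    counter = int(now) // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        # Evaluate every candidate (no early return) to keep timing uniform.
        ok |= hmac.compare_digest(hotp(key, c, len(submitted)), submitted)
    return ok

# RFC 6238 test secret: ASCII "12345678901234567890" in base32 (demo value only).
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print("code at t=59:", totp(DEMO_SECRET, 59))       # 287082 per RFC 6238
    print("current code:", totp(DEMO_SECRET))
```

Because the code depends only on the secret and the time, anyone who copies the secret (or the QR code) can generate valid codes, which is why providers show it only once during setup.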
Turning on 2FA varies a bit depending on which email provider you use, but here’s how to do it in Gmail:
Sign into your account.
Click the icon in the top right (it’ll be your picture or your initial) and then select Manage your Google Account.
Select Security on the left side, and then click on 2-Step Verification.
On the next screen, click Get Started.
Enter your password again to confirm that it’s really you making this change.
Google suggests using a prompt on your phone that you’ll tap to confirm it’s really you. You can also choose a security key, text message, or voice call for verification. Choose your desired option and hit Try it now. (If you aren’t yet using the Gmail app on your phone, you should download it now to make sure the rest of these steps work properly.)
Google will send a test prompt to your phone.
On your phone, a screen will pop up to verify that it’s you. Tap Yes.
You’re almost done — just add a backup option in case the prompt doesn’t work. You can choose SMS or voice call. Enter your number, then click Send.
Check your phone again — you’ll receive a Google verification code.
Return to your computer, enter the verification code sent to your phone, and hit Next.
Finally, tap Turn on.
You now have 2FA enabled! You should receive an email confirming that you have successfully applied the change.
4. Use spam filtering services and email security software
There are two types of spam filters you can use on your email account: your email provider’s built-in spam catcher and the stronger protection that you can get with a third-party service.
Your email provider’s spam filter should generally do a good job of catching the most obvious types of spam so that you don’t see them in your inbox, but it can sometimes snag legitimate messages too. Most providers automatically delete the contents of the spam folder after 30 days, so it’s a good idea to check it periodically to make sure you haven’t missed any legitimate messages.
5. Manage connected apps
Have you ever signed up for third-party apps by using the “sign in with email” feature? Those third-party apps and services likely still have access to your email, even if you haven’t used them in a long time. Take a look at which apps have access and revoke some if not all of these permissions.
The process for removing connected apps varies according to which email provider you use. Here, we’ll illustrate the steps using Gmail.
Sign into your account and open up Account Settings.
Select Security on the left side and find the box for connected apps. Click Manage third-party access.
You’ll see a list of all the apps that have access to some part of your account or data. Choose a specific app and then click Remove to revoke access.
When the confirmation box appears, click OK.
Go through your list of connected apps one by one and remove anything that you no longer need.
6. Avoid free Wi-Fi
Free public Wi-Fi networks, like those offered in coffee shops, airports, and elsewhere, are not secure. Hackers can breach unsecured networks like these extremely easily using man-in-the-middle attacks, DNS spoofing, and Wi-Fi sniffing. That means cybercriminals might be able to see everything you’re typing, including your email username and passwords, online banking details, and anything else you access while on the compromised network. That’s why it’s best to avoid free Wi-Fi altogether — unless you use a virtual private network (VPN) to securely encrypt your data and keep hackers out.
Business email security
Most people have different personal and company email accounts, and it’s good to keep them separated. That way, if either one gets compromised, the damage will be minimized. In fact, for that same reason, it’s a good idea to have more than one personal account. You can have one you use to sign up for services and mailing lists and another, more private account that you use for sensitive data like bank account updates.
Many security breaches at large companies start with just one employee falling for a phishing scam… which leads to millions of people’s data being stolen. Follow the tips above to keep your company email as safe as your personal one. Review your company’s cybersecurity policy to see if they have additional requirements or suggestions to help secure business email.
Also be careful with setting an out-of-office (OOO) automated email — it could alert cybercriminals that your account isn’t being monitored for a period of time. And avoid publishing your colleagues’ emails or phone numbers in your OOO note. A good solution is to set different OOOs: one for internal contacts, and a separate one without potentially compromising information for external contacts.
Finally, make sure you’re using your company’s antivirus software. If you receive an email that may be a phishing scam, contact your IT team to see how to proceed.
If you’re a business owner, make sure you have strong, business-level email security software for your entire company. Invest time in cybersecurity education so all your employees stay safe and avoid compromising your company.
How to encrypt email
Another way to keep your email secure is to learn how to encrypt email. Encryption refers to encoding information so that it can’t be read by anyone who doesn’t have the decryption key. Anyone else who gets a peek into encrypted email would see only a jumbled mess of characters.
It’s possible to encrypt the connection between your machine and your email provider as well as to encrypt your emails themselves. Without encryption, hackers or other snoops can harvest your login credentials and the contents of your emails.
To encrypt your connection to the email service, make sure it uses Transport Layer Security (TLS), the successor to the older Secure Sockets Layer (SSL) protocol. That’s easy to check in webmail: just make sure your provider is serving the site over an HTTPS connection (rather than HTTP). If you look at the address bar in your browser, you should see HTTPS and, depending on your browser, a padlock icon signaling that the connection is secure.
To get full end-to-end encryption — meaning the email stays encrypted all the way from your computer, through the email servers, and in transit to the recipient, until they decrypt it — the person you’re emailing must also be using encryption. You can achieve end-to-end email encryption with Secure/Multipurpose Internet Mail Extensions (S/MIME). To do this, you need to install an S/MIME certificate and its private key on your computer and then give the matching public key (the certificate) to your contacts; they’ll use this public key to encrypt emails to you, and only your private key can decrypt them.
Preserving this level of security requires your contacts to uphold their end of the encryption, along with the use of third parties to issue the security certificate and/or third-party web browser add-ons to manage the process. End-to-end email encryption is mainly used when businesses need to protect intellectual property or other proprietary information — it’s generally beyond the scope of normal email users.
A more user-friendly way to use encryption is a virtual private network (VPN). A VPN encrypts all of your internet traffic — email, searches, even apps and games — between your device and the VPN server, so anyone snooping on the local network can’t see what you’re doing. This is most helpful when you’re using public Wi-Fi, as those types of unsecured networks can leave your online activities wide open.
Avoid email tracking software
There are generally two groups of people tracking your emails: marketers from legitimate businesses, especially companies that you’ve interacted with (like e-shops you’ve ordered from), and spammers. No matter the source, you’ll want to block email tracking software.
Block email tracking from marketers
Did you know that every time you open a company’s marketing email, you’re almost certainly sending data back, even if you don’t actually respond to the email? Most marketers use email tracking software in the form of pixel tracking — tiny, one-pixel images embedded in the email that are invisible to the human eye. When your email client fetches that image from the sender’s server, the request itself transmits valuable information back to the sender, including:
When you opened the email.
What device and operating system you opened it on.
How many times you looked at the email.
Which links in the email you clicked.
Your IP address.
Many businesses use dedicated email marketing software like MailChimp to help them track as much data as possible.
While marketers mainly use that information to identify trends — such as the percentage of recipients that open an email or the percentage that clicked a link — they can also learn about you personally. Advertisers may be able to use info they glean from your habits to build a profile of you, adjust pricing based on your habits or what content you engage with, and generally market to you more efficiently.
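To make the mechanism concrete, here is an added example (not from the original article) that scans the HTML body of an email for likely tracking pixels the way a privacy tool or mail filter might: images that are 1x1 or hidden by CSS and are fetched from an external web server, with the query string that usually carries the per-recipient identifier. The sample message and hostnames are constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Heuristics: an <img> that is tiny (1x1 or 0x0) or hidden by CSS and that is
# fetched from an external web server is almost certainly a tracking pixel; the
# query string on its URL usually carries the per-recipient identifier.
class PixelFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        url = urlparse(a.get("src", ""))
        if url.scheme not in ("http", "https"):
            return  # inline (cid:) or data: images never phone home
        style = a.get("style", "").replace(" ", "").lower()
        sizes = ("0", "1")
        tiny = (a.get("width", "").strip("px ") in sizes
                and a.get("height", "").strip("px ") in sizes)
        hidden = any(rule in style for rule in
                     ("display:none", "visibility:hidden", "width:1px", "height:1px"))
        if tiny or hidden:
            self.findings.append({
                "host": url.hostname,
                "tracking_params": sorted(parse_qs(url.query)),
                "reason": "1x1 image" if tiny else "hidden image",
            })

def find_tracking_pixels(html: str) -> list:
    """Return one record per suspected tracking pixel in an HTML email body."""
    parser = PixelFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample message (not a real mailing); hostnames are placeholders.
SAMPLE_EMAIL = """<html><body>
<p>Thanks for your order!</p>
<img src="https://cdn.example-shop.test/logo.png" width="200" height="60" alt="Shop">
<img src="https://track.example-mailer.test/open?u=12345&amp;c=spring" width="1" height="1" alt="">
<img src="https://img.example-mailer.test/px.gif" style="display:none; width:1px; height:1px">
<img src="cid:inline-photo" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_EMAIL):
        print(f"{hit['reason']} from {hit['host']} carrying {hit['tracking_params']}")
```

Blocking external images, as described in the next section, stops every one of these requests at once, because the identifier is only sent when the image is actually fetched.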
Luckily, there are a few easy ways to prevent email tracking.
Turn off automatic images in your email
Since pixel tracking relies on images, you can opt to have your email provider ask you before displaying external images. Note that this blocks all external images until you click to display them, and because the tracking pixel is just another external image, it won’t load unless you do. The process will vary a bit depending on which email service you use, but here’s how to do it in Gmail:
Open up your Gmail account.
Click the Settings cog in the top-right corner and then select Settings from the drop-down menu.
Scroll down to Images and then select Ask before displaying external images.
Scroll down to the very bottom of the screen and click Save Changes. A box will pop up, and you’ll click to confirm.
That takes care of blocking images on your phone’s Gmail app as well. But if you use a third-party email client like Outlook or Apple’s Mail app, you’ll need to go into the settings and disable images there, too.
Use a tracker blocker
Curious who’s tracking you online? You can find out by using a browser extension. Several options exist that will block images — preventing trackers — and alert you when an email is attempting to collect info on you. Try PixelBlock (Chrome), Ugly Email (Chrome), Trocker (Chrome and Firefox), or another option to regain control over your inbox.
Advertisers can track you through more than just email — 70% of websites track their visitors around the web. And thousands of data brokers collect information on you and sell it to advertisers.
You can shut down all kinds of invasive tracking with a dedicated anti-tracking solution. AVG AntiTrack is a privacy tool that blocks tracking in one click. It also feeds fake data to trackers to put them off your scent and mask your true identity online.
Legitimate marketing emails may be annoying, but they’re generally not malicious. If you buy a product from any online retailer, you’ll likely end up on their email list. You may start receiving their regular newsletter, sales offers, product announcements, and other company or general updates. If these emails annoy you, you should be able to simply unsubscribe. Scroll down to the end of the email and look for the unsubscribe button or link.
They may also offer options to reduce the frequency of emails, or prevent a certain type of email. Note: you should click unsubscribe only on a legitimate business’s emails. Interacting with spam or scam emails can put you at increased risk of future scams.
Block email tracking from spammers
If you’re receiving emails with adult content, obvious fake offers for a GrEaT SaLe!!!!, medical services, or anything else that seems sketchy, do not open the email. Simply delete it. If they contact you repeatedly, block the sender. Never click unsubscribe on a spam email. By engaging with spam, you’re alerting the spammer that they’ve identified a valid email address that leads to a real person: you. They’ll contact you even more frequently and try to hook you into one scam or another. Simply delete, block, and move on.
The most secure email providers
Wondering which email provider has the best security? The answer may surprise you. While Gmail commands about 30 to 40% of the market, it may not be the most secure email provider. In fact, the most secure solutions tend to be from lesser-known providers that design their tools with privacy and security in mind. Look for security-enhancing features such as:
End-to-end encryption (usually only if the sender and receiver are using the same encrypted email service)
Self-destructing emails that disappear after a specified time
Custom domain names
Stripped metadata (removing information about your device, timestamps, what browser you used, etc.)
If you require a high degree of security, consider a specially designed email service such as ProtonMail, MailHippo (secure enough to be HIPAA compliant), or Mailfence. But most email users do not require this level of security. And many people do not want to switch email providers, because they’d then have to send all of their contacts their new email address. We recommend first implementing the tips in this article with your current email account and evaluating your new level of security before jumping to a new provider.