Here’s a scenario many of us know: You’re staring at your inbox, worried about that odd-looking email, or scared that one wrong click might have exposed your data. Those fears aren’t unfounded. Phishing scams, ransomware attacks, and other threats are all too real.
But there’s good news: you don’t need a tech degree to understand email security. We’ll walk you through straightforward email security best practices to keep your emails safe and give you peace of mind.
Table of Contents
- Email Security Best Practices for Employees and End Users
- 1. Don’t Share Sensitive Information Over Email
- 2. Always Verify Unexpected Requests
- 3. Never Click on Suspicious Links
- 4. Use a Password Manager
- 5. Enable Two-Factor Authentication (2FA)
- 6. Install a Security Suite and Keep It Up-To-Date
- 7. Review Third-Party Permissions
- 8. Set Up Email Filters
- Email Attachment Security Best Practices
- Email Security Best Practices at Your Organization
- Corporate Email Security Best Practices
- How Do Hackers Compromise Your Email?
- Secure and Successful With Campaign Refinery
Email Security Best Practices for Employees and End Users
End users are the most vulnerable link in the email security chain. While technical measures and advanced software can provide layers of protection, it’s the everyday actions of employees and users that often determine the security outcome.
So, let’s see what email security best practices you should follow as a regular user.
1. Don’t Share Sensitive Information Over Email
Sharing sensitive information like your Social Security number, bank details, or personal secrets over email can expose you to risks. If someone intercepts or accesses your email, they can misuse this information.
If you need to share confidential information, use more secure methods, like a secure file-sharing platform. You can also encrypt your email to make sure only the recipient can read the message. And always double-check the recipient’s email address before sending.
2. Always Verify Unexpected Requests
Scammers often impersonate colleagues or superiors to deceive you. If you receive an unexpected email request, especially for money transfers or sensitive information, double-check its authenticity. Reach out to the person or organization directly using a known contact method, like a saved phone number, to confirm the request.
3. Never Click on Suspicious Links
Clicking links in suspicious emails can expose you to malware, fake sites, and other scams.
If an email feels weird or too good to be true, check the sender’s email address to make sure it’s from a trusted source. Look for any spelling mistakes, unusual characters, or anything that seems out of the ordinary in the email address or content.
Before clicking on a link in an email, hover your mouse over it. This won’t open the link but will display the actual URL at the bottom left corner of your screen. If you’re on your smartphone, pressing and holding on the link will often show a preview of the URL without actually opening it.
Another email security best practice is to manually type the URL into your browser instead of clicking on the link. This way, you won’t end up on a malicious site because of sneaky typos or misleading characters in the link.
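The hover check described above can also be run over a message's HTML body. The following is an added example, not part of the original article; the sample HTML and every hostname in it are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample HTML body; every hostname is a placeholder.
SAMPLE_HTML = """
<p>Your mailbox is almost full.</p>
<a href="https://mail.example.com/quota">https://mail.example.com/quota</a>
<a href="https://mail.example.com.account-check.test/login">https://mail.example.com/login</a>
<a href="https://xn--exmple-cua.test/reset">Reset your password</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Return the lowercase hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def review_links(html):
    """Return [(href, [reasons])] for links whose real target deserves a second look."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        reasons = []
        # The hover check: if the visible text is itself a URL, it must name the same host.
        if re.match(r"https?://", text, re.IGNORECASE) and host_of(text) != target:
            reasons.append(f"text shows {host_of(text)} but link opens {target}")
        # Misleading characters: non-ASCII or punycode-encoded labels in the hostname.
        if not target.isascii() or any(p.startswith("xn--") for p in target.split(".")):
            reasons.append("hostname contains non-ASCII or punycode labels")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in review_links(SAMPLE_HTML):
        print(href, "->", "; ".join(reasons))
```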
4. Use a Password Manager
The average business employee juggles between 27 and 191 passwords. That’s an overwhelming number, and it’s impossible to remember them all. That’s why it’s tempting to resort to easy passwords or reuse the same one for multiple accounts. But using a weak password like “123456” or “password” is like leaving your front door wide open. In contrast, a strong password, such as “J4!pQ#m7&zR,” acts like a fortified security gate.
A password manager can be the most practical solution in this scenario. It generates strong, random passwords for every account and safely stores them. You won’t have to remember each one; you just need one master password to access them all.
Password managers aren’t without risks, though. If someone gains access to your master password, they can access all your stored passwords. Or an attacker might exploit a vulnerability in the password manager software — like what happened to LastPass, which was ironically caused by an employee picking an easy password. That said, despite its potential risks, a password manager is still far more secure than a weak or reused password.
If you decide to manually choose a non-random password for crucial accounts, make sure it has these characteristics:
- It’s not a common word or phrase.
- It’s long, ideally 12 characters or more.
- It combines uppercase and lowercase letters, numbers, and symbols.
- It doesn’t use easily guessable information, like your birthdate or name.
5. Enable Two-Factor Authentication (2FA)
Two-factor authentication, or 2FA for short, adds an additional layer of security to your account.
After entering your password, you get a text message on your phone with a code. You’ll need to enter this code to access your email. The idea is simple: even if someone guesses or steals your password, they can’t get in without the second piece of information, which only you have.
You can also configure your email to receive the code on an app like Google Authenticator or Microsoft Authenticator. These apps don’t rely on text messages, so they’re more secure even if someone intercepts your SMS or if you’re in an area with poor reception.
How to Set up 2FA in Gmail
To activate 2FA for your Gmail, go to your Account Center > Security > 2-Step Verification.
How to Set up 2FA in Outlook
And if you use Outlook, here’s what to do:
- Log in to your Microsoft Account.
- Navigate to Security.
- Click on Turn on two-step verification in the top right corner.
- Verify your identity.
- Click Manage two-step verification.
- Read the details and click Next.
- Select how you want to receive the second factor. If you choose “An app,” you need to install Microsoft Authenticator or click “Set up a different Authenticator app” and scan the QR code on your preferred app.
- Save your recovery code.
6. Install a Security Suite and Keep It Up-To-Date
Install reputable security software and set it to update automatically. When you turn on real-time protection, the program continuously monitors your activities. If you download or interact with something harmful from an email, it jumps into action immediately.
Plus, if you accidentally click on a harmful link, the program can stop the link from opening or warn you about the risk.
Make sure your email client, web browsers, and operating system are always up-to-date. Updates often contain security patches that fix vulnerabilities. Enable automatic updates in your software settings. Check for updates manually, too.
7. Review Third-Party Permissions
Over time, we grant access to various apps, from calendar apps to task managers and productivity tools. Every app linked to your email has a degree of access to your data. Some of these apps might become obsolete or untrustworthy. That’s why you have to review your third-party permissions every once in a while. Revoke access to any apps that you no longer use, recognize, or trust.
How to Review Permissions in Gmail
If you’re on Gmail, navigate to your Account Center > Security > Connections to third-party apps & services. Then select the app that you want to disconnect from your account and click “Delete all connections.” Confirm your choice, and you’re done.
8. Set Up Email Filters
Email filters are rules you set up to automatically sort, label, or even delete incoming emails based on your preferences. For example, you can have a filter that sends all emails with the word “discount” in the body directly to a “Coupons” folder.
Filters can also improve your security. You can automatically send emails with attachments to a separate folder or trash them. This reduces the risk of accidentally clicking on a harmful link or downloading a malicious attachment.
Here are a few ideas for email filters to enhance your security:
- Unknown senders: Filter emails from senders not in your contact list to a “Review” folder.
- Common scam terms: Filter emails with phrases often used in scams, like “urgent action required” or “you’ve received a payment/refund.”
- Foreign domains: Filter out emails coming from foreign domains if you don’t typically receive international emails.
How to Set Up Email Filters in Gmail
Creating filters in Gmail is straightforward:
- Click on the gear icon and select “All Settings.”
- Navigate to Filters and Blocked Addresses.
- Click “Create a new filter” at the bottom.
- Enter your criteria and click “Create filter.”
- Choose what happens to incoming emails that meet the criteria.
Email Attachment Security Best Practices
One in every four business emails carries an attached file. So, there’s no avoiding attachments. But you can approach them with caution.
Let’s go over a few cyber security email tips to handle attachments safely:
1. Don’t Download Unknown Attachments
Attachments can carry malware that infects your device as soon as you open the file. If you receive an unexpected attachment or one from an unfamiliar sender, don’t open it. When in doubt, verify with the sender through a separate communication channel.
Also, ignore attachments that prompt you to enable macros or run scripts since this tactic is common in malware distribution.
2. Scan Attachments Before Opening
Even if you trust the sender, scan all your attachments. Sometimes, even your close colleagues or friends might send you a harmful attachment unknowingly if their account gets compromised. Plus, cybercriminals can hide malware in seemingly harmless files, like documents, images, or PDFs. And just opening such a file can trigger the malware.
Fortunately, Gmail and other reputable email services have built-in virus scanners that automatically inspect all incoming emails. But if you have your own email infrastructure at your company, use a reliable antivirus solution to scan attachments and links in real-time.
3. Check File Extensions
Attackers often use double extensions, such as “.jpg.exe,” to trick you. At first glance, that file might seem like an image, but it’s actually an executable that can harm your computer. To stay safe, always look at the full name of the attachment. If you see two extensions, be extra cautious.
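A mail gateway or mailbox script can apply the same check to every attachment name. This is an added example, not from the original article; the extension lists and the sample message are assumptions constructed for illustration.

```python
from email.message import EmailMessage

# Assumed extension lists for illustration; extend them for your environment.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "lnk", "hta"}
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "xls", "xlsx", "txt"}


def classify_filename(name):
    """Classify an attachment name as 'double-extension', 'executable' or 'ok'."""
    # Lowercase and trim each dot-separated part so "Photo.JPG .EXE" is still caught.
    parts = [p.strip() for p in name.strip().lower().split(".")]
    last = parts[-1] if len(parts) > 1 else ""
    before_last = parts[-2] if len(parts) > 2 else ""
    if last in EXECUTABLE_EXTS and before_last in DECOY_EXTS:
        return "double-extension"
    if last in EXECUTABLE_EXTS:
        return "executable"
    return "ok"


def scan_attachments(msg):
    """Return [(filename, verdict)] for every attachment that is not 'ok'."""
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        verdict = classify_filename(name)
        if verdict != "ok":
            flagged.append((name, verdict))
    return flagged


def build_sample_message():
    """Constructed message with harmless placeholder bytes as attachment bodies."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Photos from the offsite"
    msg.set_content("See attached.")
    for filename in ("team.jpg", "agenda.v2.pdf", "holiday.jpg.exe",
                     "Invoice.PDF.scr", "tool.bat"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg


if __name__ == "__main__":
    for name, verdict in scan_attachments(build_sample_message()):
        print(f"{verdict:17} {name}")
```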
Email Security Best Practices at Your Organization
If you use your business domain for email communications, your security measures need to go beyond strong passwords and scanning attachments for malware. Here’s what we recommend as a starting point:
1. Implement Email Authentication Protocols
Email authentication protocols, like SPF and DKIM, are a way to confirm that an email genuinely originated from the domain that it claims. Implementing them is critical for businesses because it helps prevent cybercriminals from pretending to be them. Imagine the damage to your brand if someone sent emails to customers or partners pretending to be you.
Email authentication adds specific records to your domain’s DNS. These records are sets of rules that tell other email servers how to verify emails coming from that domain. When an email server receives a message from a domain with email authentication, it verifies the incoming email against these rules. It then flags, or even rejects, the emails that don’t pass the inspection.
Implementing authentication also boosts your deliverability, helping your outgoing emails land in the recipients’ inboxes.
2. Conduct Security Awareness Training
Social engineering scams cost organizations tens of thousands of dollars each year. The damages caused by business email compromise (BEC) attacks have tripled since 2019, and the number of incidents has been on the rise. At the center of all these attacks are unaware employees who inadvertently become the weakest link.
That’s why you need security awareness training, a program to educate employees about the do’s and don’ts of internet security, including email security best practices. It usually involves a mix of lessons, real-world examples, and simulations.
You should conduct these training sessions regularly to make sure everyone stays sharp and updated on the latest security practices.
3. Limit Access to Sensitive Data
When fewer people have access to critical information, there’s a lower risk of breaches and leaks. You can implement access control mechanisms with defined roles and privileges to make sure everyone only interacts with the data they need. This way, even if end-user accounts become compromised, the attacker will have less freedom to wreak havoc on your infrastructure.
4. Back Up Organizational Data
Despite your best efforts, there’s always a chance that attacks can slip through the cracks. So, you always need a contingency plan, especially with ransomware attacks becoming more prevalent in recent years. These are attacks where cybercriminals encrypt your data and ask for a ransom to unlock it. If you maintain a backup of your data, you won’t lose everything.
Make data backup a regular habit. Store backups in multiple locations, including offsite or cloud-based storage, to protect against physical damage. And test your backups periodically to confirm you can restore them quickly when necessary.
Corporate Email Security Best Practices
Corporate email security requires a methodical approach. You need a comprehensive strategy for technological safeguards, employee training, and regular monitoring and audits. Here are a few pointers:
1. Implement DMARC
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a sophisticated domain authentication protocol that unifies SPF and DKIM. Using its dual-check mechanism, recipients can confirm incoming emails are sent from a genuine IP address and haven’t been corrupted in transit. Plus, DMARC offers advanced reporting capabilities, such as email delivery performance.
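The DNS records mentioned earlier for SPF, and the DMARC record described here, are short text strings, and a weak setting in either one undoes the protection. The audit below is an added example, not from the original article; the records are constructed for the placeholder domain example.com, and the checks cover only the common weaknesses named in the comments.

```python
# Constructed records for the placeholder domain example.com (not from the page).
WEAK = {
    "spf": "v=spf1 include:_spf.mailer.example +all",
    "dmarc": "v=DMARC1; p=none",
}
HARDENED = {
    "spf": "v=spf1 include:_spf.mailer.example -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
}


def audit_spf(record):
    """Return a list of weaknesses in an SPF TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    issues = []
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    has_redirect = any(t.lower().startswith("redirect=") for t in terms[1:])
    if not all_terms and not has_redirect:
        issues.append("no 'all' term: unlisted senders get a neutral result")
    for term in all_terms:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default qualifier is '+'
        if qualifier == "+":
            issues.append("'+all' authorizes every server on the internet")
        elif qualifier == "?":
            issues.append("'?all' is neutral, so spoofed mail is not failed")
    return issues


def parse_tags(record):
    """Split a 'tag=value; tag=value' record into a dict, keeping tag order."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record):
    """Return a list of weaknesses in a DMARC TXT record (published at _dmarc.<domain>)."""
    tags = parse_tags(record)
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        return ["not a DMARC record (must start with v=DMARC1)"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in {"none", "quarantine", "reject"}:
        issues.append("missing or invalid p= policy")
    elif policy == "none":
        issues.append("p=none requests no action on mail that fails the checks")
    if "rua" not in tags:
        issues.append("no rua= address, so no aggregate reports are received")
    if tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    return issues


def audit_domain(records):
    """Audit one domain's SPF and DMARC records together."""
    return audit_spf(records["spf"]) + audit_dmarc(records["dmarc"])


if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_domain(records) or "no issues found")
```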
Gmail and Yahoo have made domain authentication a requirement for mass email senders in 2024. But Campaign Refinery already had the necessary policies in place before these companies announced their new measures. All of our clients have to perform domain authentication when they sign up. We believe that being proactive in establishing security and trust is fundamental to email marketing success.
2. Establish a Comprehensive Email Security Policy
Every organization needs a set of rules and guidelines to guarantee everyone is on the same page about email security controls. This policy sets the standard for email practices, such as the kind of information that’s allowed to be exchanged over email and the procedures to follow if someone suspects a security breach.
Start by assessing your organization’s unique needs and risks. Consider the type of data you handle, the regulatory environment, and past security incidents. Communicate the policy to all employees and run training sessions if necessary.
3. Monitor Email Traffic
Corporate employees may send and receive thousands of emails every day. So, it’s not that difficult to hide malicious activities in that sea of emails. Email monitoring tools let you keep a watchful eye on email patterns and behaviors. As a result, you can spot and respond to potential threats before they escalate.
Here are a few behaviors and patterns to watch out for:
- Sudden spikes in email volume.
- Frequent emails to unfamiliar domains.
- Multiple failed login attempts.
- Unusual attachment types or sizes.
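The first three patterns in this list can be detected with simple counting over mail and authentication logs. The sketch below is an added example, not from the original article; the log format, the sample lines, the allowlist, and every threshold are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed thresholds and allowlist; derive real ones from your own traffic baseline.
KNOWN_DOMAINS = {"example.com", "partner.test"}
MAX_SENDS_PER_HOUR = 5
MAX_UNFAMILIAR_SENDS = 3
LOGIN_FAILS = 3
FAIL_WINDOW = timedelta(minutes=10)


def build_sample_log():
    """Constructed log lines in an assumed 'timestamp EVENT key=value ...' format."""
    lines = ["2024-05-01T09:00:00 SEND user=alice@example.com rcpt=bob@partner.test",
             "2024-05-01T09:30:00 SEND user=alice@example.com rcpt=new@vendor.test",
             "2024-05-01T08:00:00 LOGIN_FAIL user=erin@example.com ip=198.51.100.4",
             "2024-05-01T15:00:00 LOGIN_FAIL user=erin@example.com ip=198.51.100.4"]
    for i in range(8):   # burst: 8 messages in 8 minutes, all to unfamiliar domains
        lines.append(f"2024-05-01T10:{i:02d}:00 SEND user=dave@example.com "
                     f"rcpt=u{i}@unknown{i % 3}.test")
    for i in range(4):   # 4 failed logins in 4 minutes
        lines.append(f"2024-05-01T11:{i:02d}:00 LOGIN_FAIL user=carol@example.com "
                     "ip=203.0.113.7")
    return lines


def parse(line):
    """Split one log line into (datetime, event name, dict of fields)."""
    stamp, event, *pairs = line.split()
    return datetime.fromisoformat(stamp), event, dict(p.split("=", 1) for p in pairs)


def detect(lines):
    """Return the users that trip each of the three checks."""
    sends_per_hour = Counter()
    unfamiliar = Counter()
    failures = defaultdict(list)
    for when, event, fields in map(parse, lines):
        user = fields["user"]
        if event == "SEND":
            sends_per_hour[(user, when.replace(minute=0, second=0))] += 1
            if fields["rcpt"].rsplit("@", 1)[-1].lower() not in KNOWN_DOMAINS:
                unfamiliar[user] += 1
        elif event == "LOGIN_FAIL":
            failures[user].append(when)

    alerts = {"volume_spike": set(), "unfamiliar_domains": set(), "failed_logins": set()}
    for (user, _hour), count in sends_per_hour.items():
        if count > MAX_SENDS_PER_HOUR:
            alerts["volume_spike"].add(user)
    for user, count in unfamiliar.items():
        if count > MAX_UNFAMILIAR_SENDS:
            alerts["unfamiliar_domains"].add(user)
    for user, times in failures.items():
        times.sort()
        # Sliding window: LOGIN_FAILS failures whose first and last fall within FAIL_WINDOW.
        for i in range(len(times) - LOGIN_FAILS + 1):
            if times[i + LOGIN_FAILS - 1] - times[i] <= FAIL_WINDOW:
                alerts["failed_logins"].add(user)
                break
    return alerts


if __name__ == "__main__":
    for check, users in detect(build_sample_log()).items():
        print(check, sorted(users))
```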
How Do Hackers Compromise Your Email?
Unlike what many people think, hacking emails often doesn’t involve computer wizardry. According to Verizon, three out of every four successful attacks involve a human element — someone who makes a mistake or gets tricked. In more than 50 percent of the cases, attackers simply steal or guess passwords or trick someone into handing over the information.
The table below summarizes the most common ways attackers exploit email — and human — vulnerabilities:
| Technique | Key Characteristics | Examples | Potential Impact |
|---|---|---|---|
| Deception | Exploits human behavior and psychology | Phishing, spear phishing, business email compromise | Steal sensitive information, unauthorized access |
| Malware | Delivers harmful software to devices | Ransomware, drive-by downloads, malware distribution | Data loss, system compromise, financial loss |
| Impersonation | Impersonates trusted entities or individuals | Email spoofing, domain impersonation | Misled recipients, stolen data, fraud |
| Interception | Intercepts and alters email communications | Man-in-the-middle attacks | Data interception, altered communications |
Now, let’s explore each technique in more detail.
Deception tactics in email security don’t hinge on complex technical knowledge. Instead, they exploit human behavior through social engineering. Essentially, attackers manipulate individuals into revealing confidential information or performing specific actions. They play on emotions like trust, fear, or urgency to trick their targets.
For instance, you might receive an email promoting a huge discount on the newest Apple products. It urges you to click on a link to get the offer. It redirects you to a fake website that appears completely normal. You’ll add what you want to your cart and proceed to the payment page. But once you enter your credit card information, you’ll get an error. Behind the scenes, the hacker records all your information and makes purchases using your card.
Now, let’s consider the most common email attacks that use deception:
- Phishing attacks: These are deceptive bulk emails that masquerade as legitimate requests for sensitive information, like passwords or bank details.
- Spear phishing: This is a more targeted version of phishing. Here, the attacker tailors their deceptive email for a specific individual, often using personal information they find on social media or other online sources.
- Business Email Compromise (BEC): The attacker impersonates high-ranking executives or key employees. They might send emails instructing staff to transfer money to a fake vendor or share sensitive data.
Malware is the broad term for any malicious software that harms or exploits a computer. Viruses are a type of malware, but not all malware comes in the form of viruses.
Malware can have various sinister purposes. It can secretly record your keystrokes, giving attackers access to your passwords and other sensitive data. It can also steal information directly from your browser, like your browsing history or saved credit card details.
Some malware can spread to people you know. For example, once the malware infects your device, it might send emails to your contacts. And those emails will look like they came from you because they were sent from your account. So, the recipients are more likely to download attachments because they trust you.
Let’s go over a few other types of email attacks that involve malware:
- Ransomware: This type of malware locks your files using encryption and demands a ransom for their release. If you don’t pay, you might lose access to your files forever.
- Drive-by downloads: These attacks use emails with links to compromised websites. Once you click on the link, malware is automatically downloaded and installed on your device without your knowledge.
- Trojan horses: These are malware disguised as legitimate software. They sometimes spread through email attachments. They can steal data, disrupt your system, or create a backdoor for hackers.
With spoofing, attackers change the “From” field to make it appear as if the email is coming from a different source. They try to impersonate trusted entities, such as friends, superiors, or well-known organizations.
Here’s a straightforward example: You receive an email that seems to be from your company’s IT department. The email address looks legitimate, and the content asks you to click on a link to reset your password. But when you look closely, you notice the link redirects to a domain name that’s slightly different from your company’s. That’s a spoofed email.
So, isn’t email spoofing the same as phishing?
Email spoofing is a form of impersonation, meaning the attacker tries to gain your trust by pretending to be someone they’re not. But phishing uses psychology to trick you into providing sensitive information. An attacker might use both tactics to boost their chances of success.
Interception techniques, also called man-in-the-middle attacks, are among the attacks that need some technical expertise. The attacker captures the sender’s messages before they reach the recipient, reads them, and then forwards them to the recipient. They may even modify the messages or send a different one to the recipient.
Let’s simplify the scenario with an example.
Imagine you’re connected to a public Wi-Fi network at a cafe. You send your colleague an email with the bank account details for a payment to a vendor. An attacker on the same network, who has set up a way to intercept data, captures this email. They change the bank account details to their own and send the modified email to your colleague. When your colleague reads the email, they see a request to make a payment, and since the email seems to come from you, they transfer the money. But instead of going to the vendor, the money ends up in the attacker’s account.
Secure email communication methods, including TLS and SSL, can mitigate the risk in this situation. These are cryptographic protocols that encrypt the email while it is in transit. So, even if an attacker intercepts the traffic, they can’t read or modify it without the decryption key.
Secure and Successful With Campaign Refinery
At Campaign Refinery, our priority is to make sure your emails land right where they should — in your subscribers’ inboxes. With our expert touch, we’ve catapulted clients to double, even triple, their usual metrics.
How do we do that?
By asking our clients to authenticate their domains right when they sign up and giving them automated tools to keep their email lists free from harmful addresses. Our policies and tools don’t just boost deliverability but also improve your email security.
Eager to join us? Check out our pricing and book a chat with us to get the ball rolling.