11 ways to secure your email account
When we think of securing ourselves online, we immediately think of VPNs, firewalls, anti-virus, or (as website owners), SSL Certificates. But how often do we think of email security — or, more to the point, what we can do to enhance email safety for business?
A global recession has triggered an uptick in scams, perhaps due to a combination of financial desperation and new opportunities to prey upon others who are themselves more desperate. Many such scams can start with a bogus email.
Email scams are nothing new. Perhaps it’s because when we’re inside our inbox, we feel a virtual bubble of safety, looking at a mixture of communications from friends, familiar businesses, and references to that cinema trip we took. Hackers take advantage of this bubble by using a whole arsenal of deception — whether it’s a sender address that looks suspiciously like the one you’re used to (spoofing), or a convincing message masquerading as being from a trusted contact. Sometimes it can simply be an irresistible form of clickbait.
While many attacks are best described as psychological, choosing the right email provider can help defend you against them. You might also consider working the tips below into a secure email policy for your business that’s full of email security tips for employees.
11 email safety tips
Review the following tips. There may be several things you can do to improve your business and personal email security.
1. Make sure that you go with a reliable and established email provider
Not every email provider is equal. This especially goes for ones that offer their services for free. As the saying goes, if you don’t pay for a product, you are the product. In this case, it’s usually your data being sold to advertisers who can then target you based on your email content or your contact list. Also, you’re almost certainly subjected to an endless tirade of ads — especially if you’re using an online mailbox rather than redirecting to Outlook (or other desktop software).
If we look at it objectively for a moment, many costs are associated with running an email server. Servers require technicians to maintain them, electricity to power them, and of course, they must be purchased in the first place. While you are only using a fraction of these resources as an individual, consider that nearly everyone uses at least one free email service. Most of us have probably accumulated more than one over time. They’re not run by charities — they’re businesses, looking for ways to monetize you. Even if email is a loss leader, they will try to sell you another of their products or services — like cloud drive.
There are also risks associated with smaller paid email providers. They may try to hook you in with low prices, but you need to ask whether they have the resources to maintain the constant updates required to keep you, and your account, safe.
Ideally, your email will be hosted with a provider that will never sell your data and maintains server and account security.
2. Double-check that your email provider has a powerful anti-spam system and that it’s enabled for your email account
Most larger email providers feature anti-spam protection. It can work in several ways, some boasting automated features that filter rogue emails before they even reach your inbox (by putting them straight in a spam folder or deleting them).
More advanced filters allow for detailed customization, so you can filter a specific word or phrase, block senders, and stipulate a list of safe senders for emails that might mistakenly get caught in filters.
By correctly configuring your email filters, you dramatically lessen the risk of falling for a scam, simply because you will not be subjected to their lures. If you choose Namecheap’s Private Email, for example, it comes with the Jellyfish anti-spam filter as standard. Jellyfish filters 8.5 million emails every day and neutralizes the threats from over 1.5 million spam emails, protecting customers from attacks.
3. Look for clues
You play a big role in your own security. Your vigilance is key to spotting irregularities in emails. As we mentioned, fraudsters use several common strategies to trick you. Here’s a deeper dive into the most common scams:
- Email address: There are a variety of tricks used here. Everything from spoofing a real email address, to using something that looks like it could be a genuine subdivision of a company: firstname.lastname@example.org, or even using a domain that looks the same at a glance: narnecheap.com. A good way to verify if an email is legitimate (if you’re ever unsure) is by looking up the domain on any Whois lookup service. Check when the domain was registered and if the date correlates with when the company was established. If you still aren’t sure, you could always reply using the official contact page of the business in question — to double-check the authenticity of an email.
- Company Name: Company names are even easier to spoof. You’ll notice similar tricks to the email addresses above (eg: Elↄay), but here, it’s even simpler for scammers to either literally write the name of who they are imitating, or simply change something small: (eg: AMAZON, Amazon US Ltd). Lower-effort scammers will only change the name, and the email will still be something like email@example.com.
- Content: Arguably, spoofed content is the easiest to spot. Does the email look professional, and display correctly? Often, spam will replicate the house style of a real company (often convincingly), but some things will be slightly off. Look for spelling mistakes, and typographic/layout issues — but mostly, ask yourself if the real company would put out an email of this quality, or with this message. Most companies spend large amounts of time and money checking and double-checking emails to ensure they look good on every device and platform. Content is by no means the only indicator, though, as some spoofers are getting incredibly good at imitation.
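The sender-address check described above can be partly automated. The following is an added example, not code from the original article: it flags sender domains that only look like a trusted one, such as the narnecheap.com case. The `TRUSTED` allow-list, the `CONFUSABLE` map and the function names are assumptions made for illustration, and the input is expected to be a bare address without a display name.

```python
import unicodedata

# Assumed allow-list: the domains you really correspond with.
TRUSTED = {"namecheap.com", "amazon.com", "ebay.com"}

# Small, illustrative map of character sequences that read alike at a glance.
CONFUSABLE = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def skeleton(domain: str) -> str:
    """Fold a domain to a canonical 'looks like' form."""
    text = unicodedata.normalize("NFKC", domain).lower().rstrip(".")
    for seq, repl in CONFUSABLE:
        text = text.replace(seq, repl)
    return text


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike of <domain>', 'non-ascii' or 'unknown'."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in TRUSTED:
        return "trusted"
    if not domain.isascii():
        return "non-ascii"  # possible homoglyph domain; review by hand
    for good in sorted(TRUSTED):
        # Same visual skeleton, or a single typo away from a trusted domain.
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) == 1:
            return f"lookalike of {good}"
    return "unknown"
```

A result of `unknown` only means the domain resembles nothing on the allow-list; it still deserves the Whois and contact-page checks described above.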
4. Always scan email attachments
Scanning attachments with anti-virus software before you open them ensures documents are clean. Even if an attachment appears to come from a person or account you trust, the sender may have used some of the tricks we outlined above to pose as a friend or business, or it could even be something a trusted sender attached by mistake, or forwarded without realizing it contained a virus.
5. Never log in to a website from an email link
It’s convenient to log in from email. It saves navigating to the website, and most businesses will include links to improve engagement. But cybercriminals know this and use it to their advantage. Their links will lead to replica websites for the business they are purporting to be (like the above examples), but when you enter your login details, they will steal them and use them on the original website — hence why scammers frequently pretend to be from your bank.
It’s always better to spend a little extra time and navigate to the official website in a separate tab.
6. Never access emails from public Wi-Fi
Public Wi-Fi, the kind common in coffee shops and hotel rooms, is usually not encrypted. This means your data can be intercepted and viewed by others using the same connection — which could be a lot of people! For this reason, it’s better never to use public Wi-Fi for any sensitive personal data (including emails), but if you need to do this, use a VPN. A VPN, or Virtual Private Network, will encrypt your data so anyone snooping can’t gain access. Namecheap’s FastVPN is an excellent security solution if you work remotely.
7. Use aliases to protect your email address
Create aliases (alternative email addresses linked to the same account) to use for online subscriptions (to newsletters, mailing lists, website accounts, etc.) and anyone outside your ‘circle of trust.’ Most website logins require a username and password. Most often, the username is an email address. By using multiple email addresses, you spread the risk attached to a key piece of information that makes up half of your login data for most sites.
You could also have at least one email address shared exclusively with close contacts that you don’t use anywhere else. You can then be more confident that emails to this address will be from a set number of people, and when they aren’t, you will notice immediately.
You can also use ‘disposable’ email accounts for cases when you know you only need an address for one specific thing that won’t happen again. This might be locked content you want to read without imparting your personal information. The difference from a regular (permanent) email address is that disposable mail (also known as temp mail, temporary mail, or 10-minute mail) expires, usually after a few minutes up to a few days, and is just for receiving emails.
8. Think twice before hitting the Unsubscribe button
While clicking the Unsubscribe button might look like the most obvious way to stop unwanted emails from clogging up your Inbox, you’re actually putting yourself at risk of being hooked by cybercriminals. Why? Because if it’s a dodgy email, ‘unsubscribe’ is just another cunning way for spammers to trick you into giving away your precious information. The sort of people who want to steal from you won’t think twice about creating a booby-trapped unsubscribe button. It’s simply another way they can maximize their revenue from victims.
9. Use a strong password and change it regularly
Almost every account requires a strong password these days, and email accounts are no exception. There are certain tricks you can use to make passwords memorable while making them almost impossible to hack — like using a passphrase instead of a password.
Of course, it goes without saying that a large part of password security is keeping it updated regularly. Learn more about password security.
10. Enable 2FA and block IMAP/SMTP connection
Two-factor authentication (2FA) is becoming a requirement for many accounts and is offered as a choice on many more besides. Authentication can be achieved in several ways, but it essentially requires a secondary device or app to validate a login. This is because the secondary device or app is unlikely to be accessible to someone remotely attempting to break into your account.
It’s worth noting that while 2FA can be activated on web application-based email, the nature of IMAP and SMTP (adding an email to clients like Outlook and Thunderbird) allows a workaround where 2FA will not be encountered.
With Namecheap’s Private Email, we have this covered. If you’d like to block IMAP and SMTP connections for your account, you can simply get in touch with our customer support.
11. Use Application Passwords
Some email accounts support Application Passwords. These generate a password specifically for use by an application, to restrict the information the app is allowed to access. For example, you may want to link your favorite calendar app to sync with your email calendar. You might create an Application Password, so the app only has access to the calendar information and not your email content.
Enjoy safer email
We hope our top eleven tips will help reassure you that your email is as safe as it can be. If we’ve missed any email security best practices, let us know in the comments!
Don’t forget: Namecheap’s Private Email is one of the most reliable platforms around, with security at its heart.