Emails are among the most common attack vectors used by hackers to deliver malicious files or to collect sensitive information. Most attackers typically begin with an email that either contains a malicious file or a phishing message that coerces their target into sharing sensitive information like their email account password, which attackers then exploit.
In my previous article, I discussed the various ways to identify phishing emails. However, spotting phishing emails is only one method of protecting yourself and your organization from email-based attacks. There are several other practices that can ensure your inbox is not used as an attack vector. Let’s explore these further in this article.
Best Practices for Email Security
1. Use of strong, unique passwords
Using a strong password is one of the most underrated security best practices. Having a strong password for your email makes it significantly harder for brute-force attacks to compromise your account. A strong password typically has at least 8 to 12 characters, including a mix of upper and lower-case letters, numbers, and special characters.
Avoid using easily obtainable information like birthdays or simple words in your passwords. Also, each account should have its own unique password to prevent a breach on one platform from affecting others. Check out my article “How Long and Complex Should Your Passwords Be?” to learn more about password best practices.
2. Use two-factor authentication (2FA)
2FA enhances your email account security by requiring a second form of verification beyond just a password. This could be a code sent to your phone or email, a fingerprint, or a hardware token. This makes it much harder for hackers to gain access to accounts, even if they have the password. One of the most secure and convenient 2FA methods is using an authenticator app like Google Authenticator.
3. Regularly updating email software and systems
Regular updates to your email client software like Gmail or Apple Mail help protect against vulnerabilities that hackers might exploit in software. Developers of these mail apps, like Google and Apple, routinely release patches and updates to fix security issues, so keeping software up to date is vital for maintaining security. In addition to the mail client, ensure that you keep your operating systems updated with the latest software as well.
4. Being cautious of unsolicited attachments and links
Cybercriminals often use email attachments and links to deliver malware and phishing scams. If you receive an email with an attachment or a link from an unknown sender, or if the email looks suspicious, it’s best to avoid clicking on anything until you can verify its legitimacy. Even if you receive links from known senders, you should examine them carefully. Sometimes, an attacker may have compromised their account and is using it to target others.
5. Avoiding public Wi-Fi for sensitive email access
Public Wi-Fi networks are often unsecured, making it easier for hackers to intercept data. When accessing sensitive information such as emails, especially those containing personal or financial information, it’s safer to use a secure network or a virtual private network (VPN) to encrypt your connection.
6. Implementing SPF, DKIM, and DMARC to reduce email spoofing
Organizations can enhance their email security by implementing these advanced measures:
- SPF (Sender Policy Framework): This is a protocol used to verify that an email is sent by an authorized sender. It helps reduce email spoofing by checking the sending server of an incoming email against the list of authorized IP addresses and mail servers published in the domain's DNS. An email from a server not on that list fails the SPF check and can be rejected or flagged by the receiving server.
- DKIM (DomainKeys Identified Mail): This adds a digital signature to emails, which helps verify that the email has not been altered in transit and confirms the authenticity of the sender.
- DMARC (Domain-based Message Authentication, Reporting & Conformance): This protocol uses SPF and DKIM to determine the authenticity of an email and specifies how mail servers should handle emails that fail these checks.
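To make the interplay between the three mechanisms concrete, here is an added Python example (not code from the original article) that evaluates a message the way a receiving mail server would: it checks the sender's IP against the domain's SPF record, reads the DMARC policy, applies identifier alignment, and returns a disposition. The DNS records in ZONE are constructed for a hypothetical domain, the SPF evaluator handles only ip4/ip6/all mechanisms (no include:, a, mx or redirect=), the organizational-domain logic is a simplification of the Public Suffix List, and the DKIM signature is assumed to have already been verified, so only its signing domain (d=) is passed in.

```python
import ipaddress

# Constructed DNS TXT records for a hypothetical domain (not real zone data).
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "newsletter.example.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r",
}

# SPF qualifiers map to the result returned when a mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query; reads the constructed ZONE above."""
    return ZONE.get(name.lower())


def check_spf(domain, sender_ip):
    """Minimal SPF check: only ip4:, ip6: and 'all' are supported (assumption)."""
    record = lookup_txt(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                      # no SPF record published
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif mech == "all":
            return QUALIFIER_RESULT[qualifier]
        # include:, a, mx, redirect= etc. are not implemented here and are skipped
    return "neutral"


def parse_dmarc(domain):
    """Parse the _dmarc TXT record into a tag dictionary, or None if absent."""
    record = lookup_txt("_dmarc." + domain)
    if record is None or not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    """Simplified organizational domain: last two labels (real code uses the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(candidate, from_domain, mode):
    """DMARC identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if mode == "s":
        return candidate.lower() == from_domain.lower()
    return org_domain(candidate) == org_domain(from_domain)


def evaluate_message(from_domain, mail_from_domain, sender_ip, dkim_signing_domain=None):
    """Return (spf_result, dmarc_result, disposition) for one inbound message.

    from_domain: domain in the visible From: header (what the user sees)
    mail_from_domain: envelope sender domain that SPF is evaluated against
    dkim_signing_domain: d= of an already-verified DKIM signature, or None
    """
    spf = check_spf(mail_from_domain, sender_ip)
    policy = parse_dmarc(from_domain)
    if policy is None:
        return spf, "none", "deliver"      # no DMARC policy: nothing to enforce
    spf_ok = spf == "pass" and aligned(mail_from_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_signing_domain is not None and aligned(
        dkim_signing_domain, from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:                  # DMARC passes if either aligned check passes
        return spf, "pass", "deliver"
    disposition = {"reject": "reject", "quarantine": "quarantine"}.get(policy.get("p", "none"), "deliver")
    return spf, "fail", disposition


if __name__ == "__main__":
    # Legitimate mail from an authorized server, and a spoof from an unknown IP.
    print(evaluate_message("example.com", "example.com", "192.0.2.10"))
    print(evaluate_message("example.com", "example.com", "203.0.113.5"))
```

The two calls at the bottom show the core point of the section: the same From: domain is delivered when the sending IP is listed in SPF, and rejected when it is not, because the DMARC record says p=reject. The third path, where SPF fails but an aligned DKIM signature verifies (for instance mail relayed through a forwarder), still passes DMARC, which is why publishing both SPF and DKIM matters.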
7. Using email security software
Email security software helps protect against spam, malware, and phishing attacks. Spam filters, such as those in tools like Microsoft Defender 365 and Google Workspace Security (for Gmail), work by blocking suspicious emails based on patterns and known threats. Using antivirus software also enhances protection by scanning attachments and links for malware, helping to prevent infections before they reach your inbox.
What You Should Do When Your Email Account Is Compromised
In the unfortunate event that your email account is compromised, it’s essential to act promptly to secure your information and prevent further damage. Here’s a detailed breakdown of the steps you should take:
Immediate Action
- Change Your Passwords: As soon as you suspect that your email account is compromised, immediately change your password while you still can. Make sure to choose a strong and unique password.
- Enable Two-Factor Authentication: If your email provider offers it (most providers do), enable two-factor authentication (2FA) to make the account even more secure.
- Notify Your Contacts: If you are not able to change your password, use any other channel to inform your contacts that your email account has been compromised. Warn them not to click on any suspicious links or attachments they might receive from your address.
After Recovering the Account
- Check Account Settings: After recovering the compromised account, look through your account settings for any unauthorized changes. Pay special attention to email forwarding settings, recovery information, and account security questions.
- Scan for Malware: Use reputable antivirus software to scan your devices for malware that may have led to the compromise.
- Review Recent Activity: Check your email’s recent activity for unfamiliar logins or actions. Many email providers offer a feature to see recent account access.
- Notify Relevant Authorities: If sensitive information was exposed or if you’re a victim of identity theft, report the incident to the appropriate authorities, such as the Federal Trade Commission (FTC) in the United States.