Day to day, we don’t pay much attention to the contents in our email mailboxes. We don’t even assign much value to the data that they hold.
But for a hacker, every individual’s email is a hidden treasure trove; a crime spree just waiting to happen.
In a few seconds, someone could extract dangerous amounts of personal data from your email account. They could trigger a password reset for dozens of online accounts and services, and cause serious problems for your employer. They could fire out malware to your entire contacts list, or comb through attachments for a photo of your password.
Email security isn’t something you should take for granted. It’s a very real threat. This step-by-step guide shows you how to stay safe by securing your email account, your message, and your internet connection.
Improve your password skills
Hopefully, nobody reading this article is using the word ‘password’ as a password for their email. But you might unwittingly be using passwords that are easy to guess, like your date of birth, or your mother’s maiden name.
Believe it or not, the most common password in 2017 is 123456. Yes, really.
The second isn’t that imaginative, either. It’s… yep. 123456789.
When a hacker tries to get into your email account, they will initially try these super-simple, unsecure, but incredibly common passwords. They’ll run their script and see if they get lucky.
It’s really not difficult to outsmart them:
- Get into the habit of creating long passwords
- Don’t use repeating numbers (111111) or sequences (qwertyuiop)
- Mix of numbers and letters
- Avoid real words.
Additionally, you should use unique passwords for every site or app that you use. This is really important, because if a site gets hacked, and your login data is exposed, your password will probably be posted online with your email address. You need to make sure you don’t inadvertently open up access to all of the sites you use.
There are two very simple ways to create unique passwords without giving yourself a headache:
- Use a password manager. Allow it to create unique passwords and save them to a secure virtual vault that only you can access. LastPass and 1Password are worth considering for this purpose, but remember to create a highly secure ‘master’ password.
- Come up with your own ‘code’ system that only you know. When you sign up to a new site, use your system to build a new password.
Option 2 is a potentially powerful way to help you remember near-unique passwords without writing them down. For example, you could use a base password of qwe!x123@ and embed the first three letters of the site’s domain name in the middle. For example:
- This site’s password would be qwe!xtop123@
- Your password for observer.com would be qwe!xobs123@
It isn’t a perfect system. But it’s better than using one password everywhere. You can probably come up with a better code yourself.
(Don’t copy the above example exactly. It isn’t very secure – particularly now we’ve published it on the internet!)
Review apps and integrations
For convenience, we connect all kinds of applications and services to our email accounts and social media profiles.
Periodically go through these and revoke access to services you no longer use.
This is important for two reasons:
- If you don’t use an app, and it winds up being hacked, you’d probably never hear about it. Yet the hacker could have access to your email.
- Services sometimes change policies and start to use data in new ways, and you might not get the memo. For example, Unroll.me is one example of a company that started selling data about its users’ email usage.
If you use Gmail or G Suite (the new name for Google Apps), you can quickly review and revoke access here. Other providers’ procedures vary.
Secure your devices
This one should be a no-brainer, but it’s worth saying anyway: secure access to your phone and computer with the strongest possible method.
Also, ensure it doesn’t start up unlocked, or stay unlocked for long periods, even when you’re at home. It takes seconds for someone to try your door and make off with your device.
Sure; unlocking your device every so often is a pain in the butt. But being hacked is far worse. If someone has your unlocked phone, they have access to everything – including your email.
Encrypt sensitive emails
If you send emails containing sensitive data, you should always use a method of encryption. And it’s important to remember that there’s a difference between your session security and the security of email messages.
Just because your webmail provider uses https://, that isn’t enough to keep your emails secure. You need to set up encryption on top.
To understand why, we need to look at how emails are sent and received.
Providers that use https:// are only encrypting your connection to their server, just like your bank does when you log into your account. Once an email is sent, all bets are off. Some providers will secure emails sent within the same service (for example, a Gmail email sent to another email on Gmail’s servers). But if the email leaves Google for another service, it likely won’t be secured at all. And the provider is still logging details, regardless.
Encryption is a complex topic, and we aren’t going to get into the technical fine print here. There are other guides on the internet that explain it in detail.
But thankfully, there are some very simple ways to encrypt your emails, and you don’t need to be a cryptographer to set them up.
Here are our favorites:
- Mailvelope is a useful add-on for Chrome that adds OpenPGP security to many popular webmail services, including GMX and Gmail. You can email anyone with a public key without much hassle. All you need to do is create your own key pair, which is clearly explained.
- Protonmail is a webmail service that offers completely secure email, and it doesn’t retain any logs. You can’t use regular PGP keys with it, which is the main downside. But you can still email anyone securely by inviting them to click on a link and read a secure message in their browser. A free plan is available, and you can also set messages to expire.
- Tutanota is one of the few email services that can encrypt the email’s subject line along with its contents. It also encrypts your contacts and attachments. Again, the basic plan is free (private use only).
- Snapmail forces Gmail messages to expire, much like a SnapChat message. It’s easy to use; just click ‘Snapmail’ instead of ‘Send’.
- Microsoft Office offers encryption, but you may have to pay extra to switch it on, depending on your existing plan.
In truth, email is lagging behind when it comes to security. But encrypted email has never fully taken off because users find encryption complicated and confusing.
For general purpose usage, the above services all make secure email simple enough for a novice. Give them a try.
Use a VPN
A VPN cannot make your email secure by itself. But it should still form part of your internet security toolkit.
The key point here is that email security doesn’t start and end with the message. There are a number of factors at play, including the security of your connection.
Many hackers use man-in-the-middle attacks to gain access to email, and this is exactly the kind of attack that a VPN will prevent. In a man-in-the-middle attack, a hacker interferes with the transmission of data from one computer to another. It’s essentially eavesdropping, but with the potential to actually alter the data as it moves back and forth.
When this kind of hack takes place, you might be unwittingly revealing the contents of your emails as they’re sent. These kinds of attacks are dangerous. You’ll never know that you’ve been targeted, and you might be redirected to fake websites that look perfectly legitimate.
VPNs offer multifaceted protection against a variety of online threats. If you fire up your VPN before using email, you essentially place all of the data between you and your email server into an encrypted tunnel. That prevents anyone from seeing it. If you’re using a public Wi-Fi connection, you should always use a VPN before using the internet for this reason.
Remember: a VPN does not make email messages secure. But it makes a good companion to encryption when you want to cover all bases.
Use email sensibly
In 2011, Mark Zuckerberg claimed that email was dying a death. Six years on, we’re still using it as enthusiastically as ever. Just for once, Zuck got it wrong.
But he did foresee an important change: people are more interested in security than they used to be.
Email, by default, isn’t a suitable channel for sending your social security number or credit card details. Never email anything that you wouldn’t be comfortable printing out and sticking to your front door. WhatsApp and Facebook Messenger are actually safer because they offer full end-to-end encryption.
So if you need to send someone a scan of your ID card, it’s much safer to use a messenger app than it is to use your email. Likewise, it’s important to learn to trust your spam folder and filters. Scammers are very good at sending malware attachments that are convincingly disguised as fake invoices or gift certificates.
And email hacking is favored by some of the biggest and most powerful hacking groups in the world. If the contents of your email is likely to get you in trouble with authority, you shouldn’t be using unsecured email at all.
The internet has brought huge convenience, and we’ve become complacent. We leave our devices switched on and logged in all the time. When we connect to public Wi-Fi, we browse without really thinking. Our email accounts are constantly vulnerable.
Here’s the first golden rule. The more convenient something is, the less secure it is, too. It’s super-convenient to leave your back door open all day long, but you’re presenting an intruder with an easy route into your home. Exactly the same principle applies online: securing your email makes it less convenient, but even the slightest improvement offers better protection.
Here’s a final golden rule to remember. Hacking is not difficult. But the average hacker is lazier than you. They don’t want to put a lot of effort into committing fraud; they want that door left open for them. By making a few small changes, you can stop them in their tracks.