Why is email security important? Well, email is one of the most popular attack vectors for cybercriminals. Organizations and private individuals worldwide send millions of emails every day and nearly every email contains some piece of information (financial data, personal data, etc.) that could help a cybercriminal launch a profitable cyberattack.
- Email security precautions will vary between personal and business uses. What works for one may not work as well for the other.
- The two main categories of email threats are inbox threats and transit threats. The former passively waits in a malicious email, while the latter involves a targeted attack.
- Gmail, Thunderbird and other popular email services feature TLS encryption by default. There are many encrypted messaging apps for those who want end-to-end encryption.
In this article, we’ll walk you through some of the most common email security threats and what you can do to protect your privacy. We’ll cover the different types of email encryption and some recommended security best practices for individuals and businesses.
09/17/2021 Facts checked
Updated info on personal vs business email security, VPNs, DMARC and phishing exercises.
Email security can be roughly categorized by personal and business use. The former involves protecting the communications of one person, whereas the latter involves email protection for an entire company and its clients.
Email security requires knowledge, first and foremost. Learn about all the ways your emails could be abused by malicious entities online and use discretion when opening emails from unfamiliar sources (or even familiar ones).
Individuals can improve their email security by using a VPN, installing antivirus software, using stronger email encryption protocols and employing email filters. Businesses can benefit from each of these — plus DMARC, phishing exercises and multi-factor authentication — to protect sensitive information.
Understanding Email Security
Your emails may seem mundane to you, but every message you send is a goldmine for cyber-thieves. Sending sensitive data, such as financial information, via email is commonplace in modern times. However, configuring a strong security setup to protect those emails is a less common practice. After all, why would a casual message to a friend need extra security?
It’s tempting to think your emails are valueless when they don’t contain financial or personal data, but even data as innocent as your dog’s name or the name of your school can expose your identity. Cybercriminals collect as much data as they can in order to piece together who you are and how you could be targeted in a future cyberattack.
In other words, hackers want your emails, even if you think there’s nothing valuable in them. No matter what you put in your email, every message provides the raw material for phishing attacks, credential theft, identity theft and a range of other cybercrimes.
Email Encryption & Filtering: Is Email Secure?
Most email applications implement basic email security precautions like encryption and spam filtering, but email security threats are evolving every single day. While spam filters may catch the majority of malicious messages targeted at your inbox, we don’t recommend relying on the default security features included in Gmail, Thunderbird or other popular email services.
Before we move on to the top email security problems and their solutions, always remember that your cybersecurity practices make up the foundation of your privacy. No amount of technology will protect you if you do not clearly understand the threats to your data and exercise sound judgment in all of your online activities.
Types of Threats With Email Accounts
Poor email security will expose your data to a variety of different threats online, which can be categorized into two groups: inbox threats and transit threats.
Inbox threats are malicious emails that provide a springboard to subsequent fraudulent activities. They usually come in the form of phishing emails that contain malicious links to hacker-controlled domains or malware installations.
“Phishing” messages are messages designed to lure the recipient into disclosing their personal data using some kind of bait. Phishing attacks come in many shapes and sizes — bulk phishing, spear phishing, whaling, etc. — but in short, they’re fake messages purporting to come from a trusted sender. Creating a sense of trust with the recipient is essential for successful phishing attacks.
The other major email security threats are transit threats, or outbound email traffic threats — those that target emails on their way to the recipient. Man-in-the-middle (MitM) attacks are the most common type of transit threat.
In MitM cyber attacks, a third party monitors the transfer of data between two parties and uses that information to craft a targeted phishing email. For example, a hacker could intercept an email from your bank and use that data to create a fake email that looks just like the official email, except with a malicious link planted in the message.
The link leads to an attacker-controlled webpage designed to look just like the real site. Entering one’s credentials into such a website doesn’t grant access to the banking service, but merely sends the credentials to the attacker for further abuse. MitM attackers usually use their device as a proxy between the sender and the targeted recipient.
Security: Email Encryption
Encryption is an essential email security solution. The most common encryption protocols used for email security are Transport Layer Security (TLS) and those that use end-to-end encryption such as S/MIME, GPG and PGP.
The TLS protocol is a cryptographic protocol that developed out of the Secure Socket Layer (SSL) protocol. TLS is designed to securely deliver data over the internet so that malicious third parties can’t intercept and access data sent from one device to another. You can tell that a website is secured with TLS by the green padlock beside the URL.
End-to-end encryption occurs before a user sends an email, then decrypts after the email arrives in the recipient’s inbox. This form of encryption is based around public keys and private keys.
The sender’s message is encrypted with a public key that prevents third parties from reading the content of the message in transit. Should someone intercept the email, the encryption scrambles the data so the message reads as an illegible string of random numbers and letters.
Once the message arrives in the intended recipient’s inbox, the recipient uses the corresponding private key to decrypt the message back into readable text.
If you want an extra layer of security to protect your emails, we recommend using email clients that come with end-to-end encryption by default. Our favorite end-to-end encryption email service is ProtonMail, which rose to fame precisely because of its encryption. Tutanota is a comparable service, and Mailfence is a general-use email client that has an end-to-end encryption option.
Email Security: Best Practices for Personal Use
As you can see, there are a multitude of threats lurking online, but there are just as many ways to defend yourself. Every email security solution involves a trade-off between security and ease of use, and some solutions are better for personal use than for businesses.
If you’re simply trying to make your personal email more secure, it might not be the best idea to invest in heavy-duty email security protections that make email too difficult to use. This is a common problem for those who try to use end-to-end encryption for their everyday emails. Let’s look at some of our options.
1. Use a VPN
One of the strongest methods of keeping your communications secure is to use a VPN, or a virtual private network. VPNs are privacy tools that will encrypt your internet traffic and route it through an intermediary server somewhere else in the world, keeping your online activities hidden from your internet service provider, advertisers and malicious entities online.
ExpressVPN is one of our favorite VPNs. Some VPNs put the priority on security, some on streaming and speed, and some manage to hit all the right marks — like ExpressVPN. It keeps your traffic secure with 256-bit AES encryption while maintaining high speeds for streaming, downloading, and gaming. Read our full ExpressVPN review here.
2. Create Custom Filters for Email Messages
Configuring your email application with custom filters should catch most of the malicious emails that evade your spam filter. Cybercriminals are coming up with new schemes every single day, so keep an eye out for suspicious emails and add the relevant keywords to your spam filters.
3. Download Antivirus Software
Sometimes you don’t know that your privacy has been compromised until after the fact. That’s when a robust antivirus program comes in handy. Antivirus software is a useful backup in the event your VPN, spam filters and other protections fail to catch cleverly designed email threats.
Your email is in good hands if you use Bitdefender Antivirus, which you can read about in greater detail in our Bitdefender review. Bitdefender detects and eliminates all malware that crosses its path and comes with loads of extra security features, including system optimization tools, an anti-theft system and file encryption, to name a few.
4. Use an Encrypted Messaging App
If standard email applications like Gmail aren’t secure enough, there’s always the option of keeping all of your messages encrypted with an encrypted messaging application.
Most email applications use TLS by default but aren’t equipped with stronger email security protections like end-to-end encryption, which is inconvenient to implement for everyday messaging. That’s because it requires both the sending and receiving devices to be configured with it.
Opting out of email communication for encrypted messaging apps won’t force you to make compromises with security. Signal Private Messenger is a popular encrypted messaging app for iOS and Android built with open-source code.
Email Security: Best Practices for Business
Business owners need to bring their corporate email security up a notch from the personal protections outlined above. Failure to implement security best practices will result not only in the compromise of an individual’s privacy, but the privacy of the business’ employees, partners and customers as well.
If you’re at the head of an organization with employees, there are many company-wide measures you can take to combat phishing, malware and other cyber-threats.
1. Phishing Exercises for Employees
Your employees are the first line of defense. A well-trained workforce capable of identifying phishing emails is essential for the security posture of any business. Regularly testing your employees’ use of security best practices with false phishing attacks will keep everyone sharp and alert.
Anyone who clicks on a “malicious” link inside the message will receive a notification explaining that it was a false email and that they failed the test. The results of a company-wide phishing exercise will help the business owner gauge the security posture of each employee and inform further security decisions.
2. Multi-Factor Authentication
Passwords aren’t always enough to keep cybercriminals out. Weak passwords are a big enough threat to email security as it is, but advanced password-stuffing attacks expose email users to an even higher level of risk.
Multi-factor authentication (MFA) and two-factor authentication (2FA) are login methods that rely on more than just a password. Even if a hacker manages to guess your password or take it from a database of leaked credentials on the dark web, that won’t be enough to access the email account.
Additional authentication measures include entering a one-time passcode, answering a call or responding to a prompt through an app on your smartphone.
3. DMARC Protocol
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol widely used by businesses to prevent domain spoofing.
Cybercriminals add credibility to their phishing emails by imitating domains trusted by the recipient, often masquerading as employees of the targeted business. DMARC lets a domain owner know who is sending messages on their behalf and automatically quarantines suspicious emails.
Final Thoughts: Security for Email Accounts
Email protection needs will vary from one person to another, whether you want additional security for personal use or you’re a business owner protecting your whole enterprise. All of the most widely used email applications (Gmail, Firefox, etc.) secure their users’ communications with TLS at a minimum, but that won’t be enough email protection for most.
Do you think TLS is enough to keep you safe from phishers, scammers and MitM attacks? Or is end-to-end encryption a must for every email? Are there better ways to protect your inbox not mentioned in this article? Let us know what you think in the comments, and as always, thanks for reading.