For those who need a little email sanity and easy-to-understand email security advice
Which of these sounds most like your email habits?
- I use one or two email addresses in a web browser (like Gmail)
- I use multiple email addresses in an email application (like Outlook)
- I use multiple email addresses in a never-ending dystopia about how many emails I get at all hours of the day and night
- All of the above
Most people, most of the time, are doing all of the above. You have a personal email address like Gmail, and a work email address that’s managed by either an IT department or a business-scale service like Microsoft 365. And you might throw all of these email addresses into an application like Outlook or Apple Mail to use other features like calendars and to have them all in one place.
The Internet is littered with email security guides and lists with advice that isn’t practical, isn’t applicable, isn’t easy to understand, or is just alarmist and wrong.
Email security myths
Things like “avoid giving your email address away”, “log out when you’re done”, and “plan for an attack by visualizing your team’s email activity” aren’t just unlikely, they’re almost absurdly out of touch. For most people, visualizing their email looks like, “I sit down at my desk, I open the email, I send email.”
“Keep an antivirus app on your device” is also common but largely useless. Windows Defender, built into Windows 10 and 11, is very good, as is the built-in security from Apple on Macs. iOS devices have a security architecture that makes an antivirus application there about as useful as handing a scuba diver a pair of latex gloves, and Android is similarly equipped to take care of itself. Most antivirus programs today are a drain on system resources and are more focused on preserving their business models than on actually offering useful protection. The popular Norton AntiVirus software now includes a built-in Bitcoin miner, of all things.
Another common tip, “change your email password frequently”, isn’t just annoying; it gives a false sense of security that results in worse passwords (we know you just add a “1” or an “!” to the end of an already short word anyway). Even the FTC thinks it’s time for mandatory password changes to stop.
There is a saner way and it starts with testing your ability to spot suspicious material quickly.
About this guide
- VPC has compiled this list of email security advice for everyday email users and for small organizations and businesses.
- Healthcare organizations should heed slightly different advice due to the differences in HIPAA compliance and patient security. Schools and universities are also targets for different kinds of attacks than what is discussed here.
- There are hundreds of combinations of services and systems, team sizes, and everyday realities. Someone who regularly emails with overseas suppliers is going to have a different experience than someone who works in a smaller geographic area close to home.
Email security guide table of contents
- How to spot a suspicious email
- Use the website directly instead of clicking a link
- Like domestic and child abuse, the “hackers” are likely someone you know
- The danger of phishing emails
- Spear phishing from your website and social media
- How does spear phishing work? How do they even know this about me and my team?
- Protect yourself and your team from spear phishing attacks
- Attachments and spotting malware
- Use a junk-only forwarder
- How to have good password hygiene
- Using different passwords for different email accounts
- What is a strong password?
- Avoid forced password reset periods
- Using two-factor authentication
- Difference in two-factor authentication and two-step authentication
- Understanding public WiFi networks and encryption
- Encrypt your devices
- Enable encryption on your iPhone in iOS 15
- Enable encryption on your Android device
- Enable encryption on your Windows 10 or 11 PC
- Enable encryption on your Mac
Does your team need some cybersecurity help?
VPC can conduct onsite, interactive, tabletop, and virtual cybersecurity training and audits that go beyond email security.
We’ve worked with the Midwest’s largest governments, enterprises, and healthcare providers to audit, protect, and train organizations to react and respond to malware, ransomware, cybersecurity, and more.