ProtonBlog(new window)

Email security best practices your team should be following right now

Share this page

The single biggest threat to your business’s online security is malicious emails. As owners and managers, it’s up to you to require email security best practices among your employees and institute a security-minded culture within your organization.

Contrary to popular myth, the most effective hacking techniques require almost no technical skill. A hacker only needs an Internet connection, an email account, and a knack for deception. Phishing email attacks(new window) remain the most common and devastating attack vector. These attacks use various social engineering strategies and target end users (i.e. your employees) rather than infrastructure.

According to research by Symantec(new window) looking at 2016, “One in 131 emails sent were malicious, the highest rate in five years.” These kinds of attacks have become so widespread, costing businesses worldwide about$1.8 billion a year, that in 2017 the FBI decided to put out a public service announcement(new window) about it. They reported that the amount of money lost to email scams had increased 2,370% between January 2015 and December 2016.

In this article, we explain how implementing email security best practices can minimize your organization’s vulnerability.

Email security best practices

Given that hackers tend to exploit human mistakes rather than technical ones, your company’s security policy should emphasize each employee’s role in preventing cyberattacks. Here are the main points you may want to focus on:

1. Education

The most important thing you can do is keep security a priority among your team. Start by understanding the common phishing attacks(new window) and share updates and reminders with your employees regularly.

Limit public information

Attackers cannot target your employees if they don’t know their email addresses. Don’t publish non-essential contact details on your website or on any public directories, including phone numbers or physical addresses. All these pieces of information can help attackers engineer an attack.

Carefully check emails

Phishing attacks are seldom perfectly executed. Often there’s a tell, such as a bizarre From address (e.g., unusual links (e.g., or a high number of typos or formatting mistakes in the text. If it looks suspicious, employees should report it.

Beware links and attachments

Your employees should be skeptical anytime they receive an email from an unknown sender. Do not click on links or download attachments without verifying the source first and establishing the legitimacy of the link or attachment. Attachments are especially dangerous because they may contain malware, such as ransomware or spyware, that can compromise the device or network.

Hover over hyperlinks

Never click on hyperlinked text without hovering your cursor over the link first to check the destination URL, which should appear in the lower corner of your window. Sometimes the hacker might disguise a malicious link as a short URL. You can retrieve the original URL using this tool(new window).

Never enter your password

Unless you’re 100% certain the website is legitimate, you should never enter your password anywhere. If you aren’t logging into your account and you haven’t requested to reset your password, then password reset links are likely part of a phishing attack. Password managers, in addition to helping you use strong, unique passwords, can detect fake websites for you.

If in doubt, ask— Better safe than sorry. Your employees should be instructed to check with IT staff or a manager any time they have doubts about an email.

Technical safeguards in Proton Mail

Security training is your best defense, but it isn’t the only defense. It’s important to choose an email service provider that takes security seriously. At Proton Mail, we have implemented a number of unique security features designed to minimize the threat of email-based attacks, including several dedicated anti-phishing technologies(new window).

As another line of defense against account compromise, Proton Mail allows users to enable two-factor authentication(new window) (2FA). When enabled, 2FA requires users to enter a six-digit code generated on their smartphone before gaining access to their account, in addition to their username and password. This assures that even if hackers learn the user’s password, they would still be prevented from logging in.

Authentication Logs(new window) are another special email security feature in Proton Mail. This allows you to check whether someone else has access to your account. If someone else does have access or if you accidentally stayed logged in on a device you don’t control, you can log out of other sessions remotely(new window).

We have also published a number of resources on our website, including this safe email guide(new window) and resources about the GDPR(new window) and HIPAA(new window), that can help guide your organization’s security policy. By following the email security best practices above and choosing a security-focused email service, you can significantly reduce your chance of falling victim to an email attack.

You can get a free secure email account from Proton Mail here.

We also provide a free VPN service(new window) to protect your privacy.

Proton Mail and Proton VPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan(new window). Thank you for your support!

Protect your privacy with Proton
Create a free account

Share this page

Ben Wolford(new window)

Ben Wolford is a writer and editor whose work has appeared in major newspapers and magazines around the world. Ben joined Proton in 2018 to help to explain technical concepts in privacy and make Proton products easy to use.

Related articles

How to share a PDF
Sharing a PDF with coworkers, friends, or family members can sometimes be trickier than it seems if you’re trying to share a large file or if you want to use secure encryption. In this article, we show you how to share any PDF quickly, easily, and se
Proton Pass for Windows
Proton Pass is launching its new app for Windows, allowing you to access our password manager from your desktop. As one of our community’s most requested features, it’s available to everyone starting today. Proton Pass is the centerpiece of our effo
password policy
Businesses are increasingly dealing with the fallout from cybercrime: The number of attacks is on the rise and the damage done is growing exponentially. One of the most common vulnerabilities for organizations are their passwords. Since they are your
How to free up disk space
If you’ve ever owned an electronic device of any kind, you know the struggle of running out of space. No matter if it’s a smartphone, laptop, or desktop computer, there never seems to be enough room for all your files. Let’s show you some simple ways
What is 3-2-1 backup
Data backup is vital for businesses and individuals alike: In case something happens to your primary computer, you always have a copy of your data to fall back on.  How should you approach backup, though? The 3-2-1 rule can act as a guide when decid
What was your first pet’s name? In what city were you born?  We’ve all had to answer these questions to reset a long-forgotten password, but consider how that works. Much of this information is easy to find for others (or easily forgotten by you), m