10 email security best practices to protect your small business

The single biggest threat to your business’s online security is malicious emails. As owners and managers, it’s up to you to require email security best practices among your employees and institute a security-minded culture within your organization.

Contrary to popular myth, the most effective hacking techniques require almost no technical skill. A hacker only needs an internet connection, an email account, and a knack for deception. Phishing email attacks remain the most common and devastating attack vector. These attacks use various social engineering strategies and target end users (i.e. your employees) rather than infrastructure.

These attacks have become so widespread that the FBI put out a public service announcement in 2022, calling business email compromise “The $43 Billion Scam.” Filings with financial institutions between June 2016 and December 2021 revealed compromised business emails impacted more than 240,000 victims in all 50 states and 177 countries.

In this article, we explain how implementing email security best practices can minimize your organization’s vulnerability.

Email security best practices

Given that hackers tend to exploit human mistakes rather than technical ones, your company’s security policy should emphasize each employee’s role in preventing cyberattacks. Here are the main points you may want to focus on:

1. Education

The most important thing you can do is keep security a priority among your team. Start by understanding the common phishing attacks and share updates and reminders with your employees regularly. We’ve published articles documenting new kinds of phishing scams. You might want to share examples of attacks you receive with your team to keep them alert.

2. Limit public information

Attackers cannot target your employees if they don’t know their email addresses. Don’t publish non-essential contact details on your website or on any public directories, including phone numbers or physical addresses. All these pieces of information can help attackers engineer an attack.

It’s good practice to limit the number of people who know your real email address. Proton allows you to create multiple email addresses (including email addresses using your company’s custom domain with a Proton Business Suite plan). Additionally, hide-my-email aliases in Proton Mail are a way to protect your identity, control spam, and prevent phishing.

Hide-my-email aliases are unique, randomly generated email addresses you can share publicly instead of your real email address, meaning you can create accounts, receive emails, and reply in your Proton Mail mailbox without revealing your identity. 

A Proton Business plan will give you an unlimited number of aliases to create as many as you need. You’ll find your hide-my-email aliases in our new Security Center in Proton Mail. 

3. Carefully check emails

Phishing attacks are seldom perfectly executed. Often there’s a tell, such as a bizarre sender address, unusual links, or a high number of typos or formatting mistakes in the text. If it looks suspicious, employees should report it.

4. Beware links and attachments

Your employees should be skeptical anytime they receive an email from an unknown sender. Do not click on links or download attachments without verifying the source first and establishing the legitimacy of the link or attachment. Attachments are especially dangerous because they may contain malware, such as ransomware or spyware, that can compromise the device or network.

5. Hover over hyperlinks

Never click on hyperlinked text without hovering your cursor over the link first to check the destination URL, which should appear in the lower corner of your window. Sometimes the hacker might disguise a malicious link as a short URL. You can retrieve the original URL using this tool.

6. Never enter your password

Unless you’re 100% certain the website is legitimate, you should never enter your password anywhere. If you aren’t logging in to your account and you haven’t requested to reset your password, then password reset links are likely part of a phishing attack. Password managers, in addition to helping you use strong, unique passwords, can detect fake websites for you.

If in doubt, ask. It’s better to be safe than sorry. Your employees should be instructed to check with IT staff or a manager any time they have doubts about an email.

7. Enable two-factor authentication (2FA)

As another line of defense against account compromise, Proton allows you to enable two-factor authentication (2FA) or make it mandatory for your org. When enabled, 2FA requires you to enter a six-digit code generated on your smartphone before gaining access to your account, in addition to your username and password. This ensures that even if hackers learn your password, they would still be prevented from logging in.

8. Monitor authentication logs

Authentication Logs are another special security feature in Proton Mail. This allows you to check whether someone else has access to your account. If someone else does have access or if you accidentally stayed logged in on a device you don’t control, you can log out of other sessions remotely.

9. Use a VPN 

The virtual private network (VPN) was originally developed to let remote workers securely access corporate intranets as though they were physically connected to their office’s local area network (LAN).

Many businesses may find it useful to provide employees individual VPN subscriptions to give them the ability to access the internet privately.  

Proton VPN for Business encrypts the online traffic of your business to provide an extra layer of defense against hacking and surveillance. When you connect to Proton VPN’s unique Secure Core architecture, your internet traffic is routed to a VPN server in a privacy-friendly country, such as Switzerland, Iceland, and Sweden. That means any third party monitoring your traffic will only be able to trace it back to the edge of Proton’s VPN network, allowing you to conduct business with a strong sense of security and privacy.

A VPN for your business could be particularly useful for employees who must travel across international borders, where governments are increasing internet restrictions and content censorship, making it difficult to use the internet freely. With Proton VPN, you can bypass region blocks and censorship, allowing you to access the content you need to do your work while being safe and private.

10. Use a secure email service 

Security training is your best defense, but it isn’t the only defense. It’s important to choose an email service provider that takes security seriously. As a privacy-first alternative to platforms like Microsoft and Google, Proton Mail uses advanced encryption to make sure nobody, not even Proton, can access your data. We have also implemented a number of unique security features designed to minimize the threat of email-based attacks on your small business, including several dedicated anti-phishing technologies.

Using Proton Mail is just like using any other email provider, so you won’t need to do any training or onboarding with your team. All the encryption happens automatically, with no extra steps. 

Protect your business with Proton

A Proton business plan includes Proton Mail, Proton Calendar, Proton Drive, Proton Pass, and Proton VPN. With these tools, you can communicate privately, store and share files securely, manage your team’s login details and bank cards, and ensure your internet connection is private. Launching the suite of tools that comes with your Proton business plan is a straightforward process with a few easy steps.

We offer three Mail plans:

  • Proton Mail Essentials: Our simplest plan offers secure email with 15 GB of total storage and 10 addresses per user, support for three custom email domains, and basic VPN access on one device per user. This plan also includes basic features for Proton Pass and Proton Drive.
  • Proton Mail Professional: Our robust email and calendar plan offers advanced security and premium features. You get 50 GB of total storage and 15 email addresses per user, support for 10 custom email domains, and one VPN connection per user. This plan also includes Proton Sentinel high-security program, custom workspace branding for your company, and basic features for Proton Pass and Proton Drive.
  • Proton Business: Our upgraded business plan gives you secure email with 500 GB of storage and 20 email addresses per user, support for 15 custom email domains, and the highest speed VPN on 10 devices per user with more servers worldwide and extra security features. This plan also includes all Proton Pass and Proton Drive functionality.

Read all about our business plans

We built our user-friendly platform with familiarity and ease of use in mind. We have published a number of resources on our website, including this safe email guide and resources about the GDPR and HIPAA, that can help guide your organization’s security policy. 

By following the email security best practices above and choosing a security-focused email service, you can significantly reduce your chance of falling victim to an email attack and keep your business safe.
