Learn about email security and simple ways to secure your mailbox against cyberthreats.
From intimate letters to purchase receipts, financial information to doctor’s notes, our mailboxes are a trove of personal information. You don’t want to share all that with strangers, least of all criminals.
Yet email remains one of the main ways cybercriminals target individuals and organizations worldwide. In the US alone, thousands fall victim(new window) to email-based cyberattacks like phishing or ransomware every year, often leading to identity theft(new window), credit card fraud, and other crimes.
That’s why securing your email is vital for work or play. We explain email security, types of email attacks, and 10 simple ways to secure your mailbox.
Email security definition
How secure is email?
Types of email attacks
Why email security matters
10 tips to secure your email
Final thoughts
Email security definition
Email security means taking measures to secure the contents of emails and protect individuals and organizations from common email-based cyberattacks.
That means protecting your inbox from malicious hackers, preventing phishing attacks and spam, blocking malware(new window), and using encryption to prevent others from accessing your email.
However, email was never designed to be secure or private, and most email services don’t ensure your emails are safe all the time.
How secure is email?
Most big email providers, like Gmail and Outlook, use encryption to secure your emails. They use:
- Symmetric-key encryption(new window) like AES(new window) to encrypt your emails when they’re stored.
- TLS/SSL to encrypt your messages when they’re being sent from A to B.
But TLS only works if the recipient’s email server also uses TLS. As Microsoft explains about Outlook(new window), “the message might not stay encrypted after the message reaches the recipient’s email provider. In other words, TLS encrypts the connection, not the message.”
In addition, providers like Gmail and Outlook retain the encryption keys to the emails stored on their servers. So they can decrypt them and share them with third parties, like advertisers and governments. And if your email provider suffers a data breach, a hacker could access the keys to decrypt your data, as breaches at Yahoo(new window) and Microsoft(new window) have shown.
The only way to secure your emails from third parties is to use end-to-end encryption, as we do at Proton Mail. With Proton Mail, when you write to someone else on Proton Mail, your message is automatically encrypted on your device before it passes over the internet. Only the recipient has the key to convert the text back into a readable message on their device.
And if you want to write an end-to-end encrypted message to someone who isn’t on Proton Mail, you can send a Password-protected Email.
Proton Mail also uses zero-access encryption to store emails. That means we immediately encrypt any unencrypted messages you receive from services like Gmail. No one but you has the private key to decrypt them, not even Proton.
Apart from the direct threat to your data outlined above, cybercriminals can manipulate or exploit various components of emails, such as:
- Sender (From and Reply-To addresses) and display name: Cybercriminals can “spoof” (forge) the sender’s name and address so you think the email is from someone you trust.
- Subject line and body text: Fraudsters can design subject lines and messages to trick you into taking damaging action, like divulging personal details.
- URLs and attachments: Emails can contain links or attachments that look legitimate but might lead to malicious websites or trigger malware downloads.
- Email headers: Cybercriminals can manipulate email headers to cover their tracks and make emails look more legitimate.
- Email trackers: Emails can contain spy pixels, typically single-pixel images that track you or hide or distract from malicious content in the message, or tracking links that monitor how you interact with it.
Cybercriminals can exploit these email components to launch various kinds of attacks.
Types of email attacks
Here are some common ways malicious actors may access or otherwise exploit your email account.
Malware
Malware(new window), or malicious software, is any file or piece of code designed to harm or gain unauthorized access to a computer or computer network, including your smartphone or tablet. Common types of malware include viruses(new window), worms, Trojans, adware, spyware, and ransomware. Email is commonly used to spread malware through phishing attacks.
Phishing
One of the greatest threats to email, phishing is when attackers send you a fake message to trick you. The message appears to be from a legitimate source, like your bank or a popular service like PayPal or Facebook. But the aim is to trick you into revealing sensitive information (like login or credit card details) or downloading malware on your device.
Spoofing
Email spoofing is when bad actors forge or “spoof” an email address, for example, the sender’s address in the From field, to make a message look like it comes from someone you trust. Commonly used for phishing and business email compromise(new window), spoofed emails try to trick you into revealing sensitive information or clicking on a malicious attachment.
Spam
Spam email is any unsolicited and unwanted messages sent out in bulk by email, typically for commercial purposes. While spam emails may be legitimate ads, scammers may use them to launch phishing attacks and distribute malware.
Account takeover
Using the methods above, scammers may steal your email account username and password to gain access to your account. Or they may crack your password with a brute force attack(new window) or buy your username and password on the dark web if your email login details are leaked. Once inside, they can monitor your messages, steal more personal information, or use your address to launch malware attacks and spam to your contacts.
Man-in-the-middle attacks
A man-in-the-middle attack(new window) is where an attacker manipulates an email as it’s being sent from the sender to the recipient without their knowledge. By intercepting emails in transit, attackers can eavesdrop on the communication or alter the content of the emails.
Why email security matters
Securing your email account is not just about keeping the intimate details of your life to yourself. As email is one of the main vectors for cyberattacks, ignoring your email security could have devastating consequences.
In July 2022, some home buyers in Charlotte, North Carolina, received a message from a realtor to wire $400,000 for an escrow payment. But after they sent the money, they realized the email was spoofed. The message was from a fraudster.
Luckily, they managed to stop the payment in time, the FBI reported(new window). Others have not been so lucky.
Thousands of businesses in the US are hit by business email compromise(new window) every year, resulting in losses of around $50 billion worldwide over the last decade. If you run a business, taking steps to secure your email is critical to:
- Avoid financial and sensitive data loss
- Comply with data privacy regulations
- Maintain your reputation and the trust of customers
- Ensure business continuity if you’re hit by a cyberattack
In short, securing your email is critical for anyone who has an email account, whether for work or personal use.
10 tips to secure your email
Here are ten best practices to keep your email account secure.
1. Use end-to-end encryption
Switch to an end-to-end encrypted email service, like Proton Mail. With Proton Mail, you can automatically send end-to-end encrypted messages to others on Proton Mail or send Password-protected Emails to non-Proton users. No one but you and your intended recipients can read them, not even Proton.
2. Use a strong password and password manager
Make sure you use strong, unique passwords for your email and other online accounts. To help you generate unique, strong passwords and store them securely, get a good open-source password manager like Proton Pass.
3. Enable two-factor authentication (2FA)
By enabling 2FA, you can protect your email account if your password is lost through a data breach or phishing. If you use Proton Mail, you can set up 2FA with an authenticator app and/or U2F security keys.
4. Beware of phishing
Learn how to spot signs of phishing and avoid clicking on suspicious links or downloading attachments in emails from unknown senders. Switch to a secure email provider like Proton Mail, which has PhishGuard advanced phishing protection to flag potential attacks.
5. Block spam with filters
Don’t open spam emails or respond to them, especially if you suspect phishing. Delete them. Secure email providers like Proton Mail automatically filter out spam, and you can use spam and block lists to customize filters or block a sender in a few clicks.
6. Protect your email with aliases
By using an email alias, random email addresses that forward messages to your main inbox, you can hide your personal email address. Use Proton Pass hide-my-email aliases to create accounts online and protect your real email address from being disclosed or leaked.
7. Use email authentication
If you have your own email domain (for example, you@yourdomain.com), implementing email authentication methods like SPF, DKIM, and DMARC is vital to protect your domain from spoofing and improve deliverability. If you’re on a Proton Mail paid plan, you can set up your custom domain and SPF, DKIM, and DMARC with a simple wizard.
8. Block email tracking
Emails can contain spy pixels, which can send sensitive information back to the sender when you open them, or tracking links. Block spy pixels by stopping images from loading automatically, or switch to Proton Mail, which blocks spy pixels and known tracking links by default.
9. Get good antivirus software
Install good antivirus or internet security software, which includes spam filters to block potential phishing emails and scans for all kinds of malware. Make sure it’s updated with the latest virus/malware definitions.
10. Keep your devices updated
Set your computer or phone operating systems, emails clients, and other apps to update automatically so that you always have the latest versions with security patches. Malware delivered by phishing emails or other means can exploit vulnerabilities in operating systems and other software.
Final thoughts
Email security is vital to protect your sensitive information, defend against cyberthreats, and protect your privacy online.
Follow the simple tips above to keep your email secure and private, and spread the word among family and friends. If you run a business, train your team about the dangers of phishing and other basic email security.
An easy first step to secure your email is to switch to end-to-end encrypted Proton Mail or Proton for Business if you need email for work.
With end-to-end encrypted Proton Mail, Proton Calendar, Proton Drive, Proton VPN(new window), and Proton Pass, no one but you can access your data. Not even Proton.
Proton Mail also features automated anti-abuse and account security and Proton Sentinel, an advanced high-security program for those who need maximum account protection and support. So join us, and stay secure!