Hackers abound. We see more and more news headlines about not just eBay accounts getting hacked, but major international banks getting hacked.
And while there’s no sane way for the average person to be sure their information is 100% forever safe (you can’t even buy laundry soap at Target 100% safely) there are quite a few things you can do to stay mostly out of harm’s way. Many of them are even free.
So here’s a list of the best ways to protect your email account (or accounts). Quite a few of these are best practices for Internet wide security, especially because so many security breaches start in the inbox.
1) Use secure passwords.
It’s painful to see how weak most passwords are. Don’t let yours be a pushover. A “good” password is at least 10 characters long with a mixture of upper and lowercase letters. Good passwords will also have at least one number and one special character thrown in for good measure.
2) Use SSL (Secure Sockets Layer) or TLS (Transport Layer Security).
SSL and TLS are very similar. When used for sending emails, both result in your emails being sent securely between your computer and your SMTP service. Your SMTP service should also properly encrypt emails (using the latest version of TLS) between itself and the recipient’s mail server. This step in the email delivery process requires the recipient’s mail server to support SSL/TLS. SMTP2GO always encrypts emails wherever technically possible.
3) Have good antivirus software installed on every computer.
This is one of our recommendations that will certainly help your email security, but also the security of everything else on your computer. PC Magazine has named Webroot SecureAnywhere AntiVirus, Norton AntiVirus, Kaspersky Anti-Virus and Bitdefender Antivirus Plus as their top choices for anti-virus software. You can see how these products compare in the graphic below.
4) If you have many different people sending emails in your business, create a different SMTP username for each sender.
That way, if someone’s computer gets hacked and that computer starts sending spam, then it’s easy to disable that one SMTP username without affecting any other users.
Of course, we also recommend you change the password on that infected computer and SMTP account immediately. To learn more about how to do this, see the SMTP2GO help topic on multi-users.
5) Be extremely careful about opening attachments.
If possible, scan any email with an attachment before you open it, especially if it is from someone you don’t know. Nine out of ten viruses or malware get on to computers via attachments.
6) Consider encryption (like OpenPGP) for sensitive emails.
Some of these plugins (and software) can even stop entities like the NSA. If you want to set them up, look into gpg4win (GNU privacy Guard for Windows). There’s a fairly detailed tutorial on how to set this up here.
If nothing else, break sensitive information into two or more parts, then send each part in a separate email. That at least makes it harder for unscrupulous people to get the information they need to do damage.
7) Consider multiple email accounts.
According to a Harris Interactive 2013 poll, the average Internet user has 3.1 different email accounts. That’s up from the year before, when they found the average person had 2.6 accounts.
There’s wisdom in this. It’s called not putting all your eggs in one basket. Don’t put all your emails in one inbox, either, because if that inbox gets compromised, you’re in trouble. Besides, many email services (like Gmail) will request you submit a backup email address, just in case there’s trouble with your account.
Of course, having more than one email account both helps and hurts email security. On the good side, it lets you hedge your bets, in case one account goes down. But it also creates another account, and thus another access point for trouble. Despite that conflict, I’m certainly glad I have more than one email account, both for managing all the emails I get, and because when I have had an email account hacked, it’s been a lifesaver to have a backup email account. The backup account lets me continue to get email messages and gives me a safe inbox to send the password change email to.
8) Consider not showing your email address in public places where it can be scraped.
If you have to include a working email address on a public document (like a press release), consider using a secondary email account. Using an email address tied to an account that you could do without will keep things neater later on, should that email account become compromised.
This tactic won’t work for everyone, but it should at least serve as a reminder: Keep your email address as private as possible and you’ll avoid many potential problems. An ounce of prevention is still worth a pound of cure.
It’s a good idea to Google your email address every so often, to see if it is listed on any page in the results. If your email address does show up in the results, see about getting it removed from those pages.
If you have your own domain name, consider using a private WHOIS service to hide your email address. Or, use a different email address (e.g. beginning with domain@), so you at least know where a spammer harvested your email address. If you receive spam at a domain@ email address, it gives clear evidence the person emailing you harvested your email address from your WHOIS record, and is therefore spamming you. You can then complain to the spammer’s ISP (see point 10 for how to report spam).
9) Don’t include sensitive information in your email messages.
This is known as “data leakage” among security experts, and email is one of the primary sources of it. If you have to give someone sensitive information, consider calling them. If you have to send a sensitive document, perhaps snail mail might be worth the wait. If it’s not, Google Drive is a good free service that lets people share documents. Edward Snowden recommends SpiderOak as another secure way to share documents.
10) Don’t reply to spam or phishing schemes.
Replying to spam just notifies the spammer they’ve “got a live one”. Don’t do it. Besides, more than 3% of spam carries malware. If that sounds like a paltry percentage, go look in your “bulk” email folder, aka your spam folder. You’ve probably got a couple hundred spam messages in there right now. That translates into six or more malware emails, just sitting there, waiting for you to click them.
Instead of replying to spam, follow our instructions for how to report it.
11) Be careful about public Wi-Fi.
I know, I know: You have to check your email for work. And so you have to use an airport’s public Wi-Fi, or a coffee shop’s public Wi-Fi. We all understand. But also understand that public Wi-Fi is a fantastic opportunity for hackers, and for people who aren’t even crafty enough to deserve to be called hackers.
If you just have to use that Wi-Fi network, at least verify you’re on the actual free network, not the “free” network a hacker set up to look like the coffee shop’s (or the airport’s) network. Next, make sure there’s a “https:” at the beginning of the url where you log in. If you don’t see the “s” in the “https”, or if you get a warning that there’s a problem with the security certificate, don’t use that network.
If you’re feeling really paranoid, get signed up for a VPN (virtual private network) service. Private Internet Access and Tunnel Bear are two popular choices. So is F-Secure. They’re less than $10 a month and don’t require a technical degree to use.
