Last Update: 8/26/2017
Every computer user uses e-mail. Security breaches make headlines almost daily. With more and more people going online, consumers are worried more than ever about keeping their e-mail safe and secure.
E-mail is the major way most malware is transmitted across the Internet. E-mail is the largest attack vector against large companies, as it is far more difficult to physically infiltrate a company. In this article, we will help you use e-mail more securely.
A recent experiment of 150,000 test emails sent by Verizon Enterprise Solutions found that 23% of recipients opened the email and 11% clicked on the attachment. One person clicking on the attachment would have infected the organization. The human is the weakest link.
Secure your computer, web browser, Internet connection
Follow our guides to secure your Windows PC or secure your Macintosh by installing the right software, firewall, antivirus software, etc. Secure your mobile devices: iPhone, Android smartphone or tablet, iPad. Configure the settings and add plug-ins to your web browser so that it is more secure. Consult our tutorials for: Internet Explorer 9, Google Chrome, and Mozilla Firefox. Secure your Internet Connection: Wireless Network, Public Wi-Fi.
The Golden rules of the Internet:
- Do not trust anyone
- If it is too good to be true, it probably is
- Don’t install software from anonymous sources
- Don’t automatically hit “yes” to any pop-up
- If it looks suspicious, run
Secure Your Router
1. Configure your wireless router for optimal security. Consult our article How to set up a secure wireless router for details. For maximum security, access your e-mail when connected by a hardwired connection such as Ethernet.
Update and Secure Operating System
Secure Internet Browsers
Pick a Good Email Provider
4. Most people already have an e-mail address that they are connected to. If you are considering a new e-mail address, consider examining how sophisticated the provider is. Infrastructure and state-of-the-art spam filtering are not inexpensive. We recommend users consider e-mail addresses from providers like Lavabit, Google and Hushmail. These companies are committed to staying on the leading edge, and are accessible anywhere. ISP based e-mail is convenient, but locks you in to the ISP. The same argument applies to school or company based e-mail addresses. You can always access these e-mail accounts via POP access in Gmail. This will allow your email account to utilize Gmail’s excellent spam filters.
Look for e-mail providers that have good spam filters and allow you to control attachments and HTML within e-mail messages.
Make Sure Email is using HTTPS
5. Make sure you are accessing the e-mail provider’s website using a secure connection: look for https:// in the browser’s address bar and a padlock icon in the browser. A broken key, broken padlock, or any open lock indicates it is not secure.
Use Unique Passwords
6. When creating an account at the e-mail provider’s website, we recommend you use a unique password, as it is far safer in case the provider gets hacked. You would not want hackers to get a password that worked on other websites. Consult our How to create, store and use secure passwords article for suggestions.
Create Multiple Email Accounts
7. We recommend creating multiple email accounts for different purposes, in order to maximize online safety, with each email account linked to a different set of online accounts. One example would be to have one email account for forums, one for banking, and one for shopping. Do not use the same emergency recovery email address for all of them. This way, if one email account gets compromised, the others are safe.
Use Two Factor Authentication if Available
8. Some e-mail providers support two factor authentication, which requires users to log in with both a password and a phrase generated on a smartphone, smartcard, or printed on a piece of paper. Gmail is a leading e-mail provider that supports this 2-factor authentication. Yahoo mail added 2-factor support at the end of 2011. A hacker who had your password could not log on without a second means of authentication. This is especially good for people that travel out of the country.
A two factor authentication system using SMS text messages is not secure, because mobile phone accounts can be hijacked and the SS7 routing system is weak. We suggest only using two factor when you can use a physical token or a time based authenticator like Google’s.
Use 3G/4G connection instead of Public WiFi when checking Email
9. When accessing e-mail on a smartphone or tablet, using the built in 3G/4G connection is a lot safer than connecting via a local wireless internet hotspot. This warning applies to both apps and mobile internet browsers.
Don’t open suspicious links and/or attachments
10. To avoid falling victim to e-mail phishing, never click a link or open an attachment from an e-mail. This is especially true for online banks and online brokerages. Manually type the URL into your browser.
Spear phishing uses realistic looking e-mails with personalized information, possibly appearing to come from a known person, to steal your login password, run an attachment that contains malware, or force you to visit a web page containing malware.
Fact: When someone has more information about us, we are more likely to trust them. If your personal details leaked in a company’s data breach, criminals could use that information to craft emails that look more credible.
Opening Attachments Safely with Gmail
Forward the email with attachment to a Gmail account. From there, you can use Google Docs to open Word Processing, Spreadsheets, etc. No need to endanger your own computer.
Minimize your personal information on Facebook, Twitter, Instagram, etc. Also cleanse or set to Private your Amazon wishlists and eBay bidding history.
11. Spam, unfortunately, remains an element of e-mail. Leading e-mail providers are pretty good at fighting spam, but no one is perfect. Unintended consequences include good mail ending up in a spam folder. Be very careful when accessing the spam folder, as many a penetration has been enabled when workers accidentally clicked on links within spam folder e-mails that looked legitimate.
Don’t Display HTML
12. For maximum security set your e-mail provider’s configuration to not display HTML when displaying e-mail. A less secure setting is to allow HTML but not to display images. This additional security tactic helps prevent rogue pages from being displayed within e-mail. (Windows Live Hotmail does not allow you to control this.)
We suggest these settings for Gmail:
- Select Mail Settings from the Gear Icon in the upper right corner
- In the General Tab, next to External Content: Select Ask before displaying external content
Use SSL to access Mail Servers
13. It is important that email accounts accessed from a smartphone are set up to use encryption when available. Many email providers, including Google’s Gmail, Microsoft Exchange, MobileMe, AOL Mail and Yahoo Mail, support SSL (secure sockets layer) when accessing their mail servers. If SSL is not used, your emails as well as your password can be read by hackers.
To enable SSL with Yahoo Mail (not enabled by default) follow these steps:
- Login to your Yahoo Mail account
- Click the Gear icon on the upper-right corner
- Select “Mail Options“
- Click General on the Left, Under Mail Options
- Check the Box next to “Turn on SSL“
- Click Save at the top of the screen.
14. If you have applications other than your web browser accessing your e-mail, i.e. a desktop mail client such as Windows Live Mail, Outlook, or Mail.app, make sure you enable SSL secure connections within each application. Here is a tutorial on using Gmail with Windows Live Mail.
Be careful of Short URLs
16. If you encounter phishing emails you can forward them to:
- Internet Crime Complaint Center
- Anti-Phishing Working Group
- Stay Safe Online has spam reporting information on the top 10 ISPs
Check to see if any Email addresses have been compromised
17. There are databases of email addresses that have been compromised. If you are listed, immediately change all your passwords connected to that email account.
18. Someday phishing will hopefully fade in volume. DMARC.org which stands for “Domain-based Message Authentication, Reporting & Conformance” may help reduce the volume of problematic emails.
Encrypt the contents of Email
19. Email uses the insecure SMTP protocol to send data between servers. All the data sent is unencrypted. This factor has nothing to do with using SSL to connect to your email provider. You need to use tools like PGP (pretty good privacy) to encrypt the contents of your emails to ensure privacy. Never send a password in email.
Next to clicking a link in an email, clicking an attachment is the second most dangerous way to get infected.
Block attachments in your email client.
Gmail automatically blocks:
.ADE, .ADP, .BAT, .CHM, .CMD, .COM, .CPL, .EXE, .HTA, .INS, .ISP, .JAR, .JSE, .LIB, .LNK, .MDE, .MSC, .MSP, .MST, .PIF, .SCR, .SCT, .SHB, .SYS, .VB, .VBE, .VBS, .VXD, .WSC, .WSF, .WSH
We recommend you supplement this by blocking these file types that are not used very often any more. Select Create a new filter from Filters and Blocked Addresses.
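As an added example (not code from the original article or from Gmail), here is how the block list quoted above can be applied to an incoming message: it parses a constructed sample e-mail, walks its attachments, and flags any whose final extension is on the list, catching the usual case and double-extension tricks such as Invoice.PDF.exe. The sample message and its attachment contents are constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Gmail blocks automatically, as listed on this page.
BLOCKED_EXTENSIONS = {
    "ade", "adp", "bat", "chm", "cmd", "com", "cpl", "exe", "hta", "ins",
    "isp", "jar", "jse", "lib", "lnk", "mde", "msc", "msp", "mst", "pif",
    "scr", "sct", "shb", "sys", "vb", "vbe", "vbs", "vxd", "wsc", "wsf", "wsh",
}


def is_blocked_name(filename: str) -> bool:
    """True if the attachment's last extension is blocked. Case and trailing
    dots/spaces are normalised, so 'Invoice.PDF.exe' and 'setup.EXE.' both
    match: only the final extension decides what the OS will execute."""
    name = filename.strip().rstrip(". ").lower()
    if "." not in name:
        return False
    return name.rsplit(".", 1)[1] in BLOCKED_EXTENSIONS


def blocked_attachments(raw_message: bytes) -> list:
    """Parse a raw RFC 5322 message and return the names of blocked attachments."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():   # skips the body, keeps attachments
        name = part.get_filename()
        if name and is_blocked_name(name):
            hits.append(name)
    return hits


def build_sample() -> bytes:
    """Constructed sample message (not a real e-mail) with three attachments:
    a harmless PDF, an executable disguised with a double extension, and a
    batch file sent as text/plain."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 (constructed)", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ (constructed)", maintype="application",
                       subtype="octet-stream", filename="Invoice.PDF.exe")
    msg.add_attachment("@echo off (constructed)", filename="run.BAT")
    return bytes(msg)


if __name__ == "__main__":
    print(blocked_attachments(build_sample()))   # ['Invoice.PDF.exe', 'run.BAT']
```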
Things Not To Do
1. Do not access your e-mail from unprotected public Wi-Fi hot spots or cyber cafes. Many of these locations provide little to no security and are prone to snooping or malware.
2. Always log out of web-based e-mail accounts; do not simply close the browser.
3. Do not have a single email address where everything goes. If everything is linked together, your entire security chain can get compromised with one break-in.