
Beginner's Guide to Email Security - Everything you need to know

The internet is filled with hackers constantly attempting to defraud people of money and data. Email accounts are one of the most common attack vectors exploited by those cybercriminals.

Each year, millions of people worldwide suffer at the hands of hackers, either because their email account is compromised or because they receive a malicious email.

In this guide, we will pinpoint several important steps all internet users should take to improve their email security and reduce their chances of being victimized by hackers.


What is Email Security?

Email security can be separated into two distinct categories. Both are hugely important to ensure good email security, but they provide that security in different ways.

Email Security Protocols

Email Security Protocols revolve around using encryption and authentication protocols to protect emails against eavesdroppers and to stop spammers sending mail that spoofs your domain. This kind of security is extremely important to ensure the integrity of your emails and your email domain.

Operational Security best practices

These ensure that your email account, and any devices you access that email account from, are safe against cybercriminals. These practices prevent you from being victimized by phishing and malware, so no unwanted third parties can gain access to your email account. Ultimately, this stops them from seeing the contents of your emails and from gaining access to any online accounts and services attached to the email address.

Email Security Best Practices

Following the tips below can vastly improve your email security and will protect you from a variety of threats:

Use a strong password

The most important thing to ensure your email account is secure against hackers is to use a strong password.

A robust password should be more than 12 characters in length, and it should contain numbers, symbols, and both upper and lower case letters. It should never contain any words that are easy to guess, or any information that is personal to you (because it could be guessed using social engineering).

A strong password must also be completely unique, which means that you should never have used it for any other account or service. This ensures that if any of your third-party accounts is compromised, the hacker does not also gain access to your email account.

To ensure that all your accounts have strong, unique passwords, we recommend using a secure password manager. This will allow you to set highly secure passwords for each account without needing to remember them all.

A password manager allows you to leverage highly complex, unique passwords – without the need to look them up in an insecure password diary (which could fall into the wrong hands). 
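The rules above, as an added example of how a password manager or sign-up form could enforce them (this is illustrative code written for this guide, not any product's own checker; the common-word list, the personal details and the "already used" set are constructed sample data):

```python
import hashlib
import re

# Constructed stand-in for a dictionary of easily guessed words.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}


def _contains_word(pw: str, words) -> list:
    """Return the words (3+ characters) that appear inside the password, ignoring case."""
    low = pw.lower()
    return [w for w in words if len(w) >= 3 and w.lower() in low]


def check_password(pw: str, personal_info=(), seen_hashes=frozenset()) -> list:
    """Apply the guide's rules and return a list of violations (empty means it passes).

    personal_info: strings tied to the user (name, birth year, pet) that must not appear.
    seen_hashes:   SHA-256 hex digests of passwords already used on other accounts,
                   standing in for a password manager's own reuse check.
    """
    problems = []
    if len(pw) <= 12:
        problems.append("too short: needs more than 12 characters")
    if not re.search(r"[0-9]", pw):
        problems.append("missing a digit")
    if not re.search(r"[a-z]", pw):
        problems.append("missing a lower-case letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("missing an upper-case letter")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("missing a symbol")
    for w in _contains_word(pw, COMMON_WORDS):
        problems.append(f"contains easily guessed word '{w}'")
    for w in _contains_word(pw, personal_info):
        problems.append(f"contains personal information '{w}'")
    # Uniqueness: compare a digest so the other passwords never sit in memory in clear.
    if hashlib.sha256(pw.encode()).hexdigest() in seen_hashes:
        problems.append("already used for another account")
    return problems


if __name__ == "__main__":
    used = {hashlib.sha256(b"Tr0ub4dor&3xtra!").hexdigest()}   # constructed "other account"
    print(check_password("password123"))
    print(check_password("RayWalsh1987!!abc", personal_info=("Ray", "1987")))
    print(check_password("Tr0ub4dor&3xtra!", seen_hashes=used))
```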

Enable Two Factor Authentication

Two Factor Authentication (2FA) ensures that anybody attempting to hack your account requires more than just your password. 2FA improves your security by requiring a code generated on, or sent to, a physical device to be entered alongside the password.

Without this secondary authentication code, which can only be accessed by the individual with physical access to the 2FA device (usually a smartphone or tablet) – it is impossible to log into the email account. 

2FA is an easy way to improve your security by ensuring that a password alone will not allow a hacker to access your email account. However, 2FA should never be considered a reason to have a weak password. Thus, we recommend using a strong, unique password and 2FA. 

Options for 2FA include:

Check the sender address

Unfortunately, when you receive an email, there is always the chance that it has been sent by a cybercriminal. Hackers send malicious emails in an attempt to make victims follow dodgy links that lead to phishing websites, or that trick them into visiting cloned websites designed to defraud them of their money, for example. 

Knowing which emails are legitimate and which are a scam can be extremely tricky, which is why it is essential to be wary of every single email you receive. The first thing to consider is who an email is from.

By checking the sender's address you may be able to tell that the sender is not who they claim to be, so look closely and do some research to find out if it is a legitimate email address.
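An added example of the checks worth running on a From: header before trusting it (illustrative code written for this guide, not any mail client's filter; the "known domains" set and the sample headers are constructed). It flags a display name that names one address while the real address is elsewhere, a trusted brand buried inside someone else's domain, and look-alike domains a character or two away from a real one:

```python
import re

# Constructed stand-in for the domains you actually deal with ("do some research").
KNOWN_DOMAINS = {"amazon.com", "ebay.com", "paypal.com"}


def split_from(header: str):
    """Split 'Display Name <user@host>' into (name, address); a bare address has no name."""
    m = re.match(r"^\s*(.*?)\s*<([^<>]+)>\s*$", header)
    if m:
        return m.group(1).strip('" '), m.group(2).strip()
    return "", header.strip()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot 'amaz0n.com'-style look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_sender(from_header: str, known=KNOWN_DOMAINS) -> list:
    """Return warnings about a From: header; an empty list means nothing looked off."""
    name, addr = split_from(from_header)
    if "@" not in addr:
        return ["no parsable email address in From: header"]
    domain = addr.rsplit("@", 1)[1].lower()
    warnings = []
    # 1. The display name shows an address at one domain while the real address is elsewhere.
    for claimed in re.findall(r"[\w.-]+@([\w.-]+\.\w+)", name):
        if claimed.lower() != domain:
            warnings.append(f"display name claims {claimed} but address is at {domain}")
    for k in sorted(known):
        if domain == k or domain.endswith("." + k):
            continue                                  # the real domain or a real subdomain
        # 2. 'amazon.com.security-check.example' contains the brand but is not the brand.
        if k in domain:
            warnings.append(f"domain {domain} contains {k} but is not {k}")
        # 3. One or two characters away from a known domain.
        elif _edit_distance(domain, k) <= 2:
            warnings.append(f"domain {domain} looks like {k}")
    return warnings
```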

Consider the contents of the email

The second thing to consider is what the email says. If the email attempts to make you do something – such as to follow a link or download an attachment – this could be a sign that it is from a cybercriminal.

The important thing to remember is that scammers and hackers usually attempt to leverage your emotions against you. This can be fear or excitement – depending on how the scammer is attempting to trick you.

This is why you should always be wary of emails that advertise impossibly cheap deals, or that inform you that you have won a competition. Below, we have included a list of the kinds of scam emails you need to be wary of.

  • Emails that inform you of winning a competition.
  • Emails containing offers and deals that are too good to be true.
  • Emails from shopping services that warn you of a purchase you never made.
  • Emails that contain information regarding your job or topics that interest you (spear phishing).
  • Emails that inform you of a need to secure your device or account by seeking help (usually by following a link or installing a program).
  • Any emails that encourage you to follow a link. Always visit a website in your browser yourself without clicking the link in an email to ensure you arrive at the genuine site.
  • Emails that encourage you to download an attachment (this will usually be malware).
  • Emails that trick you into replying with your sensitive personal information.
  • Emails that trick you into replying with your payment information to settle a false outstanding bill.
  • Fake emails from government authorities and agencies designed to steal your information (either by replying directly or following a link).
  • Emails that claim to be from an attractive member of the opposite sex (relationship scams).

Sending emails with malicious links is the primary way that scammers forward victims to malevolent websites designed to infect them with malware or phish their data. 

In order to protect yourself against these kinds of attacks, we recommend that you never follow the links contained within emails; particularly any suspicious, unsolicited emails that arrive in your inbox.

By refusing to click links, you can avoid visiting malware-infected websites and malevolent sites set up by criminals to steal your data.

If you receive an email that you believe to be from a legitimate source (such as from a service like Amazon or eBay, for example), we recommend visiting that service in your browser without following the links in the email. This will prevent you from being tricked by legitimate-looking scam emails.

Don't download email attachments

By clicking on any downloads and attachments contained within emails, you could potentially give a hacker complete access to your device. As a result, they could steal your personal information, or even use a Trojan to gain root access – allowing them to spy on you using your microphone or camera.

This kind of data theft can lead to identity theft and fraud, which is why it is so important to prevent all malware infections. As a result, it is essential to always consider who an email is from and to verify that an attachment is safe before downloading it.

We also recommend using an antivirus with real-time scanning protection, so that any potentially malicious files are singled out before you get the chance to download them accidentally.  

Get an account with a secure email provider

In addition to following the best practice security habits listed above, it is a good idea to encrypt your emails if you want to ensure that their contents are completely private and secure. 

Email providers like Google and Microsoft are known to scrape consumer emails for data for marketing purposes. This means that anyone who truly wants email privacy should get a subscription with a private email provider that promises never to access the content of emails. 

That said, the only way to guarantee that only the sender and recipient of an email can access the content of an email is to ensure that they are encrypted end-to-end using a secure protocol such as OpenPGP. This will protect emails against hackers – and interception by government agencies, for example.

To find a secure email service that provides strong encryption for emails, be sure to visit our secure email provider reviews.

Written by: Ray Walsh

Digital privacy expert with 5 years experience testing and reviewing VPNs. He's been quoted in The Express, The Times, The Washington Post, The Register, CNET & many more. 

