My first electronic mail account was established in 1983. The first piece of advice I received about email came in 1986: “Never write anything in an email you wouldn’t mail on a postcard.” Sadly, that advice still applies thirty-six years later.
Email is inherently insecure, a byproduct of the old free-and-open Internet. The bad guys know how vulnerable the average email account is and take full advantage of those weaknesses to break into your account. Once they do that, they can send spam to thousands of other addresses, access files in your inbox, and install malware on your computer. But there are ways you can protect yourself.
The first and best thing you can do is to have a secure and unique password for every email account. Secure means at least 16 characters, and the most secure have no English words – just random letters (upper- and lowercase), numbers and symbols. Let your web browser or password management app generate such a complex password for you. If you have more than one email account, don’t use the same password for them. That way, if one account gets breached, the others are still secure. This really applies to ALL passwords – the worst thing you can do is duplicate one password on different sites and/or accounts.
The second line of defense is two-factor authentication. This is in addition to your password. Once you enter your email ID and password, you’re prompted to enter a one-time code (usually 5 to 6 digits) that comes as a text message or is generated by a smartphone app. So if your email ID and password have been breached, the attacker still can’t get into your account, as they need physical access to your phone to get the two-factor code.
Encryption on computers has been around for decades now. Should you switch to encrypted email? The short answer is no. Several businesses offer this—some are free, some charge. While your email may be encrypted on the provider’s server, unless it’s going to another encrypted email provider, it’s going to be readable while it moves across the Internet and once it gets to the recipient’s inbox. Using encrypted email requires BOTH sender and receiver to opt in to using it, otherwise it’s of little value. As most of us send and receive email from many different email providers, this tactic won’t help you keep things secure.
And when you’re using email, always be on the lookout for phishing messages. These try to trick you into going to a malicious web site and entering your user ID and password, which the attackers then use to breach your account. What are the warning signs? Warnings of imminent account termination, requests to “validate” your credentials, and (the latest scam) a bogus invoice. Never click on a link in an email if you weren’t expecting it. Your bank or credit card company already knows your ID and password – they don’t need you to enter them again. Only the bad guys need that.
Email—useful tool and privacy concern. Don’t let the latter overrule the former.