Various productivity technologies have come and gone, but email is here to stay. Businesses still revolve around the inbox, and they probably always will. Scammers are aware of this, so they continue to find new ways of deceiving people into clicking links and opening attachments that will cause them to unwittingly expose business data or personal information.
One innocent mistake by your employees can cause millions of dollars of damage to your company. Here are 12 email security tips to help you and your colleagues stay safe.
Remember the basics.
It’s the most obvious of email security tips, but it’s worth repeating: don’t open emails from unknown senders. And if you accidentally do, don’t click any links or open any attachments—no matter how enticing—within the message.
One way to avoid opening unwanted emails is to make sure you’re going through your inbox in a “hygienic” way. Most of us log on in the morning and face an inbox cluttered with dozens of messages, most of which really aren’t that important and some of which are completely unwanted. Don’t sift through the stack by opening the first message and then clicking either Delete or Next within each message until you’re caught up. When you do this, you end up opening every message, even if only for a moment. And every time you open an unwanted message, you increase the chance you’ll accidentally click a dangerous link.
It’s much safer to assess your whole inbox at a glance and delete all unrecognized emails in one swoop. Your email program will provide a feature that lets you select multiple messages and then click ‘Delete’ to be rid of them.
Look carefully before you open.
Any email scammer can enter the name of your bank or insurance company as their own name in their email program. For example, when you see ‘XYZ National Bank’ as the sender name in your inbox, you’ll be tempted to open the email. Simply opening a message may not put you in danger, but it does put you one step closer to clicking a malicious link.
So, before you open that seemingly trustworthy email, look closely at a couple of things. First, put your mouse pointer over the sender’s name so that you can see the email address from which the message was actually sent. You may find that it came from an address you don’t recognize (example: firstname.lastname@example.org).
You should also examine the subject line. There’s usually a certain amount of professionalism in communications that come from a reputable company. Does the subject line contain typos? Bad grammar? Block capitals or excessive punctuation (example: ACCOUNT SUSPENDED!!)? These are dead giveaways that a scammer is targeting you.
Look carefully before you click.
Not every email scammer makes it so obvious. Some make their messages look just professional enough to get you to open them. For example, they may buy a domain name very similar to that of a real company so that when you mouse over the sender’s name, you won’t notice the difference (example: email@example.com instead of firstname.lastname@example.org). And their subject line may be believable. So you open the message.
Even after you’ve gone this far, don’t let your guard down. Examine the message. Do the graphics, layout, and fonts look right, or like a knockoff of the company you trust? If you notice any subtle differences, don’t click anything in the message. You don’t have to be a graphic designer to notice when the presentation is sloppy.
If you’re still not sure, mouse over the link they’re asking you to click. You should recognize the URL. If you’re at all unsure, don’t click. Instead, try calling the company or logging onto your online account to see if you can find more information.
Avoid sending confidential information in the clear.
It’s so easy to do: you need to send your social security number to your investment advisor as soon as possible. You figure, “What are the odds anything will happen?” You send your SSN in the clear.
Yes, there are millions of emails being sent at any moment and there isn’t a hacker on every network. But if you don’t get away with it, your identity could be stolen and your life ruined. It’s not worth the risk. Take the time to send that SSN securely.
Avoid sending confidential information in an attachment.
The previous tip was one of the more obvious email security tips. But you may not have considered the risk of sending sensitive data in an attachment. If a hacker gains access to your network, they’ll be able to read attachments as easily as they read the contents of an email message. So don’t be lured into a false sense of security just because your confidential information is in a PDF.
Use your work email account only for work.
Hackers don’t discriminate; they’ll be just as happy to steal valuable information from a business account as from a personal account. Most email security tips will tell you not to send sensitive business data from your personal account, and that’s good advice. But don’t forget that it’s also a bad idea to use your work email account for personal purposes.
If you subscribe to a fitness newsletter using your work account and the newsletter’s database is hacked, thieves can take not only your email address but also personal data that puts your security and that of your company at risk. There are enough risks out there for your business account, so don’t add to them by misusing your work account.
You can’t be too cautious with your work email account. Need to subscribe to industry publications? Consider using a separate personal email account to do so. Open a free account that you use exclusively for that purpose.
Never log into email on a public computer.
Many lists of email security tips don’t bother to include this one anymore because for most of us, it’s pretty hard to imagine a scenario in which we’ll forget to bring our phone and absolutely have to check our email at, say, a public library. But please remember that it’s just not worth it.
Public WiFi isn’t as safe as a secure network, so weigh your need to check email against the risk of losing information. If you just want to log on and read a newsletter while in line at the supermarket, that’s probably fine. But don’t read or send classified information.
Implement multi-factor authentication for your company’s email accounts.
Multi-factor authentication (MFA) requires everyone to provide at least a second form of authentication beyond a password to log into their email account. This second form is often a numerical code (such as those provided by Google Authenticator) or a biometric scan such as a fingerprint.
Requiring a second form of authentication may seem like a pain to recipients at first. But if you can enter one password, you can easily provide a second piece of information. And MFA is highly effective against hackers, which means the potential savings for your business are immense.
Enforce strong password requirements.
Many passwords are stolen because they’re guessable. That’s why so many online services require you to create strong passwords when you sign up. Just like MFA, using strong passwords can seem like a hassle at first. But remember that hackers want to take low-hanging fruit. If your employees’ passwords are long enough and weird enough, you’ll greatly reduce the chances that anyone will guess them.
The problem, of course, is that strong passwords are hard to remember because they contain seemingly random patterns of characters. Offer your employees tips on how to create memorable yet hard-to-guess passwords, and provide examples.
Suppose an employee has three children named Zack, Stella, and Adam. She could use Z, S, and A in her password, and the numbers 1, 2, and 3 to indicate the children’s order of birth. It’s also a good practice to combine capital and lowercase letters. A good starting point would be the password Z1s2a3. But that’s too short and doesn’t contain any special characters. If you hit Shift while typing 1, 2, and 3, you get !, @, and #. Sprinkle those into the password, and you have a password that will mean something to the employee but be utterly unguessable to a hacker: Z1!s2@a3#
When it comes to remembering passwords though, length is also better than complexity - so be sure to have your employees making passwords longer than 8 characters. Lastly, make sure to tell your employees that passwords should not be written down on paper and stored in the open - not on a sticky note, not in a notebook.
With all this said, sometimes a password manager can be the easiest route. Users are only required to remember one password (to login to the password manager itself - which also generally enforces MFA), and the manager can generate long, complex passwords for all accounts necessary.
Instruct employees not to re-use passwords from other email accounts on their work email accounts, or vice versa.
We hope your employees will use the password tip above to inspire a killer password for their work account. Remind them that this password should only be for their work account. It is not to be reused on social media, their bank account, or anywhere else. And they should never use outside passwords on their work account. When employees reuse passwords across email accounts or other accounts, they increase the risk that getting hacked in one account will enable hackers to steal their entire online identity.
Implement spam filters along with virus and malware scanning.
One of the email security tips that gets taken for granted is to install powerful protection. This practice isn’t exciting or cutting-edge, but it’s more important than ever.
Don’t think that strong passwords and vigilant employees can completely neutralize the threat of email scams and hackers. Many studies show human error to be the #1 cause of data breaches. Install powerful protection for your company so that even if an employee makes a mistake, they won’t be putting your business systems at risk. Spam filters aren’t perfect and never will be, but they can prevent many of the most obvious phishing attempts from ever reaching your employees’ inboxes. And antivirus or malware solutions can stop a bad download from wiping out entire servers.
Don’t click ‘Unsubscribe’ unless you’re sure you subscribed in the first place.
This is one of the most counterintuitive email security tips, so bear with us here. We all want to keep our inboxes tidy, so we’re conditioned to think that clicking ‘Unsubscribe’ on unwanted emails is always a good idea. Suppose you bought a product from an online retailer and signed up for their weekly newsletter in the process. After a few months, you realize you never have time to read the newsletter and you’re tired of deleting it. You can definitely click ‘Unsubscribe’ in this case.
But be careful not to unsubscribe from messages sent by senders you don’t recognize. Many are scammers who will use your unsubscribe request to confirm that you’re really at that email address. They will then attempt to scam you from other email addresses or sell your email address to other scammers, knowing that there’s a good chance you’ll receive and open messages in this account.
These Email Security Tips Are Just the Beginning
No list of email security tips would be complete without providing a solution for sharing sensitive data securely. Tired of taking risks by sending confidential documents as attachments? Need a highly secure cloud solution for storing,sharing and collaborating on business documents? Cocoon Data may be the answer. Why not give it a try?