
Five tips for avoiding self-inflicted email security breaches

August 25, 2010

  • Date: August 20th, 2010
  • Author: Chad Perrin

Email security is about a lot more than just using a good password on your POP or IMAP server. Perhaps the most important part of email security is ensuring you don’t shoot yourself in the foot.


In my article Basic e-mail security tips, I discussed five steps everyone should employ to secure their email, regardless of the client they use. Here are five more recommendations. These tips focus on the ways users break their own security rather than on protecting against the predations of malicious security crackers. Security can be violated through careless acts more easily than by outside forces.

Note: These tips are based on an entry in our IT Security blog.

1: Turn off automated addressing features

As communication software accumulates more and more automated convenience features, we’ll see more and more cases of accidentally selecting the wrong recipients. A prime example is Microsoft Outlook’s “dreaded auto-fill feature,” where it is all too easy to accidentally select a recipient adjacent to your intended recipient in the drop-down list. This can be particularly problematic when discussing private matters, such as business secrets.

2: Use BCC when sending to multiple recipients

It’s a bad idea, from a security perspective, to share email addresses with people who have no need for them. It is also rude to share someone’s email address with strangers without permission. Every time you send out an email to multiple recipients with all the recipients’ names in the To: or CC: fields, you’re sharing all those email addresses with all the recipients. Email addresses that are not explicitly meant to be shared with the entire world should, in emails addressed to multiple recipients, be specified in the BCC: field. Each person will then be able to see that he or she is a recipient but will not be able to see the email addresses of anyone else in the BCC: field.
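As an added example (not code from the original article), the following Python builds a message the way tip 2 describes: Bcc addresses go only into the SMTP envelope (the RCPT TO list), never into the headers that every recipient can read. It assumes Python 3's standard email package and smtplib-style delivery; no mail server is contacted here, only the message bytes and recipient list are prepared.

```python
"""Prepare an email whose Bcc recipients stay hidden from everyone else.

Added example, not part of the original article. Assumes the standard
``email`` package and that the caller hands the result to
smtplib.SMTP.sendmail(message_bytes, envelope) or similar.
"""
from email.message import EmailMessage
from email.utils import getaddresses


def build_message(sender, to, cc, bcc, subject, body):
    """Return (message_bytes, envelope_recipients).

    Only To and Cc become headers. Bcc addresses are collected into the
    envelope recipient list and never serialized, so no recipient can
    learn them from the delivered message.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    # Deliberately no msg["Bcc"]: smtplib.SMTP.sendmail() transmits the
    # bytes exactly as given, so a Bcc header here would reach everyone.
    # (send_message() strips Bcc for you; sendmail() does not.)
    msg.set_content(body)

    # Envelope recipients: everyone in To, Cc and Bcc, deduplicated,
    # with display names ("Bob <bob@...>") reduced to bare addresses.
    envelope = []
    for _name, addr in getaddresses(list(to) + list(cc) + list(bcc)):
        if addr and addr not in envelope:
            envelope.append(addr)
    return msg.as_bytes(), envelope


def leaked_bcc(message_bytes, bcc):
    """Return any Bcc addresses visible in the serialized message (expect none)."""
    text = message_bytes.decode("utf-8", errors="replace")
    return [addr for addr in bcc if addr in text]
```

Delivery is then `smtp.sendmail(sender, envelope, message_bytes)`, where each Bcc recipient sees the To and Cc headers but not the other Bcc addresses.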

3: Save emails only in a safe place

No amount of encryption for sent emails will protect your privacy effectively if, after receiving and decrypting an email, you then store it in plain text on a machine to which other people have access. Sarah Palin found out the hard way that Webmail providers don’t do as good a job of ensuring stored email privacy as we might like. Many users’ personal computers are not exactly set up with security in mind, as in the case of someone whose Windows home directory is set up as a CIFS share with a weak password.

4: Use private accounts for private emails

Any email you share with the world is likely to get targeted by spammers — both for purposes of sending mail to it and spoofing that email address in the From: field of the email headers. The more spammers and phishers spoof your email address that way, the more likely your email address is to end up on spam blocker blacklists used by ISPs and lazy mail server sysadmins — and the more likely you are to have problems with your emails not getting to their intended recipients.

5: Double-check the recipient, every time — especially on mailing lists

Accidentally replying directly to someone who sent an email to a mailing list, when you meant to reply to the list, isn’t a huge security issue. It can be kind of inconvenient, though, especially when you might never notice your email didn’t actually get to the mailing list. The converse, however, can be a real problem: If you accidentally send something to the list that was intended strictly for a specific individual, you may end up publicly saying something embarrassing or worse, accidentally divulging secrets to hundreds of people you don’t even know.

One Comment
  1. August 25, 2010 9:47 pm

    Excellent advice! One tip I would like to add is using a separate email account just for financials. This keeps the email address out of circulation and out of hackers’ hands in case other people’s email accounts are hacked.
