Email is the #1 target for hackers. Here’s how to secure email for your business

Email is the primary attack vector for hacking and fraud, and the situation is only getting worse. From 2017 to 2018, email-based attacks on businesses increased 476%, according to the most recent threat survey by the cybersecurity firm Proofpoint. The FBI reports there are around 14,000 email scams each year worldwide, costing companies $12 billion. And most small businesses don’t believe they could remain profitable if they lost their data.

There are several reasons hackers target email so often:

  • They work — human error is an unpatchable weakness in any security plan, and email is a perfect medium to exploit people.
  • They store lots of data — your email account is a trove of sensitive data, including financial information, contacts, and information that can be used in social engineering schemes.
  • Email is ubiquitous — everyone uses email, making the number of potential targets in a single organization as large as the payroll.
  • Email is identity — your email account is used to verify your identity, email addresses are often usernames, and a successful account takeover is an entrypoint to further attacks.

Given the stakes, secure email practices must be a priority for your organization. Based on what we know about attacks, implementing this advice can reduce your exposure to email attacks.

Train employees on common attacks

It’s important to create a culture of security awareness in your organization, and email security should be at the top of the list. There are a few areas you should cover:


Phishing attacks attempt to trick victims into clicking on links or downloading attachments in emails that appear to be legitimate. A lot of times, phishing emails are obviously fake. But sophisticated ones might spoof the “from” address to look like an official sender and design the email in a convincing way.

For example, the phishing email that exposed Hillary Clinton’s campaign emails looked like this:

example of a phishing attack

When her campaign manager clicked the “change password” button, it took him to a page operated by the hackers, where he proceeded to enter the login to his Gmail account. Other kinds of phishing attacks might result in malware or ransomware being installed on your device or network.

You can prevent phishing attacks by training your employees to be vigilant. As a general rule, they should never click on links or download attachments in unexpected emails without first verifying their legitimacy. ProtonMail provides a number of anti-phishing features, such as report phishing, anti-spoofing, and DMARC protection. If you receive an unexpected email alert from an online service you use, it’s always better to go to the website and log in to your account there, rather than clicking the link in the email.


The FBI report cited above focuses on another kind of email attack: scams. You’re surely familiar with the emails from strangers hoping to send you millions of dollars, provided you cover their wire fees up front. Businesses are often the target of more sophisticated scams that use social engineering.

One common tactic is to spoof a manager’s email address (or actually take over that person’s account) and send an “urgent” message to a lower-level employee asking for a quick transfer to a client. Or they might fake an invoice from a plausible vendor.

Employees should be trained to be skeptical of any emails requesting money transfers or sensitive personal or business data. If there’s any doubt, reach out to a manager or IT contact in the company.

Require two-factor authentication (2FA)

Every employee in your organization should use two-factor authentication in any online account that offers it. With 2FA enabled, after entering their username and password, a person then also has to enter a code from a fob or an authenticator app installed on their mobile device. (Email and SMS codes are also common, though these are less secure. Hardware authenticators are most secure). If Hillary Clinton’s campaign manager had 2FA enabled on his Gmail account, the hackers would not have been able to access his account unless they also had control of his smartphone.

Enforce password security

Using a strong, unique password is the first line of defense for all your organization’s accounts and devices, including email. We have previously offered our recommendations for choosing strong passwords, but there are two main points:

  • Use a different password for each online account.
  • The longer and more random your password is, the more secure it is.

There is no reason to ask employees to reset their passwords periodically or to require the use of certain kinds of characters. It’s much more important to ensure they are choosing a strong, memorable password or using a trustworthy password manager to help them do it.

Use encrypted email

Some email providers are more secure than others. If you are using an email service that does not use end-to-end encryption, then there is a possibility that a data breach will expose your organization’s emails. For certain organizations, this can also increase your liability for penalties under HIPAA and the GDPR.

Unlike Gmail and other mainstream providers, ProtonMail does not have the ability to decrypt users’ emails and neither do hackers. The only way someone could access messages sent between ProtonMail accounts would be to compromise the end-user or stage an elaborate man-in-the-middle attack. We have also taken measures, such as Encrypted Contacts and Address Verification, to drastically reduce the possibility of one of these attacks succeeding.

Reduce your attack surface

Every email address is an opportunity for an attacker. So if you reduce the number of employees with publicly available email addresses, you can reduce your potential attacker’s options. You should only list essential employee names and contacts on your organization’s website. You can also consider using non-obvious email formulations that are difficult to guess. For example, instead of, you could use

ProtonMail is committed to providing the most secure email service possible for businesses. Over 10 million users, including thousands of organizations, governments, and small businesses, depend on us to keep their data safe. Learn more about ProtonMail for business.

Best Regards,
The ProtonMail Team

You can get a free secure email account from ProtonMail.

We also provide a free VPN service to protect your privacy.

ProtonMail and ProtonVPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan or donate. Thank you for your support.

About the Author

Ben Wolford

Ben Wolford is a writer at Proton. A journalist for many years, Ben joined Proton to help lead the fight for data privacy.


Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

5 comments on “Email is the #1 target for hackers. Here’s how to secure email for your business

  • I like the concept of ProtonMail but there are a couple of thing that I dislike . Possibly you’ve already addressed them, or maybe the paid version is more configurable. One is trying to delete mails manually is a pain. They are I saved in several folders. So I usually go to All Mail and delete there, but every time I delete an email another copy instantly pops up. Additionally, if I press and hold on each email in that folder a little check box shows next to the individual emails which I then check to do a mass deletion then I click the trash can. But no, the mails are not deleted. It paradoxical that deleting emails from this program should be harder than from conventional programs.

    The second complaint is the ugly black and white interface. The color I would thin has nothing to do with security so why not spiff it up a bit?

    Thank you.

    • The All Mail section contains all the emails that are in your Mailbox. When you delete certain emails from this section, they can still be found in the Trash folder. Our interface will also be improved with version 4.0 that will be released in the near future. Stay tuned 😉

  • Is there malware that if I click on a link will enable the hacker to upload software to my computer to do real time spying? Such as go through all my contacts and documents and even alert them as to when I get on or off my computer?

    Boy, now that I ask it I feel stupid. The answer has got to be yes, right?

    I appreciate you all and would love to see guidance on how to conform to a more blockchain based or decentralized environment where it may be many times more difficult for hackers to invade.

  • Can you develop an Apple Watch Mail app? Right now I can see that I got an email, but I have to go to my phone and open the Protonmail app to read or answer it.