ProtonBlog(new window)
Subscribe by RSS
What is email security?

What is email security?

Harry Bone(new window)

Share this page

Learn about email security and simple ways to secure your mailbox against cyberthreats.

From intimate letters to purchase receipts, financial information to doctor’s notes, our mailboxes are a trove of personal information. You don’t want to share all that with strangers, least of all criminals.

Yet email remains one of the main ways cybercriminals target individuals and organizations worldwide. In the US alone, thousands fall victim(new window) to email-based cyberattacks like phishing(new window) or ransomware(new window) every year, often leading to identity theft(new window), credit card fraud, and other crimes.

That’s why securing your email is vital for work or play. We explain email security, types of email attacks, and 10 simple ways to secure your mailbox.

Email security definition
How secure is email?
Types of email attacks
Why email security matters
10 tips to secure your email
Final thoughts

Create a free Proton Account button

Email security definition

Email security means taking measures to secure the contents of emails and protect individuals and organizations from common email-based cyberattacks.

That means protecting your inbox from malicious hackers, preventing phishing attacks and spam(new window), blocking malware(new window), and using encryption to prevent others from accessing your email.

However, email was never designed to be secure or private, and most email services don’t ensure your emails are safe all the time.

How secure is email?

Most big email providers, like Gmail and Outlook, use encryption to secure your emails. They use:

But TLS only works if the recipient’s email server also uses TLS. As Microsoft explains about Outlook(new window), “the message might not stay encrypted after the message reaches the recipient’s email provider. In other words, TLS encrypts the connection, not the message.”

In addition, providers like Gmail and Outlook retain the encryption keys to the emails stored on their servers. So they can decrypt them and share them with third parties, like advertisers and governments. And if your email provider suffers a data breach(new window), a hacker could access the keys to decrypt your data, as breaches at Yahoo(new window) and Microsoft(new window) have shown.

The only way to secure your emails from third parties is to use end-to-end encryption(new window), as we do at Proton Mail. With Proton Mail, when you write to someone else on Proton Mail, your message is automatically encrypted on your device before it passes over the internet. Only the recipient has the key to convert the text back into a readable message on their device.

And if you want to write an end-to-end encrypted message to someone who isn’t on Proton Mail, you can send a Password-protected Email.

Proton Mail also uses zero-access encryption(new window) to store emails. That means we immediately encrypt any unencrypted messages you receive from services like Gmail. No one but you has the private key to decrypt them, not even Proton.

Get Proton Mail button

Apart from the direct threat to your data outlined above, cybercriminals can manipulate or exploit various components of emails, such as:

  • Sender (From and Reply-To addresses) and display name: Cybercriminals can “spoof”(new window) (forge) the sender’s name and address so you think the email is from someone you trust.
  • Subject line and body text: Fraudsters can design subject lines and messages to trick you into taking damaging action, like divulging personal details.
  • URLs and attachments: Emails can contain links or attachments that look legitimate but might lead to malicious websites or trigger malware downloads.
  • Email headers: Cybercriminals can manipulate email headers(new window) to cover their tracks and make emails look more legitimate.
  • Email trackers: Emails can contain spy pixels(new window), typically single-pixel images that track you or hide or distract from malicious content in the message, or tracking links(new window) that monitor how you interact with it.

Cybercriminals can exploit these email components to launch various kinds of attacks.

Types of email attacks

Here are some common ways malicious actors may access or otherwise exploit your email account.

Malware

Malware(new window), or malicious software, is any file or piece of code designed to harm or gain unauthorized access to a computer or computer network, including your smartphone or tablet. Common types of malware include viruses(new window), worms, Trojans, adware, spyware, and ransomware(new window). Email is commonly used to spread malware through phishing attacks.

Types of malware which can threaten email security

Phishing

One of the greatest threats to email, phishing(new window) is when attackers send you a fake message to trick you. The message appears to be from a legitimate source, like your bank or a popular service like PayPal or Facebook. But the aim is to trick you into revealing sensitive information (like login or credit card details) or downloading malware on your device.

Spoofing

Email spoofing(new window) is when bad actors forge or “spoof” an email address, for example, the sender’s address in the From field, to make a message look like it comes from someone you trust. Commonly used for phishing and business email compromise(new window), spoofed emails try to trick you into revealing sensitive information or clicking on a malicious attachment.

Spam

Spam email(new window) is any unsolicited and unwanted messages sent out in bulk by email, typically for commercial purposes. While spam emails may be legitimate ads, scammers may use them to launch phishing attacks and distribute malware.

Account takeover

Using the methods above, scammers may steal your email account username and password to gain access to your account. Or they may crack your password with a brute force attack(new window) or buy your username and password on the dark web(new window) if your email login details are leaked(new window). Once inside, they can monitor your messages, steal more personal information, or use your address to launch malware attacks and spam to your contacts.

Man-in-the-middle attacks

A man-in-the-middle attack(new window) is where an attacker manipulates an email as it’s being sent from the sender to the recipient without their knowledge. By intercepting emails in transit, attackers can eavesdrop on the communication or alter the content of the emails.

Why email security matters

Securing your email account is not just about keeping the intimate details of your life to yourself. As email is one of the main vectors for cyberattacks, ignoring your email security could have devastating consequences.

In July 2022, some home buyers in Charlotte, North Carolina, received a message from a realtor to wire $400,000 for an escrow payment. But after they sent the money, they realized the email was spoofed. The message was from a fraudster.

Luckily, they managed to stop the payment in time, the FBI reported(new window). Others have not been so lucky.

Thousands of businesses in the US are hit by business email compromise(new window) every year, resulting in losses of around $50 billion worldwide over the last decade. If you run a business, taking steps to secure your email is critical to:

  • Avoid financial and sensitive data loss
  • Comply with data privacy(new window) regulations
  • Maintain your reputation and the trust of customers
  • Ensure business continuity if you’re hit by a cyberattack

In short, securing your email is critical for anyone who has an email account, whether for work or personal use.

10 tips to secure your email

Here are ten best practices to keep your email account secure.

1. Use end-to-end encryption

Switch to an end-to-end encrypted email service, like Proton Mail. With Proton Mail, you can automatically send end-to-end encrypted messages to others on Proton Mail or send Password-protected Emails to non-Proton users. No one but you and your intended recipients can read them, not even Proton.

2. Use a strong password and password manager

Make sure you use strong, unique passwords(new window) for your email and other online accounts. To help you generate unique, strong passwords and store them securely, get a good open-source password manager like Proton Pass.

3. Enable two-factor authentication (2FA)

By enabling 2FA(new window), you can protect your email account if your password is lost through a data breach or phishing. If you use Proton Mail, you can set up 2FA with an authenticator app and/or U2F security keys.

4. Beware of phishing

Learn how to spot signs of phishing(new window) and avoid clicking on suspicious links or downloading attachments in emails from unknown senders. Switch to a secure email provider like Proton Mail, which has PhishGuard advanced phishing protection to flag potential attacks.

5. Block spam with filters

Don’t open spam emails(new window) or respond to them, especially if you suspect phishing. Delete them. Secure email providers like Proton Mail automatically filter out spam, and you can use spam and block lists to customize filters or block a sender in a few clicks.

6. Protect your email with aliases

By using an email alias(new window), random email addresses that forward messages to your main inbox, you can hide your personal email address. Use Proton Pass hide-my-email aliases to create accounts online and protect your real email address from being disclosed or leaked.

7. Use email authentication

If you have your own email domain (for example, you@yourdomain.com), implementing email authentication methods like SPF(new window), DKIM(new window), and DMARC(new window) is vital to protect your domain from spoofing(new window) and improve deliverability. If you’re on a Proton Mail paid plan, you can set up your custom domain and SPF, DKIM, and DMARC with a simple wizard.

8. Block email tracking

Emails can contain spy pixels(new window), which can send sensitive information back to the sender when you open them, or tracking links(new window). Block spy pixels by stopping images from loading automatically, or switch to Proton Mail, which blocks spy pixels and known tracking links by default.

9. Get good antivirus software

Install good antivirus or internet security software, which includes spam filters to block potential phishing emails and scans for all kinds of malware. Make sure it’s updated with the latest virus/malware definitions.

10. Keep your devices updated

Set your computer or phone operating systems, emails clients(new window), and other apps to update automatically so that you always have the latest versions with security patches. Malware delivered by phishing emails or other means can exploit vulnerabilities in operating systems and other software.

Final thoughts

Email security is vital to protect your sensitive information, defend against cyberthreats, and protect your privacy online.

Follow the simple tips above to keep your email secure and private, and spread the word among family and friends. If you run a business, train your team about the dangers of phishing and other basic email security.

An easy first step to secure your email is to switch to end-to-end encrypted Proton Mail or Proton for Business if you need email for work.

With end-to-end encrypted Proton Mail, Proton Calendar, Proton Drive, Proton VPN(new window), and Proton Pass, no one but you can access your data. Not even Proton. 

Proton Mail also features automated anti-abuse and account security(new window) and Proton Sentinel(new window), an advanced high-security program for those who need maximum account protection and support. So join us, and stay secure!

Secure your emails, protect your privacy
Get Proton Mail free

Related articles

Secure, seamless communication is the foundation of every business. As more organizations secure their data with Proton, we’ve dramatically expanded our ecosystem with new products and services, from our password manager to Dark Web Monitoring for cr
what is a brute force attack
On the subject of cybersecurity, one term that often comes up is brute force attack. A brute force attack is any attack that doesn’t rely on finesse, but instead uses raw computing power to crack security or even the underlying encryption. In this a
Section 702 of the Foreign Intelligence Surveillance Act has become notorious as the legal justification allowing federal agencies like the NSA, CIA, and FBI to perform warrantless wiretaps, which sweep up the data of hundreds of thousands of US citi
In response to the growing number of data breaches, Proton Mail offers a feature to paid subscribers called Dark Web Monitoring. Our system checks if your credentials or other data have been leaked to illegal marketplaces and alerts you if so. Often
Your email address is your online identity, and you share it whenever you create a new account for an online service. While this offers convenience, it also leaves your identity exposed if hackers manage to breach the services you use. Data breaches
proton pass f-droid
Our mission at Proton is to help usher in an internet that protects your privacy by default, secures your data, and gives you the freedom of choice. Today we’re taking another step in this direction with the launch of our open source password manage