Email security

by John Bandler

Here is a quick definition of the term and explanation of cybersecurity best practices.

Email security definition in sum

Email security is a broad term that encompasses a wide range of configurations, practices, knowledge, and awareness to protect against cybercrime, maintain good cybersecurity, and manage information well.

Email security is an essential part of cybersecurity and cybercrime protection for individuals and organizations. Here are some quick tips to secure your email accounts (or those of your organization). Links are below to other articles which have more information about cybercrime, cybersecurity, and building a comprehensive program for cybersecurity and cybercrime prevention.

A comprehensive cybersecurity program is needed to achieve good email security. An on-ramp for this includes the Four Pillars of Cybersecurity.

Email security in perspective

Email is a critical method of communicating and storing information. Email services are often tied to other services (document storage, other cloud services, etc.). Confidential information may be stored within emails. Emails are used to initiate or confirm funds transfer instructions.

Email is used by criminals for a multitude of cybercrime attacks, including to impersonate others, steal funds, steal data, launch other attacks, and deliver spam and malicious links and attachments.

Each person and organization needs to make their own decisions about risk and cybersecurity. Here are some tips to improve your email security.

Email security best practices first priorities (Steps 1 and 2)

The two most important steps for securing an email account are:

1. Ensure the account has a strong, unique password.

  • A strong password means it would be hard for a person or computer program to guess. Longer is better.
  • A unique password means you don't use this password for any other account.

See link below for more about passwords.

2. Ensure two-factor authentication is enabled (also known as multi-factor authentication, 2FA, MFA, two-step authentication).

  • 2FA means access to the account requires two factors to prove who you are: a password (something you know) plus proof of something you have (your cell phone or a token) or proof of who you are (e.g. facial features).

See link below for more about 2FA, MFA.

Here are some other steps

3. Review the security and privacy settings for your email account

As available from your email provider (Google, Microsoft, Yahoo, etc.) check the security and privacy information and settings periodically. Learn a little more each time. See my Four Pillars of Cybersecurity with a focus on the "Data" pillar.

4. Review your computer device security

Review the security of your computer devices, such as smartphones, tablets, laptops, and desktops. These devices access your email (and a whole lot more). See my Four Pillars of Cybersecurity with a focus on the "Devices" pillar.

5. Repeat periodically

Cybersecurity is never "done". We review periodically and try to improve our knowledge, awareness, security, and efficiency.

See my Four Pillars of Cybersecurity (link below) and remember that the first pillar is "Knowledge and Awareness" and we always need to improve upon that.

6. Think before you click, open, address, or send

Receiving an email? Think before you click on a link or open an attachment. Are there any indicators it is a phishing email, or that it is trying to get you to go to a malicious website or open a malicious program (malware)? Check who sent it (the sending email address), and be aware it might be a similar-looking email account, or even a hacked (compromised) account. Just because it displays as being from "John Doe" doesn't mean it really is "John Doe".

Sending an email? Double check who you are addressing it to. Don't assume the computer and its autocomplete or suggestion can read your mind or magically send it to the right recipient. Again, just because the name displays as going to a person doesn't mean that is their real or current email address.

Again, make sure the email you send is going to the right person, not an unintended recipient.

Before hitting "send", do a final proofread, check the address lines (the actual email addresses it is going to), and also do a proofread for clarity and tone.

7. Create email distribution lists where warranted

Where warranted, create an email distribution list, keep it updated, and check it periodically.

A little work and planning can save an embarrassing incident or even an incident that creates reporting requirements, loses business, or creates legal liability.

8. Check your contacts and autocomplete email addresses

If you have autocomplete email addresses that you will likely not need, or addresses for people who would not be sympathetic to misaddressed confidential communications, delete them from the autocomplete.

9. Avoid using "bcc"

While "bcc" (blind carbon copy) has its uses and can save time, there are also drawbacks. A recipient on the "bcc" line might have difficulty realizing they were "bcc'd" and might deliberately or accidentally "reply-all", including the original recipients.

Another way to do it is, after you send the original email, to simply forward it to the people you might have otherwise bcc'd.

10. Keep your email threads clean and with proper subjects and content

In other words, do not reply to that confidential email to ask if someone wants to go to lunch or to discuss an entirely unrelated issue. If you do that, you have just created an unnecessary copy of that confidential information in everyone's email boxes.

The harms of poor email security

If email security is poor, these are the bad things that can happen.

  • Data breach. Stored emails are accessed and stolen. Or confidential information is otherwise sent to unauthorized parties. This could lead to other harms and could be a reportable data breach (see other article linked to below).
  • Email Based Funds Transfer Frauds. Your email account, or the information within it, can be used to commit a theft known as business email compromise (BEC) or CEO fraud, and other names (mine is Email Based Funds Transfer Frauds). See other article linked to below.
  • Loss of communication ability
  • Disruption
  • Embarrassment
  • Loss of business

The benefits of good email management

If you secure your email accounts well, and learn to manage them well, here are the benefits:

  • It also secures your other important information that may be stored in the same account (documents, contacts, calendar, tasks, notes, etc.).
  • It prevents all the bad things listed above
  • It allows you to communicate and work efficiently and effectively.

Steps in a short list (may be duplicative of the above)

Now I break all of the above into a shorter, punchier bullet list.

  • Use a strong, unique password
  • Employ two factor authentication (2FA, MFA)
  • Check email provider security and privacy settings periodically
  • Be aware of email-based funds transfer frauds. Train your employees about it
    • All payment instructions (funds transfer instructions) must be confirmed with a verbal conversation
    • All changes to payment instructions must also be confirmed verbally!
  • Know who you are emailing
    • Do you have the correct email address?
      • Many people have the same first name
      • Many email addresses may seem similar
      • Just because the email doesn't bounce doesn't mean it went to the intended recipient
      • Serious data leaks with legal repercussions can occur simply by emailing confidential information to the wrong recipient
      • Cybercriminals exploit compromised email accounts, and create new email accounts that are similar to existing accounts ("spoofed" email accounts)
    • If you have the correct email address, is there a possibility that the email account has been compromised ("hacked")?
      • This becomes critical when payment instructions are involved
  • Check the email addresses on the to, cc, and bcc lines before you hit "send"
  • Check any attachments before you hit "send"
  • Create email distribution lists as needed. A carefully created and updated email distribution list can be better than sifting through hundreds of contacts or autocomplete email addresses.
  • Go through your email autocomplete email addresses periodically
    • Purge (delete) any autocomplete email addresses you are unlikely to need
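
The sender check described in step 6 and under "Know who you are emailing" can be partly automated. The following is an added example, not part of the original article: it compares a From header against a small address book and flags a familiar display name on an unfamiliar address, and addresses that are nearly identical to a known one. The contacts, the `.example` domains, and the names `check_sender` and `edit_distance` are all constructed for illustration.

```python
from email.utils import parseaddr

# Constructed address book: display name -> address verified out of band.
KNOWN_CONTACTS = {
    "john doe": "john.doe@acme.example",
    "jane roe": "jane.roe@partner.example",
}

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header, contacts=KNOWN_CONTACTS, max_distance=2):
    """Return a list of warnings for one From: header value."""
    display, address = parseaddr(from_header)
    display, address = display.strip().lower(), address.lower()
    if "@" not in address:
        return ["no parseable sender address"]
    if address in contacts.values():
        # Exact match. This cannot detect a compromised (hacked) account.
        return []
    warnings = []
    expected = contacts.get(display)
    if expected:
        warnings.append(f"display name matches a contact, but address is {address}, not {expected}")
    for known in contacts.values():
        distance = edit_distance(address, known)
        if distance <= max_distance:
            warnings.append(f"address is {distance} edit(s) away from {known}")
    return warnings

if __name__ == "__main__":
    samples = [  # constructed From: headers
        '"John Doe" <john.doe@acme.example>',
        '"John Doe" <john.doe@acrne.example>',   # "rn" imitating "m"
        '"John Doe" <jd.payments@mail.example>',
    ]
    for header in samples:
        print(header, "->", check_sender(header) or "no warnings")
```

An empty result only means the address matches one you already trust; payment instructions still need the verbal confirmation described above.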

Related terms

This is (sort of) a key term definition article

I have decided to experiment by creating short webpages to provide definitions and best practices for certain key terms. This is one of those webpages.

These are terms that I have explained or defined dozens or even hundreds of times in my life, either through conversation or in writing. After explaining the term I try to explain best practices relating to those terms. These are terms or guidance that may appear in my cybersecurity policies.

This page is a little different, because it is a broader concept, so it got longer and more complicated.


This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

This is to inform; you assume all risk for cybersecurity decisions you make. This is a work in progress. This is a limited amount of words.

I may explain nuances further in other articles, or one of my books. Other experts may have differing opinions.

Ask ten different IT or IS experts, and you will get ten or more different definitions for a term, and as many different recommendations for cybersecurity posture. Cybersecurity is about decisions and risk management.


Cybersecurity and technology are a life-long learning process. Start now and employ the important cybersecurity steps of a strong password and two-factor authentication. Look to the other steps and review periodically, to continually improve how you secure and use your email accounts and other technology.

If you are a cybercrime victim, see the resources here, and contact me if you need professional assistance.

If your organization needs help with improving its cybersecurity and identity theft protection, feel free to contact me.

Additional reading

This article is hosted at, copyright John Bandler, all rights reserved.

Originally posted 3/9/2023 (building on prior work), updated 11/04/2023.