Email Security Tips Everyone Should Follow

Email is the front door to your online life. Your bank, your social media accounts, your subscriptions, your work accounts, and your personal communications all route through your email. If someone gains access to your email, they can reset passwords on virtually every other account you own. Protecting your email is not optional.

The good news is that the most effective email security measures are simple habits that take minutes to set up. Here are the ones that matter most.
Enable Two-Factor Authentication
Two-factor authentication (2FA) adds a second step to logging into your email. After entering your password, you also enter a code from an authenticator app on your phone, or you confirm the login through a push notification. Even if someone steals your password, they cannot access your account without the second factor.
Gmail, Outlook, Yahoo, and every other major email provider supports 2FA. Turn it on today if you have not already. Go to your email account's security settings and look for two-step verification or two-factor authentication. Follow the setup process, which typically involves scanning a QR code with an authenticator app like Google Authenticator or Authy.
An authenticator app is more secure than receiving codes by text message, because SMS messages can be intercepted through SIM-swapping attacks. Use an authenticator app as your primary 2FA method and keep SMS as a backup if the option is available.
Recognizing Phishing Emails
Phishing is the most common email threat. A phishing email pretends to be from a legitimate company or person and tries to trick you into clicking a malicious link, downloading an infected attachment, or entering your credentials on a fake website.
Common phishing indicators include messages that create urgency ("Your account will be suspended in 24 hours"), requests to verify personal information, generic greetings instead of your actual name, misspelled sender addresses (like "[email protected]" with a zero), and links that do not match the supposed sender.
Before clicking any link in an email, hover over it (without clicking) to see the actual URL it points to. If the link says it goes to your bank but the URL shows a completely different domain, it is a phishing attempt. When in doubt, do not click the link. Instead, open your browser and go directly to the company's website by typing the address yourself.
Use Strong, Unique Passwords
Your email password should be different from every other password you use. If you reuse the same password across multiple sites and one of those sites gets breached, attackers will try that password on your email account. This is called credential stuffing, and it works because people reuse passwords constantly.
A strong password is at least 12 characters long and includes a mix of letters, numbers, and symbols. Better yet, use a passphrase: a string of random words like "correct horse battery staple" that is long and memorable but hard to guess. The length of the password matters more than its complexity.
Use a password manager like Bitwarden (free), 1Password, or the built-in password managers in Chrome, Safari, or Edge. A password manager generates and stores unique passwords for every site, so you only need to remember one master password. This eliminates the temptation to reuse passwords across accounts.
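The claim that length matters more than complexity can be checked with a little arithmetic, and a passphrase is only strong if the words are chosen by a proper random source. This added example (not from the article or any password manager) computes the entropy of random passwords and passphrases and generates both with the operating system's cryptographic random generator. The small WORDLIST is constructed for the demo; the 7,776-word figure is the size of the EFF long wordlist that diceware-style passphrases normally draw from, and the function names are this example's own.

```python
import math
import secrets
import string
from typing import List

# Constructed, deliberately tiny wordlist for the demo. A real passphrase should draw from a
# published list such as the EFF long wordlist, whose size is used for the entropy figures below.
WORDLIST: List[str] = [
    "correct", "horse", "battery", "staple", "anchor", "orbit", "velvet", "canyon",
    "lantern", "meadow", "pixel", "quartz", "saddle", "timber", "umbrella", "walnut",
]
EFF_LONG_WORDLIST_SIZE = 7776


def entropy_bits(length: int, pool_size: int) -> float:
    """Bits of entropy for `length` symbols each drawn uniformly from a pool of `pool_size`."""
    return length * math.log2(pool_size)


def charset_size(password: str) -> int:
    """Size of the smallest standard pool (lower, upper, digits, punctuation) covering the password."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, 32),
    )
    return sum(size for chars, size in classes if any(c in chars for c in password))


def estimate_bits(password: str) -> float:
    """Upper bound that assumes every character was picked at random. Dictionary words and
    keyboard patterns score far lower in practice, so use this to compare generator settings,
    not to grade a password a human invented."""
    return entropy_bits(len(password), charset_size(password))


def passphrase(words: int = 4, wordlist: List[str] = WORDLIST, sep: str = " ") -> str:
    """Pick words with `secrets` (the OS CSPRNG), never the predictable `random` module."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def random_password(length: int = 16) -> str:
    """Password-manager style: random characters from all 94 printable ASCII symbols."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def meets_minimum_length(password: str, minimum: int = 12) -> bool:
    return len(password) >= minimum


def length_beats_complexity() -> bool:
    """20 lowercase letters (about 94 bits) beat 12 characters from all 94 symbols (about 79 bits)."""
    return entropy_bits(20, 26) > entropy_bits(12, 94)


if __name__ == "__main__":
    print("12 chars, full symbol set:", round(entropy_bits(12, 94), 1), "bits")
    print("20 lowercase letters:     ", round(entropy_bits(20, 26), 1), "bits")
    print("4 EFF words:              ", round(entropy_bits(4, EFF_LONG_WORDLIST_SIZE), 1), "bits")
    print("6 EFF words:              ", round(entropy_bits(6, EFF_LONG_WORDLIST_SIZE), 1), "bits")
    print("sample passphrase:", passphrase(5))
    print("sample password:  ", random_password())
```

The numbers make the article's point concrete: adding eight lowercase characters adds more entropy than switching a 12-character password to the full symbol set, and six random words from a real wordlist land in the same range as a 12-character random password while being far easier to remember.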
Be Careful with Attachments
Email attachments are a common delivery method for malware. Files with extensions like .exe, .bat, .scr, .zip, and .js can contain malicious code that runs when you open them. Even seemingly harmless files like Word documents (.doc, .docx) and Excel files (.xls, .xlsx) can contain embedded macros that execute malicious code.
Never open an attachment you were not expecting, even if it appears to come from someone you know. If a colleague sends you a file out of the blue with no context or explanation, verify with them through a separate channel (phone call, text message, or in-person) before opening it. Their email may have been compromised.
If you must open an attachment from an unknown source, scan it with your antivirus software first. Most antivirus programs let you right-click a file and scan it before opening. Some email providers like Gmail scan attachments automatically, but relying solely on automated scanning is not sufficient for high-risk files.
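The phishing indicators above (a sender address with a digit swapped in for a letter, link text that names one site while the link goes somewhere else) and the attachment rules in this section are all things a mail client or filter can check mechanically. This added example (not from the article, and not any mail provider's filter) parses a raw email with Python's standard email module and reports those indicators. The message in SAMPLE is constructed for the demo, KNOWN_BRANDS is a hypothetical list of sites the recipient has accounts with, and the registrable-domain shortcut is an assumption that a real filter would replace with the Public Suffix List.

```python
import re
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Extensions the article calls out, plus the macro-enabled Office variants (.docm/.xlsm).
EXECUTABLE_EXTS = {".exe", ".bat", ".scr", ".zip", ".js"}
OFFICE_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".docm", ".xlsm"}
# Hypothetical brands the recipient actually deals with (constructed for this example).
KNOWN_BRANDS = {"paypal.com", "examplebank.com"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude 'www.login.example.com' -> 'example.com' (assumption; real code uses the Public Suffix List)."""
    host = host.lower().strip(".")
    if re.fullmatch(r"[\d.]+", host):  # bare IP address: keep whole
        return host
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def lookalike_key(domain: str) -> str:
    """Fold digits commonly swapped for letters so 'paypa1.com' and 'paypal.com' compare equal."""
    return domain.lower().translate(str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"}))


def check_sender(msg: Message) -> List[str]:
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    if not m:
        return ["From header carries no address"]
    dom = registrable(m.group(1))
    if dom not in KNOWN_BRANDS and lookalike_key(dom) in {lookalike_key(b) for b in KNOWN_BRANDS}:
        return [f"sender domain {dom} looks like a known brand but is not one"]
    return []


def check_links(html: str) -> List[str]:
    """The 'hover to see the real URL' check, done programmatically: flag anchors whose visible
    text names one domain while the href goes to another."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = registrable(urlparse(href).hostname or "")
        shown = re.search(r"(?:https?://)?([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})", text, re.I)
        if shown and registrable(shown.group(1)) != target:
            findings.append(f"link text shows {shown.group(1)} but points to {target or href}")
    return findings


def check_attachments(msg: Message) -> List[str]:
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        exts = ["." + e for e in name.lower().split(".")[1:]]
        if any(e in EXECUTABLE_EXTS for e in exts):
            findings.append(f"attachment {name} has an executable or archive extension")
        if len(exts) > 1:
            findings.append(f"attachment {name} uses a double extension to disguise its type")
        if exts and exts[-1] in OFFICE_EXTS:
            findings.append(f"attachment {name} is an Office document that may carry macros")
    return findings


def triage(raw_message: str) -> List[str]:
    """Every indicator found; an empty list means nothing obvious, not that the message is safe."""
    msg = message_from_string(raw_message)
    findings = check_sender(msg)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            findings += check_links(body.decode(part.get_content_charset() or "utf-8", "replace"))
    return findings + check_attachments(msg)


# Constructed sample carrying all three indicators at once (not a real message; 203.0.113.5 is a documentation address).
SAMPLE = """\
From: "PayPal Support" <support@paypa1.com>
To: alice@example.net
Subject: Your account will be suspended in 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Verify now: <a href="http://203.0.113.5/login">https://www.paypal.com/verify</a></p>
--b1
Content-Type: application/octet-stream; name="Invoice.pdf.exe"
Content-Disposition: attachment; filename="Invoice.pdf.exe"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("-", finding)
```

Running it on SAMPLE prints four findings: the lookalike sender domain, the link whose text and destination disagree, and two for the attachment (executable extension and double extension). The checks are deliberately conservative; a clean plain-text note from a colleague produces no findings, which is why the human verification step the article describes still matters.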
Check Your Account Activity
Most email providers let you see recent login activity on your account. In Gmail, scroll to the bottom of your inbox and click "Details" under "Last account activity." This shows you every device and location that has accessed your account recently.
If you see a login from a location or device you do not recognize, change your password immediately and review your 2FA settings. Someone may have gained access to your account. Also check your email forwarding rules and filters, as attackers sometimes set up forwarding rules that silently copy all your incoming email to an external address.
Avoid Public Wi-Fi for Email
Public Wi-Fi networks at coffee shops, airports, and hotels are not secure. Traffic on these networks can potentially be intercepted by others on the same network. If you must check email on public Wi-Fi, use a VPN (virtual private network) to encrypt your connection, or use your phone's cellular data instead.
Most modern email services use encrypted connections (HTTPS) by default, which provides a layer of protection even on insecure networks. But a VPN adds an additional layer of encryption that protects all your internet traffic, not just email.
The Minimum Everyone Should Do
If you take away just three things from this article: enable two-factor authentication on your email account, use a unique password that you do not use anywhere else, and pause before clicking links or opening attachments. These three habits prevent the vast majority of email-based attacks and take less than 10 minutes to implement.