20 Email Security Best Practices Every User and Business Needs to Know and Implement

For many organizations as well as individuals, email is the primary form of online communication. It’s free, reliable and easily accessible, which is why there are over 4.2 billion email users around the globe in 2022.

However, it is also very vulnerable to different online threats, including spam and phishing. To protect against them, here are 20 email security best practices every user needs to know and implement.

1. Use More Than One Email Account

According to the Global Statistics in Account Takeover Fraud for 2023 by SEON, 22% of US adults have been a victim of account takeover (ATO) fraud. This includes email, social media, online banking and credit cards.

Email is often a target for different scammers, hackers and other bad actors, and they would like nothing more than to take over your account and use it for their personal benefit.

This is why it’s important to have several email accounts. That way, you can separate your business and personal communication, have a third one for social media, or sign up for websites and online shopping, etc.

2. Use a Different Password for Each Account

An average US email address is connected to 130 online accounts, according to the 2020 Digital Guardian survey.

Naturally, all of these accounts require passwords, and remembering more than 100 of them is very tricky. This is why many people reuse the same password on multiple non-sensitive accounts (49%) or on all their accounts (11%).

Obviously, this is a dream come true for hackers, as you are giving them the same key to all your accounts, not just email. If you instead use a different password for each account, then even if a hacker manages to breach one of those passwords, only the account associated with it is compromised.

3. Use Strong Passwords

In a way, life was a lot easier before the Internet (yes, I am that old to remember some of that time). There just weren’t so many things competing for our attention like YouTube, social media, streaming services, online shopping, etc.

On top of all that, you also have to think about passwords. Well, one way to make life easier is to make your passwords easy to remember, right?


It takes only 2 seconds to brute force a 7-character password (using only upper-case and lower-case letters), as shown in this table by Hive Systems.

Compared to that, a 12-character password that includes upper-case and lower-case letters, numbers and special symbols takes 3,000 years to crack.

4. Don’t Give Out Your Email Password

Of course, no password is truly secure if you’re just going to give it away to anyone.

You should never give out your email password, either directly, over email, or over the phone.

No reputable company will ever ask you for your account password, so if you get a request like that, it is a scam 99.9% of the time. Always keep your passwords to yourself, especially your email password.

5. Update Your Password From Time to Time

One piece of cybersecurity advice you might have heard is to change your passwords frequently.

In fact, many cybersecurity “experts” recommend changing your password a few times per year, with some even saying you should do it every 30 days.

This advice, however, is outdated, and there’s really no need for it if you followed email security best practice number 3: use strong passwords.

In fact, according to the Digital Identity Guidelines of the US Department of Commerce’s National Institute of Standards and Technology (NIST), you should only change passwords that are either:

  • Commonly-used
  • Expected, or
  • Breached

If your password is already unique, strong and not compromised, there is really no need to change it.
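The NIST rule above is easy to turn into a screening step a site (or a password manager) can run when a password is chosen or changed. The following is an added example, not code from the article or from NIST: it rejects passwords that are commonly used, expected from context (contain the username or service name), known breached, or repetitive/sequential, and accepts everything else. The word list and the "breached" hash set are constructed for the demonstration; a real deployment would load a large list and query a breach corpus such as a Pwned-Passwords-style hash lookup instead.

```python
"""Password screening in the spirit of NIST SP 800-63B.

Added example; the blocklists below are constructed for this demonstration
and are not real breach data.
"""
import hashlib

MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen memorized secrets

# Constructed list of commonly used passwords (a real deployment loads a large list).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome1"}


def sha1_hex(password):
    """Uppercase SHA-1 hex digest, the form breach-hash lists are usually published in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed "breached" set, stored as hashes so plaintexts never sit in the blocklist.
BREACHED_HASHES = {sha1_hex(p) for p in ("Summer2019!", "Dragon123", "Football!1")}


def expected_words(username, service):
    """Context-specific words an attacker would guess first (from the username and service)."""
    words = set()
    for source in (username, service):
        for part in source.replace("@", " ").replace(".", " ").replace("_", " ").split():
            if len(part) >= 4:  # skip tiny fragments such as "com" to limit false positives
                words.add(part.lower())
    return words


def is_repetitive_or_sequential(lowered):
    """'aaaaaaaa' or straight runs like '12345678' / 'abcdefgh'."""
    if len(set(lowered)) <= 1:
        return True
    return lowered in "abcdefghijklmnopqrstuvwxyz" or lowered in "0123456789"


def screen_password(password, username="", service=""):
    """Return the reasons the password should be rejected; an empty list means acceptable."""
    reasons = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        reasons.append("commonly used")
    if any(word in lowered for word in expected_words(username, service)):
        reasons.append("expected (contains username or service name)")
    if sha1_hex(password) in BREACHED_HASHES:
        reasons.append("found in a breach")
    if is_repetitive_or_sequential(lowered):
        reasons.append("repetitive or sequential characters")
    return reasons


if __name__ == "__main__":
    for candidate in ("password", "Summer2019!", "alice.smith2024", "correct horse battery staple"):
        verdict = screen_password(candidate, username="alice.smith@example.com", service="Example Mail")
        print(f"{candidate!r}: {'OK' if not verdict else ', '.join(verdict)}")
```

Note that the check is a blocklist, not a complexity rule: a long passphrase with no digits or symbols passes, which is exactly what the guidelines intend.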

6. Don’t Give Your Email Address to Everyone

There’s really no need to give out your email address to every online business out there that you will only interact with once or twice.

One good piece of email security advice that I don’t hear often is “be stringent about who you give your email address to”.

At the very least, if you absolutely must give it away, don’t use your main business or personal email address. That way, you can at least avoid spam on your main email accounts.

7. Use 2FA

No matter how strong the password you’re using is, it can get compromised in a data breach, phishing scam, or through spyware and other malicious software. Or, you might not have followed email security best practice #4 - don’t give out your email password.

Whatever the case, having an additional layer of security in the form of two-factor authentication (2FA for short) will help keep your account more secure.

Basically, 2FA will only let you log in to your account if, in addition to your username and password, you can also provide a second authentication factor.

This can be:

  • Something you know - PIN, token, security question, etc.
  • Something you are - fingerprint, iris scan, voice recognition, face scan, etc.
  • Something you have - an ID card, security token, etc.
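The most common “something you have” factor for email accounts is the six-digit code from an authenticator app, which is a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226). The following added example, not code from the article, shows both sides of it: how the app derives the code from a shared secret and the current 30-second time step, and how the server verifies a submitted code, allowing one step of clock skew and comparing in constant time. The secret used is the RFC test-vector secret, chosen so the outputs can be checked against the RFC tables; everything else (step size, digit count) is the usual default.

```python
"""TOTP (RFC 6238) over HOTP (RFC 4226) with the standard library only.

Added example, not from the original article. TEST_SECRET is the RFC 4226/6238
test-vector secret, used so the results are verifiable against the RFC tables.
"""
import base64
import hashlib
import hmac
import struct
import time

TEST_SECRET = b"12345678901234567890"  # RFC test-vector secret (ASCII bytes)
STEP_SECONDS = 30                       # time step shared by app and server
DIGITS = 6                              # code length most apps display


def hotp(secret, counter, digits=DIGITS):
    """HOTP(K, C): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)           # keep leading zeros


def totp(secret, at_time=None, step=STEP_SECONDS, digits=DIGITS):
    """What the authenticator app shows: HOTP with the counter = floor(unix_time / step)."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, submitted, at_time=None, window=1):
    """Server-side check: accept the code for the current step or `window` steps either
    side (phone clock skew). compare_digest keeps the comparison constant-time."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + skew), submitted)
        for skew in range(-window, window + 1)
    )


def secret_to_base32(secret):
    """Authenticator apps import the secret as base32 (what the enrolment QR code carries)."""
    return base64.b32encode(secret).decode("ascii")


if __name__ == "__main__":
    print("enrol this secret in the app:", secret_to_base32(TEST_SECRET))
    now = time.time()
    code = totp(TEST_SECRET, now)
    print("current code:", code, "accepted:", verify_totp(TEST_SECRET, code, now))
```

A server should also remember the last counter it accepted for a user so the same code cannot be replayed within its window; that bookkeeping is omitted here.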

8. Understand Phishing and Other Email Scams

According to the APWG Phishing Activity Trends Report for the 4th Quarter 2021, the number of phishing attacks in December 2021 was triple that of early 2020.

Even if we look at the three months of Q4 alone, we can see that the number of unique phishing sites detected increased from 267,530 in October to 316,747 in December 2021.

However, the number of brands targeted by phishing campaigns dropped from 624 in October to 521 in December.

Phishing attacks are getting more and more sophisticated and cunning, and bad actors can take advantage of your slightest mishap, so understanding their tactics is important if you want to keep your email account and data secure.

9. Avoid Downloading or Opening Untrusted Attachments

Speaking of phishing, one common goal cyberattackers have is to get you to download or open an attachment they send you.

If someone you’ve never met in your life approached you on the street and handed you a package, would you take it?

Of course not, so why would you do that with some Internet stranger?

Remember that “curiosity killed the cat”: there is nothing good to be had by being curious about unsolicited email attachments, so just ignore them.

10. Avoid Clicking on Suspicious URLs

However, people have become wiser about phishing schemes over the years and by now they know enough not to open unsolicited attachments. In fact, according to Tessian’s Must-Know Phishing Statistics (updated in 2022), 76% of phishing emails today don’t even include an attachment.

They do, however, include URLs that can redirect you to phishing websites. These websites can look almost identical to legitimate websites, where the user is tricked into leaving their sensitive data, or they are linked to malicious documents and will automatically download malware to your computer.

This is why you should always thoroughly inspect a URL before clicking on it, to know whether it will lead you somewhere legitimate.
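Practices 9 and 10 are both things a mail gateway or a careful reader checks before anything is opened: what the attachment really is, and where a link really goes as opposed to what its text says. The following added example (not code from the article; the sample message, sender and domains are constructed, using reserved example/.invalid names and a TEST-NET address) parses a raw MIME message with the standard library and reports the tell-tales the section describes: attachments with executable or double extensions, and links that use plain http, embed credentials before an “@”, point at a raw IP address, use a punycode host, or display one hostname while linking to another.

```python
"""Triage of one incoming message: risky attachments and deceptive links.

Added example, not from the original article. SAMPLE_MESSAGE is constructed for
the demonstration; its sender, hosts and attachment are not real.
"""
import email
import ipaddress
import os
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Extensions that run code when opened; extend to taste for your environment.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".iso", ".lnk"}

SAMPLE_MESSAGE = """\
From: "Accounts" <accounts@example.com>
To: user@example.org
Subject: Invoice overdue
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please review your <a href="http://198.51.100.7/login">account</a>,
or sign in at <a href="https://example.com.evil-host.invalid/">https://example.com</a>.</p>
<p>Details: <a href="https://user@example.com/">secure portal</a>.</p>

--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

SGVsbG8=
--b1--
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def url_findings(href, visible_text):
    """Return the suspicious properties of a link; empty list means nothing flagged."""
    findings = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme == "http":
        findings.append("plain http")
    if parts.username is not None:           # "https://user@host/" hides the real host
        findings.append("credentials/@ in URL")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode host")      # possible homoglyph lookalike
    shown = urlsplit(visible_text).hostname if "://" in visible_text else None
    if shown and shown != host:              # text says one site, link goes to another
        findings.append(f"shown host {shown} differs from target {host}")
    return findings


def attachment_findings(filename):
    """Flag executable and double extensions such as 'invoice.pdf.exe'."""
    findings = []
    base, ext = os.path.splitext(filename)
    if ext.lower() in RISKY_EXTENSIONS:
        findings.append(f"executable type {ext}")
    if os.path.splitext(base)[1]:
        findings.append("double extension")
    return findings


def triage(raw_message):
    """Parse the message and return {'attachments': {...}, 'links': {...}} findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    report = {"attachments": {}, "links": {}}
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            name = part.get_filename() or "(unnamed)"
            report["attachments"][name] = attachment_findings(name)
        elif part.get_content_type() == "text/html":
            extractor = LinkExtractor()
            extractor.feed(part.get_content())
            for href, text in extractor.links:
                report["links"][href] = url_findings(href, text)
    return report


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_MESSAGE).items():
        for name, findings in items.items():
            print(f"{kind[:-1]:>10}: {name} -> {', '.join(findings) or 'nothing flagged'}")
```

The display-text check is the one most worth keeping in mind when reading mail by hand: the hostname you see in the link text is not the hostname your browser will contact, so hover or long-press to reveal the real target before clicking.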

11. Don’t Reply to Spammers and Scammers

There is no get-rich-quick scheme, and if someone offers you one, simply ignore them, since they’re a scammer.

Don’t even acknowledge their existence by replying.

12. Use an Encryption Extension (If You’re Using Gmail)

Gmail is not secure and there are plenty of reasons to drop it.

However, it is super convenient and easy to use. Not to mention it’s free, so for most people, it’s perfect as a personal email, although not so much as a business email.

Fortunately, you can make Gmail more secure by using a Chrome extension like Mailvelope, which will allow you to send PGP-encrypted messages.

13. Use an End-to-End Encrypted Email Service

The problem with using Gmail encryption extensions is that, at the end of the day, you are still using a Google product and they don’t have a very good record of not looking into people’s data from time to time.

If you really want to keep your emails private, consider using an email service that focuses on security and privacy. Fortunately, there are more and more secure email providers today that do this and offer end-to-end encryption by default.

14. Avoid Logging in to Your Email on Public Networks

If you’re at an airport, park, cafe, or anywhere where there’s a publicly available WiFi network, don’t expect it to be secure.

Often, these networks require no password to join, and someone could monitor the network for your actions and gain access to your email account and personal information.

If you absolutely must use public WiFi, use a VPN, finish what you want and log out.

15. Be Careful Which Devices You Use

A lot of companies have a “Bring Your Own Device” (BYOD) policy. Basically, what this means is that you can bring your own computer and log in to your business email from it.

This creates at least two major potential security problems:

  • Your device might already be infected with malware, and logging into your business email might compromise it as well.
  • There is an increased risk of getting your device stolen.

If you’re going to bring your own device to work, don’t lose sight of it.

16. Log Out When Finished

Again, this applies more to using email at the office or on public computers (like in a library for instance).

Someone walking in to use that computer after you can simply continue where you left off if you leave your account open.

It’s not enough to just close the window by clicking on the “X” in the corner. Make sure to log out of your email as well as clear your browsing history before you leave.

17. Install an Antivirus Program

Despite all the precautions, you might still get malware or a virus from an email.

Don’t worry, it’s not the end of the world if you have a good antivirus or antimalware program installed on your device, like Norton or Kaspersky for instance.

18. Don’t Give Away Your Personal Information via Email

If you get asked for your social security number, credit card information, password (see email security best practice #4), or even a seemingly innocent piece of information like “when is your birthday?”, don’t give this information away via email.

They absolutely don’t need to know that and no reputable business will ask you for this.

19. Review Your Email Security and Privacy Settings From Time to Time

Always remember that email attacks evolve and the defenses and security measures that you put up two or three years ago may no longer be enough today.

This is why you should periodically go through your email security & privacy settings and update them to better handle new threats.

20. Educate Your Employees (and Yourself) on Email Security Best Practices

Finally, keep in mind that your employees, or you yourself, are not email security experts, and a lot of what we just covered in the previous 19 email security best practices can go over their (or your) heads.

This is why you need to educate and train your employees and yourself on these.

And there you have it. We know there’s a lot to take in, but email security is not a simple topic so, hopefully, these 20 email security best practices will help you keep your email more secure.