
Online Security 101: Emails


Introduction

Our Online Security article series delves into the important topics of cyber security which are seldom talked about but are increasingly important as we lead more and more digital lives. Part 1 will focus on the most basic component of our digital life: emails.

While everyone has at least one email address, few have put much thought into how to organize and manage emails to reduce cyber security risks. We hope that after reading this post, you’ll find ways to change how your emails are organized so that you can:

  • Reduce spam,
  • Lower the likelihood of fraud,
  • Strengthen account recovery measures, and
  • Keep emails simple and straightforward to use.

How many email accounts should I have?

While nearly everyone has an email for home and a different one for work, there might be situations where having a few different accounts can dramatically help you reduce the amount of spam you get. 

Before we get into how many to set up, it’s important to know the most useful email hack there is: you may not need to create separate email accounts to get different email addresses. A little-known feature of Gmail (often called plus addressing) is that any address of the form username+somethingelse@gmail.com is automatically delivered to username@gmail.com.

Armed with this, there are a couple methods you can use:

One public email for each service

Some go to the extreme of generating a new email address for every service or website they sign up for, so that they can keep track of which companies have been leaking their personal information to third-party vendors. This is easy with the hack above, but it is still likely necessary to have at least two accounts, e.g. public_username@gmail.com and private_username_dont_share@gmail.com.

That way you can sign up for any service with public_username+service_name@gmail.com, and if you use multiple email providers, some of which may not be Gmail, you can forward all traffic to a Sink account that aggregates all your emails in a single place.

One public email for each category

This is a simpler scheme: you use public_username+category@gmail.com, which helps with filtering if you only want to see emails of a certain category, such as:

  • Financial: Have an address linked to important financial accounts such as banks or brokerages that is not used for anything else. Most financial firms are heavily regulated and better keepers of your private information than your parking or fast-food delivery app.
  • Health: Similar to finance, use an address that is dedicated to health establishments, doctors, and health-related communication.
  • E-commerce: This is for signing up for generic services that are not financial in nature but would have a stored credit card or other payment information on file. Ideally, if a service supports PayPal, using it removes some security concerns in case that service's servers are compromised.
  • Personal: This is the address you give out to friends or acquaintances.
  • Social Media: A compromise of these accounts can cause non-financial damage that is hard to repair, as well as financial damage, since social media is increasingly used as an e-commerce marketplace.
  • Throwaway: Any other non-essential sign-ups, newsletters, or coupons that do not fit the categories above.

Private accounts

With the public emails created, you’ll need at least two private email accounts:

  • Sink Account: Do not share this email. It will be used to aggregate all the traffic from the above emails together so that you aren’t logging in to multiple accounts on a regular basis. If you are already using the email hack above, it can just be your public_username account.
  • Recovery Account: Do not share this email with any services. This email is used solely for the purpose of recovering lost credentials from other emails. More details on this later.

Managing emails

Now that you have these accounts set up, how are we not violating our goal of keeping it simple? Easy: if you have multiple email providers, set up forwarding of all traffic to the Sink account. An example of how to do this on Google can be found here.

Now that you can view all emails from the Sink account, the last thing to configure is replying to emails using the original address instead of the Sink address. This works for the “+ hack” addresses as well as any address from a third-party provider. You can also set that as the default behaviour, so that you never have to toggle between addresses.

Recovery emails

The only email that you would not automatically forward is the recovery email. This should be set up with a completely different email provider if possible; protonmail.com is a good privacy-focused choice. Do not use it to communicate; it should be used solely for receiving password recovery links from the other email accounts.

Benefits

With this setup, you get the following benefits:

  • You have 2 emails (Sink and Recovery) that are essentially not known to any third-party service and thus much less likely to be compromised in a third-party breach.
  • Because activities are segregated, a third-party breach in a throwaway or social networking site does not compromise more sensitive accounts.
  • It will be difficult for attackers to bootstrap (leverage personal information gained from one breached site to verify your identity) and gain access to other sites since they do not know what your email is on that other service.
  • If an email account is compromised, the attacker will try to reset its credentials so that they can lock you out of recovery, which is why the recovery email must be kept secret.
  • Day-to-day use is as straightforward as having a single email: log into the Sink email to check messages. On signing up for a new service, pick an appropriate email address from your list.

While a future post will go into more detail on how to keep credentials safe, the general guideline is to make sure to use a password manager to generate long random strings as passwords and use 2-Factor (2FA) or Multi-Factor Authentication (MFA) for all accounts where available.

Conclusion

Recent security breaches from established firms have shown that companies are honeypots of personally identifiable information. There is a market for this information and bad actors exploit it in a variety of ways that span from benign annoyance (spam campaigns) to serious identity/financial fraud. With the precautions and setup above, we can dramatically reduce the consequences when a third-party service is breached, thereby reducing our risk of being a victim of fraud as we conduct more and more of our daily activities online. In the next part of the series, we will go through password management best practices.
