Are you alone? 5 easy ways you can secure your own email.

By: Kirby Mack - Vice President of Digital Media

Picture this: It’s late at night, you’re binge-watching Ozark on Netflix, but thanks to that whole pizza you just finished off, you’re in a food coma. You start to doze. But suddenly, you get an email. You unlock your phone and scroll to your inbox…only…to…discover…the email came from inside the house!

We’ve covered websites and why maintenance and security are crucial, but what about your email? Have you been phished? Have you been hacked? Or more importantly, “Have you been pwned!” We’ll get back to that in a minute, but seriously, are you sure you are the only one with access to your company email account? Well, here are 5 easy things you can do to secure your own email, plus how to check to make sure you are alone.

1. Create a strong password and don’t share it.

We all hate it: creating a new password. But like taxes, it’s a must in life. And it’s very important that a password to something like your email or bank account be not only unique but strong. One of the ways I like to ensure I am using a strong password is by utilizing the LastPass Password Generator. More often than not, people like to create a password with a personal connection so they can easily remember it. But that leaves you at a huge disadvantage when it comes to security. Not only are you putting yourself at risk, but you are also putting your entire address book at risk. Everyone you have ever sent an email to then becomes a target. Using something like a password generator doesn’t just ensure you have a secure, randomized password, it also takes the stress off of your shoulders! No more racking your brain to figure out how else you can write your child’s name and birthday in a new format, including special characters, numbers, and uppercase letters.

The top five most common email passwords in 2023 are:

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 12345

Imagine your password being on that list. Embarrassing, right?

2. Never reply to an email asking for your password.

I feel like this is a given, but I know it’s not. We are trusting. But when it comes to sharing passwords, we never should, except for maybe with your wife. A reputable company will never ask you for your password. As a matter of fact, it’s all but protocol to never ask a customer for their personal information via email. Your bank, your email provider, even your utility company. They won’t ask because they don’t need it. Your password is to grant you and you alone access. So if anyone is asking for your password, it’s likely either your significant other or spam.

A good rule of thumb: if it’s your password they wish, they are just trying to phish.

3. Check the address bar before you go to sign in!

I have used that word twice: phishing. So what does it mean? Phishing is the fraudulent practice of sending emails or other messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and bank account numbers. In other words, you are the fish, and they send you bait. Most of the time, this happens when you receive an email that appears to be from Microsoft or any other company. In that email, there is a prompt for you to click to reset your password or provide other personal information. The problem is that the link is masked, and once you click on it, it redirects you to a site owned and operated by a cybercriminal. This site may look exactly like your bank’s website or your credit card account. But it’s just a spoof with a dead form. And when you enter the requested information into that form, it records your every keystroke. And, GULP, they set the hook!

Quick tips on how to see if it’s a phishing link:

  1. Use a popular website like https://checkphish.ai/
  2. Access the link organically vs. through the email link.
     Instead of clicking on the link provided in the suspicious email, go to your bank’s website directly or Google their login page. Once you land on the login page organically, cross-reference it with the email. Is it a match? If it’s not, trash and report that email.
  3. Inspect the link.
     Criminals also like to use script spoofing to not only match the look of the site but the URL itself. They use letter combinations, foreign letters, and numbers to visually resemble a letter (or letter combination):

     • “rn” looks like “m” at first glance
     • Cyrillic “а” looks like Latin “a”
     • “í” looks like “i”
     • “0” looks like “O”
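As an added example (not part of the original article), here is a small Python checker that applies the inspection tips above to a URL’s hostname: it flags mixed writing scripts, lists any non-ASCII characters, shows the punycode form your browser would actually resolve, and warns about ASCII lookalike pairs. The sample URLs and the lookalike table are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed table of ASCII sequences that read like another letter.
# Heuristic only: "modern.com" also contains "rn", so treat hits as a prompt
# to look closer, not as proof of spoofing.
ASCII_LOOKALIKES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def script_of(ch: str) -> str:
    """Return the writing script from the Unicode name, e.g. LATIN or CYRILLIC."""
    name = unicodedata.name(ch, "")
    return name.split()[0] if name else "UNKNOWN"


def inspect_host(url: str):
    """Return (hostname, punycode form, list of findings) for a URL."""
    host = urlsplit(url).hostname or ""
    findings = []

    # A legitimate hostname rarely mixes alphabets inside one name.
    scripts = {script_of(c) for c in host if c.isalpha()}
    if len(scripts) > 1:
        findings.append(f"mixed scripts {sorted(scripts)}")

    # Spell out every non-ASCII character so the eye cannot be fooled.
    for c in host:
        if ord(c) > 127:
            findings.append(f"non-ASCII {c!r} ({unicodedata.name(c, '?')})")

    # The punycode (xn--) form is what DNS sees; show it when it differs.
    try:
        puny = host.encode("idna").decode("ascii")
    except UnicodeError:
        puny = host
    if puny != host:
        findings.append(f"punycode form {puny}")

    # Plain-ASCII tricks such as "rn" for "m".
    for seq, looks_like in ASCII_LOOKALIKES.items():
        if seq in host:
            findings.append(f"{seq!r} may read as {looks_like!r}")

    return host, puny, findings


if __name__ == "__main__":
    for sample in ("https://www.paypal.com/login",
                   "https://payp\u0430l.com/login",   # Cyrillic а
                   "https://rnicrosoft.com/reset"):
        host, puny, findings = inspect_host(sample)
        print(host, "->", puny, findings or "no findings")
```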

4. Enable two-step verification (2FA).

Two-factor authentication (2FA) sucks. But it works. 2FA requires two forms of identification to access resources and data. The most popular forms of 2FA use your password coupled with a 6-digit verification code sent to your phone, or your password plus a verification link emailed to you. The simple thought behind this: it’s not likely that someone hacking into your account has access to both your password and your cellphone and/or email account. So by having you verify from two separate mediums, it helps weed out actual hacking attempts. I wouldn’t advise you to do something I don’t do, no matter how reluctant I am to do it. In today’s digital world, strong passwords are just not enough, especially when it comes to private information, and that’s where 2FA comes to the rescue. My advice: when it’s an option, opt in.

5. Don’t get attached…ments.

I like to tell my family and friends: if you have never gotten an email before from this particular sender, then it’s likely suspicious. For example: if I am a lower-level mailroom clerk and I receive an email from the boss with an attachment that reads “invoice” or “payroll,” and I know that I have never gotten one of these before, nor should I, then we can safely say trash it. We need to take common occurrences into account. If your best friend from high school suddenly sends you a zip file named familyvacation.zip, you should be suspicious. Attachments are the number one way malicious files spread. Remember the ILOVEYOU bug? On May 5th, 2000, and shortly after, ILOVEYOU, sometimes called the Love Bug or Love Letter for You, infected over TEN MILLION personal computers. Read it again. Over ten million computers worldwide became a security risk, all because one person opened an attachment.

Some file types to avoid opening are .htm, .html, .zip, .exe, .scr, and .vbs. Other file types that have been used to send malicious scripts: PDF, DOC, XLS, RTF, JPEG. So with attachments, it’s best to err on the side of caution. Take the extra minute to reach out and ask the sender if they meant to send it.

BONUS: Audit yourself.

Every popular email provider has a way for you to see who and what devices are logged into your account at any given time, as well as all login attempts on your account, successful or not. It’s a great best practice to get into the habit of checking these monthly. If you do not recognize a device that is currently logged in, select the option to log that device out. After that, you should change your password immediately. If you do not recognize a sign-in or sign-in attempt location (geographically), block that IP address and change your password immediately.

Here are some quick references on how to do that for a few popular email providers:

Gmail: https://support.google.com/mail/answer/45938?hl=en

Outlook: Download PDF

Apple/iCloud: https://support.apple.com/en-us/HT205064

Let’s circle back to the beginning. I asked you a few questions, one of them being, “Have I been pwned?” Well, if you want to really scare yourself, do a deep audit. Have I Been Pwned is a free and very popular resource that lists and scans ALL data breaches that have been reported. From MySpace, Facebook, Adobe, and Avast, Have I Been Pwned has them all. And all you need to do to see if your accounts have been compromised is simply visit https://haveibeenpwned.com/ and enter your email address or telephone number. You will then get one of the following messages:

GOOD :)

BAD :(

If it is shown you have been pwned, I would scroll down, take note of what data breaches your information has been found in, and change or close those accounts immediately. I myself have been pwned. My old personal email address used to sign up for things like MySpace and Adobe was found in 12 recent data breaches. Scary, ain’t it?
