It’s hard to believe that email was invented almost 50 years ago. Of course, it took a while to trickle down so that people like you and me could use it. But fast-forward to today, and more than half of the world uses email.
Last year, over 360 billion emails were sent every day, clearly demonstrating that even though there are more conversational ways to ping messages back and forth, email remains a steadfast pillar of communication. It carries everything from formal correspondence and larger attachments to the receipts that record our purchases, all of it important.
But like the best innovations, its creation came with a few caveats — and a growing list of security issues.
Nobody is immune
When we think of email security, we naturally think of our individual experiences. That time we almost fell for a scam email, or when a friend’s mailbox was hacked, and we had to alert them. But arguably, the biggest threat email poses is to businesses. A whopping 94% of organizations reportedly fell victim to scams in 2024 alone.
Why are businesses such a juicy target? Firstly, every human is a potential point of weakness. Whether it's weak or reused passwords, or the human tendency to trust others, there are numerous ways colleagues can fall victim to an attack, and they aren't all obvious.
Small businesses can be particularly vulnerable to scam emails claiming to be from customers, service providers, and suppliers — especially if you’re juggling the many responsibilities of a small business owner single-handedly. But larger businesses, with specialist security teams, are not immune.
We only have to look at recent news to see examples of email going wrong for big business. A Singapore company was tricked into transferring $42.3 million to a fraudulent account via a spoofed supplier email. INTERPOL helped it recover around $41 million, but it was still an incredibly costly error.
The most common email threats
There are many types of email threat. The most common forms of email attack against businesses include:
- Phishing
- Malware
- Business email compromise (BEC), where an attacker poses as a colleague or supplier to redirect payments
- Fake invoices
Top of the danger list is phishing, with 91% of cases reportedly involving data loss: an absolute nightmare in a world of tightening data protection laws such as GDPR and CCPA. But mitigating the risk is less difficult than you might think.
Security begins at home
Securing email needn’t be tricky. There are many things you can do to create an effective first line of defense — without costing you a thing except a small investment of time.
Phishing awareness
Here, a little training could save you a lot in terms of email safety. If you're a solopreneur or small business, you're already doing the right thing by reading this article. If you have a bigger team, consider sitting everyone down and going over exactly what phishing is and the many forms it can take: generic bulk mail, spear phishing aimed at a named individual, and 'whaling', which targets the executives who can authorise payments. While some may roll their eyes at the basics, as you drill into the many ways phishing can manifest, even those well-versed in cyber threats will get a refresher.
Humans, sadly, are the weak point when it comes to phishing. It relies on our psychology and the inherent trust we have in others. For this reason, never seeing the phishing message in the first place is a huge advantage — which is why you should look for an email provider that prioritizes a strong anti-spam filter among its features. More on that coming up.
Strong passwords
Training aside, the first line of defense is also the simplest to implement: a password. Being aware of how psychology works against us matters here too. For convenience, we all want something memorable, but memorable is often the opposite of secure. Birthdays, email addresses, relatives' names and other details of our lives are exactly what a human attacker tries first, and much of it can be read straight off social media. But there is more to it than that.
When an attacker uses software to guess passwords, ordinary words let us down: there are only so many of them, and we choose some far more often than others, so dictionary and wordlist attacks get through quickly. Random combinations of numbers, symbols, and upper- and lower-case letters are far harder to guess, and a password manager will generate (and remember) a unique one for every account, which also stops a breach at one website from unlocking your mailbox.
For those who prefer something they can remember, a good alternative is a passphrase of several unrelated words. Length is what makes it secure: each extra lowercase letter multiplies the number of possibilities by 26, so three extra letters multiply it by 26^3 = 17,576. The benefit of a longer password is therefore exponential, not linear. The caveat is that the words must be chosen at random; a famous quotation or song lyric is already in every attacker's wordlist.
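As an added illustration (not code from the original article), the Python below turns the advice above into a password check: it estimates the search space from length and the character classes used, and rejects passwords built from personal details, from dictionary words with the usual substitutions, or from dates. The personal terms, the common-word list, the 12-character minimum and the guess rate are assumed sample values, not real data.

```python
import math
import re

# Constructed sample data for the example. A real checker would load the
# user's own profile details and a list of hundreds of millions of leaked
# passwords instead.
PERSONAL_TERMS = ["alice", "acme", "fluffy", "1987", "london"]
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "dragon"}
MIN_LENGTH = 12  # assumed policy

# Substitutions like "P@ssw0rd" add nothing: cracking tools try them by default.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})
YEAR = re.compile(r"(19|20)\d{2}")


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must search, from the classes used."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation plus space
    return size


def random_equivalent_bits(pw: str) -> float:
    """Search space in bits if every character had been chosen at random.

    Each extra character multiplies the space by charset_size(), which is the
    exponential effect described in the text. It is only an upper bound: a
    password built from words or dates has far fewer effective bits.
    """
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def passphrase_bits(words: int, wordlist_size: int = 7776) -> float:
    """Entropy of a passphrase of `words` words picked at random from a list
    (7776 is the size of the standard Diceware list)."""
    return words * math.log2(wordlist_size)


def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years to search half the space at an assumed guess rate."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


def check_password(pw: str, personal_terms=PERSONAL_TERMS) -> dict:
    """Apply the policy: return the issues found plus the bit estimate."""
    issues = []
    lowered = pw.lower()
    normalised = lowered.translate(LEET)  # undo leet-speak before word checks
    if len(pw) < MIN_LENGTH:
        issues.append("too_short")
    if charset_size(pw) <= 26:
        issues.append("single_class")
    if any(word in normalised for word in COMMON_WORDS):
        issues.append("common_word")
    if any(t.lower() in lowered or t.lower() in normalised for t in personal_terms):
        issues.append("personal_term")
    if YEAR.search(pw):
        issues.append("date_like")
    return {"bits": round(random_equivalent_bits(pw), 1), "issues": issues}


if __name__ == "__main__":
    for candidate in ["Fluffy1987!", "P@ssw0rd2024", "xK9#vQ2$mL7&bN4@"]:
        print(candidate, check_password(candidate))
    print("5 random Diceware words:", round(passphrase_bits(5), 1), "bits")
```

The bit estimate is deliberately reported next to the issues rather than instead of them: "Fluffy1987!" scores over 70 bits on paper, yet a cracker that knows the owner's dog and birth year will find it in seconds, which is exactly why the page tells you to keep personal details out.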
Stay safe on public Wi-Fi with VPN
Like awareness of phishing scams, this one comes back to employee awareness and ensuring good business practices.
Unsecured Wi-Fi, the kind you get in cafes and other public places, is easy to eavesdrop on. On an open network the radio traffic is not encrypted at all, so anyone in range can capture what passes between your device and the router: any connection that isn't itself encrypted is fully exposed, and even for encrypted ones the eavesdropper sees which servers you talk to and when.
But let's clarify what we mean by unsecured Wi-Fi. It doesn't just mean Wi-Fi without a password. Public Wi-Fi protected by a shared password is generally no more secure than an open network, because with the common WPA2 setup anyone who knows the password and captures your connection's handshake can decrypt your traffic. It's about who else is on the network. The reason our home and office networks are safer is their limited access: nobody outside our family or organization has the password.
However, there is a way for you (or your employees) to be safe on any form of public Wi-Fi. A VPN encrypts all Internet traffic leaving the device, email included, regardless of the email service in use, so anyone on the local network sees only an encrypted tunnel to the VPN provider. Most mail clients already encrypt their connection to the mail server with TLS, so the VPN is an extra layer rather than the only one, but it also covers anything that isn't using TLS and hides from the cafe network which servers you are talking to.
Two-factor authentication
Two-factor authentication (2FA) is one of the best methods you can use to secure your account, and a must today. By requiring a second factor to log in, such as a code from a phone app or a hardware security key, anyone without that device will be unable to get in, even if they have the password. If the second factor is a live prompt on your phone, you are also alerted that someone is trying to access your account and can take preventive measures (a password change, or logging out every session) straight away. Not all second factors are equal: codes sent by SMS can be intercepted or phished, and push prompts can be approved by mistake, whereas a hardware key (FIDO2/WebAuthn) will not work on a fake login page. Where your provider offers it, prefer the key or an authenticator app.
But to make the most of 2FA, you need to address a critical weakness: the IMAP, SMTP, and POP3 protocols. Put simply, these protocols let other software connect to your mailbox, for example a desktop client like Outlook, a phone's mail app, or a script. The catch is that a client using 'basic' (legacy) authentication presents only a username and password, with no second factor. If your provider still allows that, an attacker with a leaked password can read the whole mailbox over IMAP even though 2FA protects the web login.
By allowing more devices to connect, you also create more points of weakness, whether that's unauthorized access or mail being downloaded onto insecure devices. None of the three protocols encrypts anything by itself: on the plaintext ports (110 for POP3, 143 for IMAP, 25 or 587 for SMTP) credentials and message content can be read in transit unless the session is upgraded with STARTTLS, and a server that accepts a login before the upgrade can be tricked into taking it in the clear. POP3 has the extra drawback that most clients, by default, delete messages from the server as they download them, so the only copy ends up on a laptop.
Turning these protocols off for the whole organization is a good way to secure company email accounts. If you do need one, use IMAP over TLS (IMAPS, port 993) or POP3 over TLS (POP3S, port 995), submit mail over SMTP on port 465 or 587 with TLS, and insist on clients that authenticate with OAuth (often called modern authentication) or, failing that, a per-device app password that you can revoke.
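As an added example (not code from the article or from any provider), here is a Python audit of what a server permits on its legacy IMAP and POP3 ports, worked from the capability lists the protocols advertise before login (RFC 3501 CAPABILITY, RFC 2449 CAPA, RFC 2595 STARTTLS/STLS and LOGINDISABLED). The capability strings are constructed to show four server configurations; the probe_imap function is an assumption about how you would gather them live with the standard library and is not run here.

```python
import imaplib
import ssl
from typing import Iterable

PASSWORD_MECHS = {"PLAIN", "LOGIN", "CRAM-MD5"}  # username + password only, no second factor
TOKEN_MECHS = {"XOAUTH2", "OAUTHBEARER"}         # OAuth token: 2FA is enforced when the token is issued


def _norm(caps: Iterable[str]) -> set:
    return {c.strip().upper() for c in caps if c.strip()}


def _sasl_mechs(caps: set) -> set:
    """SASL mechanisms from IMAP 'AUTH=X' items or a POP3 'SASL X Y' line."""
    mechs = set()
    for c in caps:
        if c.startswith("AUTH="):
            mechs.add(c.split("=", 1)[1])
        elif c.startswith("SASL "):
            mechs.update(c.split()[1:])
    return mechs


def _password_mechs(caps: set, protocol: str) -> set:
    """Ways a client could log in with nothing but a password, given these capabilities."""
    if not caps:
        return set()
    mechs = _sasl_mechs(caps) & PASSWORD_MECHS
    if protocol == "IMAP" and "LOGINDISABLED" not in caps:
        mechs.add("LOGIN")       # the plain LOGIN command is accepted (RFC 3501, RFC 2595)
    if protocol == "POP3" and "USER" in caps:
        mechs.add("USER/PASS")   # the USER/PASS commands are accepted (RFC 2449)
    return mechs


def assess(protocol: str, pre_tls: Iterable[str], post_tls: Iterable[str] = ()) -> dict:
    """Grade a server from the capabilities seen before (and optionally after) the TLS upgrade."""
    pre, post = _norm(pre_tls), _norm(post_tls)
    upgrade = "STARTTLS" if protocol == "IMAP" else "STLS"
    cleartext = _password_mechs(pre, protocol)    # password could be sent before any encryption
    after_tls = _password_mechs(post, protocol)   # password-only auth, but at least encrypted
    tokens = _sasl_mechs(pre | post) & TOKEN_MECHS
    findings = []
    if upgrade not in pre:
        level = "critical"
        findings.append(f"no {upgrade}: credentials and mail cross the network unencrypted")
    elif cleartext:
        level = "high"
        findings.append(f"password login accepted before {upgrade} ({', '.join(sorted(cleartext))}): "
                        "a client can be downgraded to cleartext, and a leaked password bypasses 2FA")
    elif after_tls:
        level = "medium"
        findings.append(f"password-only login after {upgrade} ({', '.join(sorted(after_tls))}): "
                        "transit is protected, but a leaked password still bypasses 2FA")
    else:
        level = "ok"
        if tokens:
            findings.append(f"token-based login only ({', '.join(sorted(tokens))})")
    return {"protocol": protocol, "level": level, "findings": findings,
            "cleartext_password_mechs": sorted(cleartext),
            "password_mechs_after_tls": sorted(after_tls),
            "token_mechs": sorted(tokens)}


def probe_imap(host: str, port: int = 143) -> dict:
    """Live version (assumed usage, not run here): connect in the clear, record the
    capabilities, upgrade with STARTTLS, record them again, and grade the result."""
    conn = imaplib.IMAP4(host, port)
    pre = conn.capabilities
    post = ()
    if "STARTTLS" in pre:
        conn.starttls(ssl.create_default_context())
        post = conn.capabilities
    conn.logout()
    return assess("IMAP", pre, post)


if __name__ == "__main__":
    # Constructed capability lists for four server configurations.
    print(assess("IMAP", ["IMAP4rev1", "STARTTLS", "AUTH=PLAIN", "AUTH=LOGIN"]))
    print(assess("IMAP", ["IMAP4rev1", "STARTTLS", "LOGINDISABLED"],
                 ["IMAP4rev1", "AUTH=PLAIN", "AUTH=LOGIN"]))
    print(assess("IMAP", ["IMAP4rev1", "STARTTLS", "LOGINDISABLED", "AUTH=XOAUTH2"],
                 ["IMAP4rev1", "LOGINDISABLED", "AUTH=XOAUTH2"]))
    print(assess("POP3", ["STLS", "USER", "SASL PLAIN LOGIN", "UIDL", "TOP"]))
```

The "medium" case is the one most providers are in by default: TLS is enforced, so nothing crosses the wire in the clear, yet a leaked password alone still opens the mailbox. Only the third configuration, where the server keeps LOGINDISABLED after the upgrade and offers just OAuth, actually makes 2FA apply to mail clients.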
By disallowing the insecure protocols, enabling 2FA, and choosing a secure password, you’re doing everything to keep your account secure at a basic level.
More advanced features
Of course, there are things that are slightly more technical. You may need to go for a premium business email provider to ensure you get all of these features.
Outsource the worry with strong anti-spam filtration
As we mentioned, we are our own worst enemies when it comes to spam, especially phishing. Without us, it's just another bogus email sent out into the ether. It takes the actions of a human for consequences to arise.
Seeking out a business email provider with a good anti-spam filter will really narrow that risk, and it is one of the most important factors for a small business to weigh when choosing a provider. A good filter identifies spam using many different signals, and learns from the kind of spam you receive. It compares display names against sending domains, checks the sender authentication results (SPF, DKIM and DMARC) that show whether a message really came from the domain it claims, and spots other irregularities we might not notice, such as a reply-to address that goes somewhere else or a domain that looks like a supplier's but differs by a character. These checks work on multiple levels to protect us.
The best spam filters also apply degrees of filtration depending on how confident they are, so the most certain threats are blocked outright while borderline messages are delivered with a warning. Equally, they let you release an incorrectly classified message back into your inbox and mark it as not spam, so that sender isn't flagged again.
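The checks just described, as an added example (not any provider's filter): a small Python classifier over constructed raw messages that compares display names with sending domains, detects lookalike domains, flags reply-to mismatches, and reads the SPF/DKIM/DMARC verdicts from an Authentication-Results header (RFC 8601). The executive directory, trusted supplier domains, weights and thresholds are assumed sample values, and the four messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory for the example organisation: display names an
# attacker would impersonate, and the domains mail legitimately comes from.
EXECUTIVES = {"jane doe": "jane.doe@example.com", "sam lee": "sam.lee@example.com"}
TRUSTED_DOMAINS = ["example.com", "acme-supplies.com", "paypal.com"]

# Assumed weights and thresholds for the "degrees of filtration".
WEIGHTS = {"display_name_impersonation": 3, "lookalike_domain": 3, "dmarc_fail": 3,
           "reply_to_mismatch": 1, "spf_fail": 1, "dkim_fail": 1}
QUARANTINE_AT, FLAG_AT = 4, 2

CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise_domain(domain: str) -> str:
    """Fold the substitutions a lookalike registration relies on."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, for one-character typosquats like acme-suplies.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None if genuine or unrelated."""
    domain = domain.lower()
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return None  # the real domain or one of its subdomains
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if (normalise_domain(domain) == trusted
                or edit_distance(domain, trusted) <= 1
                or brand in domain.split(".")[0]):  # e.g. paypal-billing.net
            return trusted
    return None


def auth_results(header: str) -> dict:
    """Pull the spf=/dkim=/dmarc= verdicts out of an Authentication-Results header."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header or ""))


def classify(raw: str) -> dict:
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display_name_impersonation")  # right name, wrong mailbox
    if lookalike_of(domain):
        findings.append("lookalike_domain")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        findings.append("reply_to_mismatch")  # replies are steered elsewhere
    for check, verdict in auth_results(msg.get("Authentication-Results", "")).items():
        if verdict.lower() == "fail":
            findings.append(f"{check}_fail")
    score = sum(WEIGHTS[f] for f in findings)
    verdict = "quarantine" if score >= QUARANTINE_AT else "flag" if score >= FLAG_AT else "deliver"
    return {"from": addr, "findings": findings, "score": score, "verdict": verdict}


# Constructed messages: a CEO-impersonation BEC, a typosquatted supplier,
# a direct spoof that fails authentication, and a genuine message.
BEC = """From: Jane Doe <jane.doe@example-payments.net>
Reply-To: ceo.janedoe@gmail.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-payments.net; dkim=pass header.d=example-payments.net; dmarc=none

Please pay the attached invoice before noon.
"""
TYPOSQUAT = """From: Accounts <billing@acme-supp1ies.com>
Subject: Updated bank details
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acme-supp1ies.com; dkim=none; dmarc=none

Our bank account has changed; see attached.
"""
SPOOF = """From: Sam Lee <sam.lee@example.com>
Subject: Quick favour
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

Can you buy some gift cards for a client?
"""
GENUINE = """From: Sam Lee <sam.lee@example.com>
Subject: Q2 figures
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass

Figures attached, thanks.
"""

if __name__ == "__main__":
    for raw in (BEC, TYPOSQUAT, SPOOF, GENUINE):
        print(classify(raw))
```

Note that the BEC message passes SPF and DKIM: the attacker controls example-payments.net, so authentication is genuine for that domain. That is why a filter cannot rely on authentication alone and also has to ask whether "Jane Doe" normally writes from that domain at all.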
Use password-protected emails
More advanced email providers actually offer encrypted emails that require the recipient to use a password to open them. This ensures that even if the email is intercepted or accessed by unauthorized parties, they cannot view the message without the correct password. It’s a great feature for sending content that is sensitive or confidential.
Usually, password-protected emails exist only on your mail server. Rather than sending the content to the recipient, a link is sent which takes them to where the message is stored on your server, where they enter the password to open it. Share that password over a different channel, such as a phone call or a text message, never in the same email or a follow-up one; otherwise anyone who intercepts the link has the password too.
Monitor your email account’s activity
Some features are aimed at larger businesses but are handy for solopreneurs too, particularly those who like to keep a close eye on their business. One such feature is being able to monitor your account's activity.
By tracking exactly where your email accounts are logged in, and when they were last accessed, you can get a clear sense of whether you’ve had a security breach in a couple of clicks.
Checking regularly for unfamiliar times, locations, or IP addresses is good practice, and allows you to keep track of any suspicious behavior in a routine and casual way. Not every email provider offers activity logs, so prioritize the ones that do — especially if they allow you to log out remotely for unidentified logins.
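As an added example (not part of the article or any provider's product), the Python below runs the same checks over a constructed account-activity export: it flags logins from an IP or country the user hasn't used before, logins outside assumed business hours, and "impossible travel", where two logins are further apart than anyone could fly in the time between them. The log lines, the per-user list of known IPs, the IP-to-location table and the 900 km/h threshold are all constructed for the example; a real deployment would take the IPs from the provider's activity log and look them up in a GeoIP database.

```python
import math
from datetime import datetime

# Constructed sample of an account-activity export: time, user, source IP, result.
SAMPLE_LOG = """\
2024-05-06T09:02:11Z,alice,198.51.100.23,success
2024-05-06T09:40:00Z,alice,203.0.113.9,success
2024-05-06T23:15:00Z,bob,192.0.2.77,success
2024-05-07T10:00:00Z,alice,198.51.100.23,success
"""

# Constructed baseline of each user's usual source addresses (office, home).
KNOWN_IPS = {"alice": {"198.51.100.23"}, "bob": {"192.0.2.77"}}

# Constructed IP-to-location table (country, latitude, longitude); a real
# deployment would query a GeoIP database instead.
GEO = {
    "198.51.100.23": ("GB", 51.5074, -0.1278),   # London
    "203.0.113.9": ("SG", 1.3521, 103.8198),     # Singapore
    "192.0.2.77": ("US", 40.7128, -74.0060),     # New York
}

BUSINESS_HOURS = range(7, 21)  # assumed policy: 07:00 to 20:59 UTC
MAX_SPEED_KMH = 900            # faster than this between two logins is "impossible travel"
MIN_TRAVEL_KM = 50             # ignore small distances (same city, mobile networks)


def parse_log(text: str) -> list:
    """Turn the CSV export into events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, status = line.split(",")
        events.append({"time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "user": user, "ip": ip, "status": status})
    return sorted(events, key=lambda e: e["time"])


def haversine_km(a, b) -> float:
    """Great-circle distance between two (lat, lon) pairs in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def detect(log_text: str, known_ips: dict) -> list:
    """Return the successful logins that deserve a second look, with the reasons."""
    known_countries = {u: {GEO[ip][0] for ip in ips if ip in GEO} for u, ips in known_ips.items()}
    last_login = {}
    alerts = []
    for ev in parse_log(log_text):
        if ev["status"] != "success":
            continue
        reasons = []
        loc = GEO.get(ev["ip"])
        if ev["ip"] not in known_ips.get(ev["user"], set()):
            reasons.append("new_ip")
        if loc and loc[0] not in known_countries.get(ev["user"], set()):
            reasons.append("new_country")
        if ev["time"].hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        prev = last_login.get(ev["user"])
        if prev and loc and prev["ip"] in GEO:
            km = haversine_km(GEO[prev["ip"]][1:], loc[1:])
            hours = (ev["time"] - prev["time"]).total_seconds() / 3600
            if km > MIN_TRAVEL_KM and (hours <= 0 or km / hours > MAX_SPEED_KMH):
                reasons.append("impossible_travel")  # London to Singapore in 38 minutes
        last_login[ev["user"]] = ev
        if reasons:
            alerts.append({"time": ev["time"].isoformat(), "user": ev["user"],
                           "ip": ev["ip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, KNOWN_IPS):
        print(alert)
```

Alice's second login trips three rules at once, which is the pattern to act on immediately with the remote log-out and password change the text describes. Bob's late-night login from his usual address is only worth a question, and Alice's return to London the next morning is within flying speed and raises nothing.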
You might argue this couldn’t happen if all of the previous advice is followed, but it’s great to know it’s there for any worst-case scenarios.
Rest easy knowing you’re protected
It’s worth considering all this not as a set of obstacles, but as a series of quick and easy steps to grant you peace of mind when it comes to securing your email. None of the steps above are difficult to achieve.
By adopting simple practices like phishing awareness, using strong passwords, enabling two-factor authentication, and leveraging advanced features (like encrypted emails and VPNs), you can safeguard your email and prevent costly security breaches.
Remember, securing your email isn’t just about protecting sensitive information — it’s about protecting your business, your reputation, and your peace of mind. Take action now to ensure your email remains a trusted and secure communication tool in this increasingly digital world.
Frequently asked questions
Why is email security important?
Email security is vital because email is a common entry point for cybercriminals. Phishing, malware, and data breaches are just a few of the risks that can occur if emails are not properly secured. Weak email security can lead to identity theft, financial loss, and exposure of sensitive information, putting both individuals and businesses at risk.
How can I protect my business from email threats?
Start by ensuring your workforce knows what email threats look like. You can also require strong passwords, implement two-factor authentication on all business accounts, disable legacy protocols such as POP3 and unencrypted IMAP, stop people from using unsecured Wi-Fi without a VPN, and more.
How does two-factor authentication improve email security?
Two-factor authentication (2FA) enhances email security by requiring a second factor, such as a phone app or hardware key, to validate a login. Even if someone manages to crack your password, they won't be able to access your account without that second factor.
How often should I change my email password?
The simple answer is: whenever there is a reason to. Change it immediately after any kind of security breach, if it turns up in a leaked-password check, or if it is weak or reused elsewhere. Current guidance (NIST SP 800-63B) no longer recommends forcing regular changes, because people respond by choosing predictable variations; a long, unique password plus 2FA matters more than a rotation schedule.
Why is encryption important for email security?
Encryption is essential for email security, protecting the content of emails from unauthorized access. It ensures confidentiality by keeping sensitive information secure in transit (TLS between mail servers and clients) or end to end (S/MIME or PGP). Paired with a digital signature it also maintains integrity by revealing tampering and authenticates the sender; encryption on its own does not prove who sent a message. For businesses, encryption also helps comply with privacy regulations like GDPR and CCPA.
Are anti-spam filters effective?
Yes. A good filter stops most spam before anyone sees it, which limits our exposure. The human factor, especially in phishing scams, is the most dangerous part, so when a message is clearly identified as spam we never engage with it. No filter catches everything, though, so it reduces the risk rather than removing it.