Today, email addresses are as important as our mobile telephone numbers (maybe even more important in some situations). As one of our main forms of digital identity, they are integral to digital communication and connect us to people all around the world. In fact, they are so necessary to our modern lives that most of us have two or more (for example, one for work and one for personal use). Of course, most work emails change now and then, but a personal email may only change two or three times in a lifetime. Much like your own name, an email address has an enormous amount of information attached to it.
With the advent of homeworking and the effects of the pandemic pushing more and more people to be active online, both our professional and personal email addresses are major assets to a growing community of cybercriminals worldwide. That’s why we’ve created this guide about the risks email addresses can present to your personal data and how to keep your email address safe.
Email addresses are the starting point for most online login forms and portals, whether you’re purchasing groceries with a mobile application or signing up to a website for the first time (an email address is sometimes even used instead of a username). Because an email address is an entry point to someone’s personal account, hackers and other malicious actors can implement different fraud scenarios with a personal or professional email address. Given the opportunity, hackers can:
Target you with “Phishing Emails”: Phishing emails contain malware attachments or malicious links to fraudulent websites. Once you’ve clicked the link or downloaded the attachment, malware can penetrate the system and be used to steal your personal data. Often posing as a reputable company or trusted website (sometimes even as a government official), hackers will employ sophisticated social engineering techniques to gain personal details like your bank account number, social security number, address, phone number, passwords and others.
“Spoof” your email address: Spoofing an email address involves creating a fake email address that looks like yours, but has minor and tough-to-spot changes (like swapping a number with a letter or adding a dash). They can then extort information from your friends and family whilst pretending to be you. This approach is often missed by spam filters on email clients.
Hack your other online accounts: Even though hackers need your passwords (to both your email and online accounts) to do this effectively, it is a notable starting point. Using sophisticated phishing techniques mentioned above, cybercriminals could quickly find out more information about you through different online accounts, most likely beginning with access to the email account itself.
Impersonate you online: If a hacker gains full access to your email account, they can usually find most of your sensitive information, or a way to access it. Today, email accounts are filled with all manner of correspondence, from friends and family to work, home and even your financial providers. All of this information can be used to impersonate you in an attempt to further extort you or those closest to you.
Steal your identity or commit financial fraud: This topic will be covered in more detail later, but as you can see from the above, your email address is a digital doorway to your physical identity. Many of the techniques employed by cybercriminals are intended to extort and steal money from their victims. This could be in the form of making illegal purchases, money transfers or holding your data hostage with ransomware. However, this is not just a problem for individual people, but for businesses as well. The prevalence of cyberattacks has been increasing steadily over the last decade, with data breaches costing businesses thousands of dollars each year. As a result, it’s important for you, as an employee, to be prudent with your professional contact information.
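The lookalike addresses described under “Spoof” your email address above can be caught by comparing each sender against the contacts you already know. The following is an added example, not part of the original guide; the contact list, the sample addresses and the character-swap table are constructed assumptions, and the one-character-edit check goes slightly beyond the two tricks the guide names.

```python
# Digit-for-letter swaps and separator characters used to build lookalike
# addresses. Illustrative table (an assumption), not an exhaustive list.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
SEPARATORS = "-._"

def skeleton(address):
    """Reduce an address to a form that ignores swaps and added separators."""
    local, _, domain = address.strip().lower().rpartition("@")
    def squash(part):
        return "".join(c for c in part.translate(CONFUSABLES) if c not in SEPARATORS)
    return squash(local) + "@" + squash(domain)

def within_one_edit(a, b):
    """True if a and b differ by at most one added, dropped or changed character."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]   # one character replaced (or none)
    return a[i:] == b[i + 1:]           # one character inserted in b

def classify(sender, contacts):
    """Return ('known' | 'lookalike' | 'unknown', matched contact or None)."""
    sender = sender.strip().lower()
    known = {c.strip().lower() for c in contacts}
    if sender in known:
        return ("known", sender)
    for contact in sorted(known):
        # Heuristic: a hit means "review before trusting", not proof of fraud.
        if skeleton(sender) == skeleton(contact) or within_one_edit(sender, contact):
            return ("lookalike", contact)
    return ("unknown", None)

# Constructed sample data.
CONTACTS = ["maria.lopez@example.com", "it-helpdesk@example.org"]
SAMPLES = ["maria.lopez@example.com", "maria.l0pez@example.com",
           "maria-lopez@example.com", "it-helpdesk@examp1e.org",
           "maria.lopezz@example.com", "newsletter@example.net"]

if __name__ == "__main__":
    for addr in SAMPLES:
        print(addr, "->", classify(addr, CONTACTS))
```

A “lookalike” result is a prompt to verify the sender through another channel before replying; two genuinely different people with near-identical addresses will also trigger it.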
A tried and tested way of gathering information about someone with their email address is to use a reverse email search tool. These tools allow you to enter an email address and discover who owns it. They often provide additional data such as location, job or social media accounts. In fact, the same information can be found just as easily by using your average search engine. As search engines and their website crawlers form the backbone of many users’ online journeys, they gather an enormous amount of personal data that can be used as a jumping off point for many hackers.
Apart from what has been previously mentioned about personal data theft through impersonation and phishing scams, your email address may also contain some important identity data that hackers can use to target you and your loved ones. Many people’s emails often contain their name (or at least part of it) and a memorable number, usually a date of birth. These two identifying factors are enough for many cybercriminals to begin gathering more lucrative personal data online.
In short, yes. It is possible to find enough information to steal someone’s identity completely, starting from their email address. However, it’s not easy or quick with only an email address. For a cybercriminal to pull off identity theft completely, they would need to begin by gathering your personal data (for example, credentials from data leakages), using the various hacking techniques discussed in the above sections, such as fraud in the form of impersonating your friends and colleagues online, and maybe the physical theft of some personal documents from your property (although this is rare). They could then use this personal data to commit an array of different fraud crimes.
With everything hackers can do with just an email address, it’s important to know how hackers get hold of your address in the first place.
Phishing scam pages: In much the same way as a hacker might use phishing emails to gather personal data from you, they might also create fraudulent website subscription, checkout or login pages that ask for your email address. These pages will record your email login details (and other personal information if you input it) with special logging software.
Larger data breaches: In some cases, cybercriminals can steal your email address by targeting a larger enterprise or institutional body (like a hospital or school) and attacking their databases directly in order to extract personal information. If you think you could’ve been a victim of data theft via a third party, you should follow the steps in our Personal Privacy Breach Guide. Apart from that, modern security solutions can monitor the internet and the dark web and check whether your personal data has been leaked.
Social media: As social media accounts of all kinds are often linked directly to your email address, different social media sites can be easily mined for many kinds of personal data (including your name, phone number and email address). In fact, some of this data can even be used to try and guess your passwords in order to access these accounts.
With the risks that exposure of your email address (or addresses) can pose to your personal and professional privacy, it’s important to know how to protect your email address from unauthorized access:
Strong passwords: As we mentioned previously, it’s very hard to steal your personal information with just an email address and no password. That’s why making your password “strong” (around 10-12 characters long, containing a mix of special characters, numbers, uppercase and lowercase letters) is one of the best ways to keep your email address safe from hackers. We recommend using a Password Manager and Generator to get the most secure results.
Spam filters and blocking: Make sure that your email provider’s spam filter is always active, so that there is less chance of you clicking on a nefarious email or link. Equally, if one of these dangerous emails does make it through the spam filter (usually because of spoofing), it’s important to stay vigilant and block and report these domains to your provider or relevant IT department member.
Sign up for two-factor authentication (where possible): Signing up for two-factor authentication (if the option is available) doubles up on your online security. Referred to sometimes as “two-step verification” (or “2FA” for short), this service is offered as standard by most trusted email clients. Two-factor authentication is a security measure that requires you to enter an additional piece of identifying information. This identifying information can range from an additional secret answer to a question, a secure link sent to your email or an authentication code sent directly to your phone.
Use a “Burner” email account: When you’re signing up to a website or an application that looks suspicious (or isn’t from a highly verified provider), you should use a burner email. This is an email account with false or very little identifying information that can be scammed and hacked without fear of negative consequences. Modern email accounts are simple and quick to shut down, so you can keep this account active on a long- or short-term basis. However, be aware that burner accounts are not immune to downloadable malware from fraudulent email messages. If you’re accessing your burner account, be very careful when clicking external links or downloading attachments.
Stay educated in best practice: In this modern digital world, data protection is not just your IT department’s responsibility, it’s also yours. That’s why it’s important to stay up to date with your enterprise’s cyber security training and read the right resources in case of a breach. Even at home, your personal computer should always be used with best practices in mind. Research online or ask your IT department or manager for the appropriate steps and documentation, and be sure to report/block any suspicious emails immediately.
Don’t leave yourself vulnerable to email hijacking and loss of data.