Day 22

Email Privacy and Security


DAY 22: Email Privacy and Security

Welcome to Day 22 of my 30 day security challenge, the month long challenge I created to help you gain control of your privacy and security online. You can follow along with the security challenge via my blog at, where you can skip ahead or download a checklist of the challenge. Each video will also be curated into a playlist so it'll be easy to follow along from Day 1 all the way through 30 here on Youtube.

Today we'll chat about email privacy and security. Email privacy and security relates to everything encompassing the conversations that go on through your email account. For decades, email has been used and originally formed as a simple means of communication in the digital age, but overtime email became your proof of ownership and a part of your digital being. Now, email is used to verify your identity on websites, it's used to change passwords, and many people use it as a private form of communication.

You may think that since you've already turned on two factor authentication and gone with a much stronger password - that your account is safe and your emails are secure. But that may not be the case. Email can be intercepted either right on your computer, in your own account, on the email companies server, during transmission, or on the receivers computer. I won't bore you with the nitty gritty details about protocols that email providers use or the different encryption techniques today (though I will talk all about PGP very soon!). Today I'd like to focus on some very easy to implement security and privacy features that you can turn on right now to make your email a bit harder for a third party to read.

Running some antivirus talked about previously will definitely help with alerting you of any known malware that might be running on your machine. This could affect your email security if, for example, a keylogger was installed on the computer, and it was copying all of your computer keystrokes over to an attacker. Antivirus or malware scanners will only catch known problems, not necessarily brand new attacks, and sometimes can flag completely legit software as being malicious, so keep that in mind with your A/V choice.

To safeguard your email, hopefully by now you've also turned on 2 factor authentication and created a tough password, potentially saving it in your password manager. As I mentioned previously, I don't save my email password in Lastpass because it's such a huge target for an attacker - so the only person that knows that password is me, AND I turned on two factor authentication. Oh, and, this goes without saying, but never write down those passwords anywhere. Like I said I'm even wary of putting my email password in my password manager, but that's because I'm probably a larger target than my parents for example.

Never ever ever leave your phone or laptop unguarded. Never leave them unlocked because that's a surefire way for someone to come up and just snoop through your data, but never even leaving it unguarded is important as well. While locking your computer and walking away from it will keep the normal thief from breaking in, it won't stop a serious cyber criminal from getting into your data. Keep your devices locked up.

Watch out for social engineering or phishing attacks. These are clever little messages or emails that are designed to look legit to the unsuspecting victim. They're made to get you to hand out personal data about yourself - be it your email address and password, credit card numbers, address, and more. Ever had a friend randomly send you a link to download an app? Could be a phishing scam. Gotten an email from a company asking you to verify your credit card number for a purchase? Sounds fishy, could be phishing.

Delete old contacts and old emails or email addresses that you no longer need. Storing or archiving emails from years and years ago could be a potential threat vector. Think about it - do you have old emails from purchases made years ago that have your old address on them? That's usually a security question for government agencies like the IRS - "Please choose your previous address from the list below" etc. Old emails could store plain text passwords from websites you use, or phishing data about your pets name, etc etc. An email address is a treasure chest of information for a criminal so deleted unnecessary emails is a great way to lessen the blow if someone DID get into your email.

If you have several email address, especially old ones, it might be time to delete your old accounts and update any website profiles that were using the old accounts to sign in. Pro Tip: Change the online profiles first, then delete the email account just in case they send you a verification email.

Lastly, you may want to consider choosing a better email provider. I tend to use Gmail and Protonmail so I'll focus on those, but there are many others to choose from.

Google's Gmail is cool because they now offer Advanced Protection which is great for folks that are commonly targets, like celebrities and journalists. It creates an additional step to log in (by using a physical 2 factor key instead of a code on your phone), and it also makes it harder to get back in if for some reason you get locked out. The negative though is that Gmail can be read by Google, and you know that's the case because they filter specific advertisements to you alongside your email that just so happens to be about a similar topic.

Protonmail on the other end can only be read by you. If you lose your password, Protonmail can't help, because their policy is zero knowledge. They also offer 2 factor authentication and encryption end to end AS LONG as your recipient also has Protonmail. If your recipient doesn't use Protonmail, you can still send them an encrypted message but they'll have to click a link and put in a secret password you've given them. This doesn't work so well if you don't have another way to communicate with the person you're sending mail to because if you just put the password in the email, then anyone could read it. This client also doesn't work with downloadable email software. They also don't track or log your emails.

Each of these offers free plans up to a certain storage amount. There are some other privacy conscious email providers out there and it's pretty easy to import and export emails from one provider to another. Always consider how likely you are to be targeted and if you need the best of the best for your email. Since I do videos about security, I'm obviously a target. If you don't do security videos, you may be well off with just 2fa and a strong password. BUT I highly suggest due diligence before an attack happens, so you don't stress after the fact.

Day 22 is now complete! Tomorrow is all about PGP. But first, make sure to subscribe on youtube and hit up for the downloadable checklist and to skip ahead on the 30 day security challenge. Again, I'm Shannon Morse and I'll see you tomorrow for day 23!