Email security isn’t something to be taken lightly.

For many organizations, email is the most important communication channel. And if someone gains access to your account, it could open the door to any number of data breaches—and they aren’t cheap these days.

In this article we’ll cover the most important email security best practices every organization should follow, or at least be aware of.

Email Security Best Practices

Most would-be hackers and nosy competitors are opportunists, looking for low-hanging fruit so they can expend as few resources as possible. Even routine, basic security practices will be enough to protect you from the vast majority of these types of threats.

If you can employ most or all 21 of these email security best practices, you’ll protect yourself from the vast majority of potential email security threats:

1. Visualize your team’s email activity.

It may seem simple, but start by visualizing your email activity. Email is so integrated into our professional lives that we can use it for hours a day and not even think about how it functions, from a technological perspective.

How many emails do you send and receive every day? To how many lists and email newsletters are you subscribed? How much time do you spend on email threads with people outside your organization?

Visualizing your email activity is the way to answer these questions—and discover what your biggest email security risks might be.

For example, who are your team members receiving emails from? Do those emails contain attachments or links that could be harmful if opened or clicked? Are your team members replying to those emails, which could indicate them falling victim to a phishing scam?

2. Don’t mix your email accounts.

If you’re like me, you have both a personal email account and a “work” or professional email account. You might even have multiple accounts in each category.

In any case, avoid using your personal account for professional emails or a professional account for personal emails. If you start using your work email address for personal communications or interests, it could open the door to more security risks.

If you exchange work-related information on a private email account, it could become vulnerable if that personal account is ever hacked. It’s best to keep your accounts as segmented as possible.

3. Use a strong email password.

This should be common sense, but with 2 million people using “123456” as a password for at least one account, it’s a topic worth exploring.

The majority of cybercriminals don’t brute-force their way into breached accounts; instead, they guess passwords, or use social engineering tactics to obtain them. The easier a password is to guess, the more vulnerable your email account is going to be. A “strong” password is a password that’s hard to guess, and there are several ways you can boost your password’s strength.

For example, you can use a mix of different characters; ideally, you’ll use a blend of lower-case letters, upper-case letters, numbers, and special symbols. This greatly multiplies the number of guesses a hacker would have to make for each character slot.

You can also make your password stronger by making it longer; each new character in the chain multiplies the number of possible alternative combinations by the number of characters you’re drawing on.

Finally, make sure you’re not using any combinations of letters or numbers that might be easy to guess, like integrating your company’s name, your name, your birthday, or simple combinations like “1234” or “abcd.”
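As an added illustration (not part of this article, and not EmailAnalytics code), here is a small Python script that puts the three points above into numbers: it works out the alphabet a password draws on, multiplies that alphabet size once per character to get the guessing space, and checks for the easy-to-guess fragments the last paragraph warns about. The fragment list, the hypothetical company name “acmecorp”, and the 60-bit “strong” threshold are assumptions chosen for the example.

```python
import math
import string

# Character classes used to estimate the alphabet a password draws on.
CHARSETS = {
    "lower": string.ascii_lowercase,   # 26 characters
    "upper": string.ascii_uppercase,   # 26 characters
    "digit": string.digits,            # 10 characters
    "symbol": string.punctuation,      # 32 characters
}

# Constructed list of easily guessed fragments: a hypothetical company name
# ("acmecorp"), a user's name, a birth year, and keyboard runs. A real
# deployment would build this list per user from data it actually holds.
WEAK_FRAGMENTS = ["acmecorp", "acme", "alice", "1990", "1234", "abcd", "qwerty", "password"]


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must cover for each position."""
    return sum(len(chars) for chars in CHARSETS.values()
               if any(c in chars for c in password))


def guess_space_bits(password: str) -> float:
    """log2 of the worst-case number of guesses, alphabet_size ** length.

    Each extra character multiplies the space by the alphabet size, so both
    length and character variety raise the attacker's cost.
    """
    size = charset_size(password)
    if size == 0:
        return 0.0
    return len(password) * math.log2(size)


def weak_fragments_found(password: str, fragments=WEAK_FRAGMENTS) -> list:
    """Fragments of the password that an attacker could guess outright."""
    lowered = password.lower()
    return [f for f in fragments if f in lowered]


def assess(password: str) -> dict:
    """Combine both checks. The 60-bit threshold is an assumption chosen for
    illustration, not a published standard."""
    bits = guess_space_bits(password)
    found = weak_fragments_found(password)
    return {
        "bits": round(bits, 1),
        "weak_fragments": found,
        "strong": bits >= 60 and not found,
    }


if __name__ == "__main__":
    for pw in ["123456", "Acme1990!", "correct-horse-battery-staple"]:
        print(pw, assess(pw))
```

Running it shows why the advice above holds: “123456” draws on ten characters and contains the “1234” run, “Acme1990!” mixes all four classes but is still rejected because it embeds the company name and a birth year, and the long all-lowercase passphrase wins on length alone.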

4. Use different email passwords for different email accounts.

Once you come up with a clever, strong password that’s also uniquely memorable, you’ll be tempted to use it for every account in your arsenal. However, this is a bad idea.

If a hacker or opportunist is able to get your password for one account, they’ll be inclined to try it with a variety of other accounts connected to your name. If you use the same password for each account, all your accounts will be compromised if only one of them gets infiltrated.

5. Change your email password often.

It’s also a good idea to change your passwords on a regular basis. Depending on your personal risk factors and how secure you want to be, changing once a year is a good minimum to pursue.

Sometimes, after a data breach or a password leak, thieves and cybercriminals will sit on the data for a period of weeks to years, until the heat dies down.

Changing your password prevents these time-delayed attacks from occurring, and makes your password harder to guess (since it’s never the same for too long).

6. Never give out your email password.

No reputable email company will ever ask you for your password directly, over email or over the phone. If someone is claiming to be a representative from Gmail and asks you for your password in one of these communication channels, it’s almost certainly a scam.

Your password is also something to take seriously—even talking about it with your friends to compare password strength, or writing it down on a sticky note, is a bad idea. Keep your password safe and private at all times.

7. Enable 2-factor authentication.

In Gmail, it’s possible to enable 2-factor authentication, sometimes called 2-step or multi-factor authentication (here’s our guide on how to turn off 2-step verification in case you need it).

Essentially, this is going to prompt you for two pieces of personally identifying information before it successfully logs into your account; usually, this means providing a password as well as a temporary passcode sent to your mobile device via text message.

While this can be a bit annoying if you’re dealing with it every day, it ultimately only takes a few extra seconds, and could be the extra barrier of protection that keeps your account safe if you lose your password.

8. Use Gmail’s Confidential mode.


Did you know that Gmail has a built-in “Confidential” mode that allows you to send emails even more securely?

Open the Compose window to draft a new message and click on the lock-and-clock icon in the bottom row. Once enabled, your email recipients will be prevented from forwarding, copying, printing, or downloading the contents of the message.

This can help you prevent confidential information from spreading outside your intended recipient(s). You’ll also have two important options to keep your email even more secure.

First, you can set an expiration date, setting the message to self-destruct, Mission: Impossible style, so the information doesn’t sit idly in your recipient’s inbox for an indefinite period of time.

Second, you can require the email to be unlocked with a unique SMS passcode sent to your recipient’s mobile device—thus preventing the message from being seen by prying eyes.

9. Consider utilizing an encryption add-on.

Gmail is super friendly to third-party developers, and as a result, there are hundreds of Gmail apps, add-ons, and extensions you can use to improve your overall email experience.

Some of these are specifically focused on security; for example, you could use an add-on like FlowCrypt or Virtru to secure your attachments and email messages with end-to-end encryption.

10. Be careful which devices you use.

Many companies now have a bring-your-own device (BYOD) policy, which not only allows but encourages employees to use their personal devices for professional use.

However, this can be dangerous from a security perspective. If your personal device is infected with malware, merely logging into your professional email account with it could expose you to a potential hacking attempt.

Make sure you’re taking security precautions with every device that you may use to log into your professional email account.

11. Be careful which Wi-Fi networks you use.

You’ll also want to access your email account only when you’re confident in the security of the network you’re using.

For example, it’s typically a bad idea to rely on publicly accessible, unsecured Wi-Fi to log into your email; hypothetically, anyone with access to the public Wi-Fi could monitor your actions and gain access to your personal information.

Stick to trusted Wi-Fi networks.

12. Be aware of email schemes.

Many scammers rely on email as their medium of choice for operating schemes; email is cheap and infinitely scalable, so it makes sense.

Fortunately, you can guard yourself against most of these scams simply by being aware of their existence. For example, one of the most common email schemes is “phishing,” where an email mimics the appearance of a trusted authority (such as your bank, or a major website like eBay) to lure you into giving out personal details, like your credit card number or email password.

However, if you know this scheme exists, you’ll be extra vigilant in verifying the identity of these senders. The Nigerian Prince scam is another notorious one, but also be on the lookout for guaranteed loans, lottery winnings, disaster relief scams, and any shady offer on items you’re buying or selling online.

13. Never open an untrusted attachment.

Attachments are the most common way to spread malware, which can nab your personal information or even render your machine inoperable.

That’s because opening an attachment will download it to your computer—and it could easily have a nefarious script or program embedded in it. Many of these attempts will include an attachment with a strange or zipped file type, but some can be delivered in the guise of a conventional file, like a .jpg or .pdf.

Only open attachments in line with your expectations for what an attachment should look like, and from users you trust. If you’re ever in doubt, call the person who sent you the attachment and ask them to verify its contents.
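The paragraphs above make two points a mail filter can check automatically: executable or archive types are risky, and a file “in the guise of” a .jpg or .pdf can be recognised because its first bytes don’t match what that type should start with. As an added example (not code from this article or from EmailAnalytics), here is a Python script that parses a raw message with the standard library and assesses each attachment on those grounds. The signature table, the extension lists, and the constructed sample message are assumptions; a production filter would use a full signature database and inspect archive contents.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Leading bytes ("magic numbers") for the file types discussed. A short table
# is enough here; a production filter would use a full signature database.
MAGIC = {
    ".pdf": b"%PDF-",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".zip": b"PK\x03\x04",
}
# Extensions that run code when opened on a typical desktop (assumed list).
RISKY = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".ps1", ".jar", ".lnk"}
ARCHIVES = {".zip", ".7z", ".rar", ".iso"}


def assess_attachment(filename: str, data: bytes) -> dict:
    """Return the reasons an attachment looks unsafe (empty list = no finding)."""
    root, ext = os.path.splitext(filename.lower())
    inner_ext = os.path.splitext(root)[1]      # e.g. ".pdf" in "statement.pdf.exe"
    reasons = []
    if ext in RISKY:
        reasons.append(f"{ext} runs code when opened")
    if ext in ARCHIVES:
        reasons.append(f"{ext} archive; contents were not inspected")
    if inner_ext and (inner_ext in MAGIC or inner_ext in RISKY):
        reasons.append(f"double extension {inner_ext}{ext} hides the real type")
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        reasons.append(f"content does not match the {ext} signature")
    if data.startswith(b"MZ"):
        reasons.append("content begins with a Windows executable header")
    return {"filename": filename, "suspicious": bool(reasons), "reasons": reasons}


def triage_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and assess every attachment in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):            # text attachments come back as str
            data = data.encode("utf-8", "replace")
        findings.append(assess_attachment(part.get_filename() or "(unnamed)", data))
    return findings


def build_sample_message() -> bytes:
    """Constructed message: a genuine-looking PDF, a 'photo' that is really a
    Windows executable, and a double-extension executable. Addresses use the
    reserved example domains."""
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = "alice@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"%PDF-1.4\n% constructed stand-in for a real PDF\n",
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed stand-in for a PE file",
                       maintype="image", subtype="jpeg", filename="photo.jpg")
    msg.add_attachment(b"MZ\x90\x00",
                       maintype="application", subtype="octet-stream",
                       filename="statement.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print(finding)
```

Only the real PDF passes; the “photo” is caught because its content doesn’t start with a JPEG header, and the double-extension file is flagged three times over. Note that the check deliberately ignores the Content-Type header the sender chose, since that is as easy to forge as the file name.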

14. Investigate suspicious messages.

If you get a message from someone and it seems even the least bit suspicious, take the time to investigate it. Oftentimes, conducting an online search for the subject line of the message, or for the contents of the message will result in a number of pages identifying the message as a scam.

You probably aren’t the first to be targeted. If the message seems to come from a trusted or reliable source, go to them using another trusted channel and ask them to verify the message.

15. Investigate suspicious URLs.

Scammers will also try and lure you to click on a link that ultimately leads to a download page for malware, or something equally vile.

Before clicking any link in an email, especially one from an unfamiliar source, do some investigating. It may look like a familiar URL, but is it? For example, a scammer may replace one letter or phrase of a domain to fool you into thinking the URL is legitimate, such as using instead of, or instead of

They may also use a link shortening service to disguise the “real” link they’re sending you. Fortunately, most link shortening services allow you to preview a link before formally clicking it, such as adding a + symbol to the end of a bitly link.
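The two tricks described above (a domain with one character swapped, and a shortener that hides the destination) can both be spotted mechanically. As an added example (not from this article or from EmailAnalytics), here is a Python script that pulls the URLs out of a message body and classifies each one against a trusted-domain list: exact matches are trusted, known shortener hosts are flagged as hidden, and anything within one edit of a trusted domain after undoing common substitutions (rn for m, 1 for l, 0 for o) is reported as a lookalike. The trusted-domain list, the shortener list, the substitution table, and the sample message are all assumptions made for this example, and taking “the last two labels” as the registrable domain is a simplification that real code should replace with the Public Suffix List.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of domains the organisation trusts, and a short list
# of link-shortening hosts. Both are assumptions for this example.
TRUSTED_DOMAINS = {"paypal.com", "ebay.com", "google.com"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}

# Common substitutions seen in lookalike domains (assumed table).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("5", "s")]

URL_RE = re.compile(r'https?://[^\s<>"\']+')


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Undo the usual look-alike substitutions before comparing."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification (assumption): production
    code should consult the Public Suffix List instead."""
    return ".".join(host.lower().split(".")[-2:])


def classify_url(url: str) -> str:
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if domain in SHORTENERS:
        return "shortened (destination hidden)"
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(normalize(domain), normalize(trusted)) <= 1:
            return f"lookalike of {trusted}"
    for trusted in TRUSTED_DOMAINS:
        # e.g. google.com.account-verify.net: the trusted name is only a prefix
        if trusted in host:
            return f"embeds {trusted} inside untrusted host {domain}"
    return "unknown"


def scan_email_body(text: str) -> list:
    """Return (url, verdict) pairs for every URL found in the text."""
    return [(url, classify_url(url)) for url in URL_RE.findall(text)]


# Constructed phishing-style message body used to exercise the checks.
SAMPLE_BODY = """Your account is on hold. Verify at http://paypa1.com/login
Also see https://www.ebay.com/itm/123 and http://bit.ly/3abc
Secure portal: https://google.com.account-verify.net/signin"""

if __name__ == "__main__":
    for url, verdict in scan_email_body(SAMPLE_BODY):
        print(f"{verdict:50} {url}")
```

The sample body produces one lookalike (paypa1.com, where the digit 1 stands in for l), one trusted link, one shortened link whose destination still needs to be previewed, and one host that merely begins with a trusted name. An allow-list like this belongs in a mail gateway or a browser extension rather than in the user’s head, but the reasoning is the same as the manual check the article recommends.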

16. Keep an antivirus program installed.

It’s a good idea to keep an antivirus program installed on your machine, just in case. Most antivirus programs will automatically scan your email attachments before you download them, and prevent you from accessing malicious webpages.

They can also help you remove any malware that makes its way onto your computer without your knowledge. Norton is the biggest name here, but AVG is a free option that does most of the same things.

17. Avoid giving your email address away.

Try to resist the temptation to give your email address out to every person who wants it. Many websites now ask for your email address to gain access to their internal content, but if you don’t have to give it out, avoid it.

While the majority of businesses will use your email address only for periodic newsletters and updates, some may sell your information to third-parties, or make it public, therefore exposing you to more email-related threats.

It’s not a huge deal, but it’s a small step that can keep you a little bit safer.

18. Never give away personal information in an email.

No reputable agent or company is ever going to ask you for personally identifying information over Gmail.

If anyone asks you for your birthday, social security number, credit card number, or password, it’s almost certainly a scam. Call the company or representative asking for the information by finding that contact info online, not by following the contact information in the email you received, and ask them to verify the request.

Chances are, they won’t have any idea what you’re talking about, and will caution you to never give out personally identifying information over email.

19. Avoid replying to scammers and spammers.

If you’ve identified a scammer, you might be tempted to respond to them to give them a piece of your mind, or to amuse yourself. However, it’s typically better to avoid replying.

Sending a response will verify that your email address is valid, opening the door to more attacks in the future, and may not ever reach the intended recipient anyway.

20. Log out of your email account when finished.

When you’ve finished yet another productive day, log out of your email account. This is an especially good practice if you’re using an unfamiliar device or a network you’re unfamiliar with, but you should probably adopt it 100 percent of the time.

This makes it harder for someone to gain access to your email account just by starting your device.

21. Periodically review your security and privacy settings.

Every few months or so, take a moment to review all your security and privacy settings in Gmail (or whatever email platform you’re using).

For example, you can list secondary forms of contact information that Google can use to verify your identity, and check to see if there were any unauthorized or unrecognized attempts to log into your account. With your Gmail account open, you can also scroll to the bottom and check the bottom-right corner to see your last recognized account activity.

Clicking details will allow you to see all your account activity, so you can proactively monitor for any breaches or suspicious activity.
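The activity review described above can also be scripted against an exported list of login events, which is useful when you are doing it for a whole team rather than one inbox. As an added example (not code from this article or from EmailAnalytics), the Python below walks a constructed set of records of the kind an account-activity page shows (time, source address, country, client, outcome) and raises the alerts a reviewer would want: a burst of failed logins from one address, a success that follows such a burst, and a successful login from a country or client not seen in any earlier successful login. The sample records, the three-failure threshold, and the ten-minute window are assumptions; the addresses come from the reserved documentation ranges.

```python
from datetime import datetime, timedelta

# Constructed account-activity records resembling the fields an "account
# activity" page shows: time, source IP, country, client, and outcome.
# Addresses come from the documentation ranges (RFC 5737).
SAMPLE_EVENTS = [
    ("2024-05-01T08:02:00", "203.0.113.5",  "US", "Chrome on Windows", True),
    ("2024-05-01T12:30:00", "203.0.113.5",  "US", "Chrome on Windows", True),
    ("2024-05-02T09:10:00", "198.51.100.7", "US", "Gmail app on iOS",  True),
    ("2024-05-03T03:11:00", "192.0.2.44",   "RO", "IMAP client",       False),
    ("2024-05-03T03:11:30", "192.0.2.44",   "RO", "IMAP client",       False),
    ("2024-05-03T03:12:10", "192.0.2.44",   "RO", "IMAP client",       False),
    ("2024-05-03T03:13:00", "192.0.2.44",   "RO", "IMAP client",       True),
]


def review_activity(events, failure_threshold=3, window=timedelta(minutes=10)):
    """Walk the records in time order and return (timestamp, message) alerts.

    Three things are flagged: a burst of failures from one address, a success
    that follows such a burst, and a successful login from a country or client
    not seen in any earlier successful login. The first successful login seeds
    the "known" sets, so a brand-new account is not flagged on day one.
    """
    alerts = []
    known_countries, known_clients = set(), set()
    recent_failures = {}  # ip -> timestamps of failures still inside the window

    for ts_str, ip, country, client, success in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        # Keep only this address's failures that are still inside the window.
        fails = [t for t in recent_failures.get(ip, []) if ts - t <= window]
        if not success:
            fails.append(ts)
            recent_failures[ip] = fails
            if len(fails) == failure_threshold:
                alerts.append((ts_str, f"{failure_threshold} failed logins from {ip} within {window}"))
            continue
        if len(fails) >= failure_threshold:
            alerts.append((ts_str, f"successful login from {ip} after {len(fails)} failures"))
        if known_countries and country not in known_countries:
            alerts.append((ts_str, f"login from new country {country} ({ip})"))
        if known_clients and client not in known_clients:
            alerts.append((ts_str, f"login from new client '{client}'"))
        known_countries.add(country)
        known_clients.add(client)
    return alerts


if __name__ == "__main__":
    for when, message in review_activity(SAMPLE_EVENTS):
        print(when, message)
```

On the sample data the first alert is benign (the owner started using the phone app), which is exactly the kind of thing a periodic review lets you recognise and dismiss; the cluster of alerts on the third night, where three failures from one unfamiliar address are followed by a success from a new country on a new client, is the pattern that should prompt a password change and a check of forwarding rules.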

Bonus Tip: Educate Your Employees on Email Security Best Practices

Okay, so you’re following these email security tips perfectly. That’s fantastic, and it’s going to keep your email account as secure as possible.

But what about your employees?

If you want your organization to remain secure as a whole, you’ll need to spend time educating and training your employees to follow these email security practices as diligently and consistently as you do.

Motivating them to stay consistent and holding them accountable may be difficult, but it’s an important step to take if you want to step up your total organizational security. And if your organization runs on Gmail or G Suite, check out these specific tips for Gmail security. Be sure not to miss our guidelines on general email best practices, too!

It’s good to know exactly how your employees are using their email accounts—which is why we created EmailAnalytics.

With EmailAnalytics, you can use interactive data visuals to keep tabs on your employees’ email activities in Gmail, including who their top senders and recipients are, how often and when they’re emailing, and how quickly they respond to new messages.

It’s completely private and secure, and you can integrate it with just a click—so sign up for a free trial today and learn more about how you and your employees are using email!