27 Biggest Mistakes That Can Ruin Your Email Security
What is email security?
Email security is a set of procedures and techniques used in email communication to protect email accounts and the data they contain against loss, compromise, or unauthorized access.
Email is a great and easy-to-use communication channel, both for individuals and companies. Unfortunately, when people use email, they often do so without thinking too much about all the email security risks.
Email threats like phishing and scams will never truly go away, but you can make sure you are ready for them by avoiding these 27 biggest email security mistakes.
- Having Only One Email Account
Today it’s quite normal to have two or even more email accounts. This is because you might use one account to communicate with your friends and family, another for your work and maybe even have a third one as a throwaway account for online shopping or signing up to websites.
By having just one email account where you do all of this, you are taking a big risk as it might get hacked, or you might inadvertently reveal some sensitive information to someone you’re not supposed to.
- Using Private Email on Business Computers
Speaking of separating your private and work email accounts, you should also take care of where you log in to them from.
If your company has issued you a work laptop, use it only for work and not for your personal stuff. That goes for email as well. Using a private email on a business computer runs the risk of a scammer learning some personal information about you, like where you work, which they might use in a Business Email Compromise attack.
- Not Recognizing Phishing Attacks
Email phishing attacks and scams are getting more and more sophisticated, but even so, there are still a few tell-tale signs that will help you identify a phishing email.
The biggest red flags are:
- The email does not address you by your name, but with a generic greeting like “Dear Sir and/or Ma’am”.
- The email is sent from a weird and unprofessional-looking domain.
- The entire email is just one big link that forces you to go to the scammer’s website.
- It is full of grammar and spelling errors.
- It’s unsolicited (you have never heard of or contacted this company before).
- It contains unsolicited attachments for you to download.
- The email is designed to put you in panic mode.
- It asks for your personal or other sensitive information. No legit company will ever do this via email.
- Clicking and Answering Spam Email
Spam email is best left ignored. If you receive a spam email don’t reply to it, even as a joke or to see what will happen. Just delete it from your inbox or spam folder.
Replying to a spammer lets them know that your email is active and will only lead to more spam from them. Instead, list the email as “blocked”.
In CTemplar, you can add a blacklist contact by going to Settings > Filters & blocked addresses > Add blacklist contact and then entering the contact’s name and email in the Add to blacklist field.
- Using Weak Passwords
Your password can be your strongest or weakest line of online defense. You might have dozens of different passwords for your emails, social media accounts, e-stores, websites, forums, etc.
Suffice it to say that it can be difficult to remember them all, so a lot of people use weak passwords that are easy to figure out. Your email account is the last place where you should be doing this!
Instead, make sure that the password is strong enough that it won’t easily be brute-forced. Use a combination of letters, numbers and special characters and make the password at least 10 characters long.
If you have trouble remembering all your passwords, you can always use a password manager like LastPass.
- Not Changing Your Email Password Regularly
Never think that your current email password will forever protect you. Instead, think of it as a toothbrush, which you need to change every few months or so (depending on how often you use it really).
Just like a toothbrush might contain microbes if used for a prolonged period of time, a password that you’ve been using for a couple of years carries the risk that a hacker might eventually crack it.
- Sharing Your Email Password Around
Never share your email password. Not with your friends and family, not with your coworkers and boss and not with anyone else.
If someone asks you for your email password either ignore their request or politely tell them to mind their own business.
You are the only person in the world who should have access to your email account.
- Opening and Replying to Email from Unknown and Unsolicited Senders
If you receive an email “out of the blue” from someone you don’t know and have never been in contact with, it’s often best to not reply to it and instead ignore or delete it.
If you do need to reply, at least be sure not to reveal any personal or other vital information about yourself, your family, or your job.
- Opening Email Attachments Without First Scanning Them
Malicious email attachments can infect your email or even your computer, so you need to be very careful about what you open and download.
Never open an unsolicited email attachment from an unknown source and make sure to scan the attachment before opening or downloading it.
You should be particularly careful with Microsoft Office attachments like .doc/.docx, .xls/.xlsx, .ppt/.pptx, as well as .pdf and music files .mp3/.mp4 and image files .jpeg/.png or executables like .exe, .js, .zip, .html.
Scammers will often use these types of files and executables as they are so common to entice you to click on an attachment.
- Not Using 2FA
We already said that having a strong password is important for your email security, but it’s even better if you add another layer of security to your account through multi-factor authentication.
2FA, or two-factor authentication, will protect your email account further by adding a security question, token, or a code that someone looking to get into your email account will also need to know in addition to the username and password.
Let’s say, for example, that you forget your email password. So you can’t log in. Fortunately, you can click the “forgot password” link and if you have a recovery email, it will be sent to that email.
But what if somehow a hacker got hold of your username and/or password? By adding an extra factor you can stop them from getting control of your account as they will need the code/token that you just received on your other email or device.
- Unsubscribing From Email You’ve Never Subscribed to
One clever tactic that spammers use is to leave an unsubscribe link in their email. This not only makes their email a little more professional-looking and can trick people into believing they are a legitimate company, but it might also lead folks to believe that, by clicking “unsubscribe”, the spammer will leave them alone for good.
Of course, that’s the furthest from the truth you can get. By unsubscribing, you are only letting the spammer know that your account is active and as a result, they will keep sending you more and more email spam.
What you need to do instead is delete the email without clicking on anything or replying or, if they are persistent, block the address completely.
- Not Using Spam Filters
Filters are a very useful way to clean up your inbox from spam.
For instance, you can set up a custom filter in CTemplar that automatically moves an email to the spam folder if its subject line starts with or contains certain words like “free upgrade”.
You can set custom filters in CTemplar by going to Settings > Filters & blocked addresses > Add custom filter.
- Not Making Sure if the Sender’s Name and Email Address Match
Although it’s not a sure-fire way to know, if you receive an email from an individual (for businesses it will be different), their name and email username will most likely match unless it’s an anonymous email.
For instance, if the email is pete@gmail.com and the signature says Frank, that should turn on some alarms in your head.
- The Email Address Does Not Fully Match the Company it Claims to be From
Scammers will often pretend to be a legitimate company in order to get you to reveal your sensitive information.
For example, they might claim to be from your bank and ask you for your account number or other financial information.
First of all, your bank will never ask you for this via email, so that should be your first red flag. The second step is to check carefully whether the email address matches the company.
Open your browser and search for how to contact your bank. If the email is not listed there, that’s another sign that someone tried to phish you. Never send your bank account information via email.
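The two checks described above (the display name against the mailbox name for mail from an individual, and the sender's domain against the domains listed on the company's official contact page) can be run on a message's From header. This is an added example, not part of the original article: the sample headers and the bank.example domains are constructed, and the function names and the official_domains parameter are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not real mail); every domain is a reserved example name.
PERSONAL_MISMATCH = "From: Frank <pete@mail.example>\nSubject: hi\n\nRegards, Frank\n"
PERSONAL_MATCH = "From: Pete Miller <pete.miller@mail.example>\nSubject: hi\n\n"
BANK_GENUINE = "From: Example Bank <alerts@secure.bank.example>\nSubject: Statement\n\n"
BANK_LOOKALIKE = "From: Example Bank <alerts@bank.example.login.example>\nSubject: Verify\n\n"


def name_matches_mailbox(display, local):
    """True if a word (3+ letters) of the display name appears in the mailbox name."""
    words = [w for w in re.split(r"[^a-z]+", display.lower()) if len(w) >= 3]
    return not words or any(w in local for w in words)


def domain_is_official(domain, official_domains):
    """Exact match or true subdomain only; a substring test would accept
    'bank.example.login.example' because it contains 'bank.example'."""
    return any(domain == d or domain.endswith("." + d) for d in official_domains)


def check_sender(raw, official_domains=None):
    """Return warnings for the From header of a raw message.

    official_domains: domains taken from the company's own contact page
    (hypothetical parameter); leave as None for mail from an individual.
    """
    display, addr = parseaddr(message_from_string(raw).get("From", ""))
    if "@" not in addr:
        return ["From header has no parsable address"]
    local, domain = addr.lower().rsplit("@", 1)
    warnings = []
    if official_domains is None:
        if not name_matches_mailbox(display, local):
            warnings.append(f"name {display!r} does not match mailbox {local!r}")
    elif not domain_is_official(domain, [d.lower() for d in official_domains]):
        warnings.append(f"domain {domain!r} is not an official domain")
    return warnings


if __name__ == "__main__":
    print(check_sender(PERSONAL_MISMATCH))
    print(check_sender(PERSONAL_MATCH))
    print(check_sender(BANK_GENUINE, ["bank.example"]))
    print(check_sender(BANK_LOOKALIKE, ["bank.example"]))
```

An empty result does not prove the sender is genuine, because the From header itself can be forged; the check only catches the mismatches described above.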
- Sending Personal and Other Sensitive Info Over Email
Email is a very convenient way to communicate online and it’s not intrusive like some other forms (meaning you can open and reply to it at your own time).
However, it’s not exactly what we would recommend using for sending personal or sensitive information.
That goes even if the other side is someone you know and trust, as there is always a chance that someone has “infiltrated” your conversation and is monitoring it, like in a Man-in-the-Middle (MitM) attack.
- Using CC Instead of BCC When Sending Mass Email
If you need to send out a mass email, for example, to your employees or coworkers, you have two options: Blind Carbon Copy (BCC) or Carbon Copy (CC).
Always go for the Blind Carbon Copy over Carbon Copy.
BCC will make sure those in the email chain are not exposed to different kinds of cyberattacks and email spam by hiding their names and addresses, whereas, with CC, that’s not the case.
- Using Gmail for Sensitive Emails
You probably have a Gmail account and let’s be honest, it’s fine as a private account.
That is, as long as you don’t send out any sensitive info through it.
Gmail doesn’t have much in terms of encryption, just the Transport Layer Security (TLS), meaning it encrypts your messages in transit, from one end (sender) to the other (receiver).
It does not, however, encrypt messages when they are on the email server (at rest), which is when an attack often happens.
- Failing to Delete Files in Cache
Your computer will most likely keep your browser history, including the passwords you used to sign in to different websites (including your email) somewhere in its cache.
While this often makes things easier and faster for the user who doesn’t have to remember all those passwords, it’s far from secure, especially if you are using a public network.
Be sure to delete files in the cache regularly as someone can use your cache to gain access to your password-protected data, including your email account.
- Not Reporting an Email Breach (Even a Failed One)
Every data breach in your company should be reported and registered. This goes for failed email breach attempts that the user has spotted and has reacted to as well.
The reason for reporting a data breach internally is to make sure everyone in the company is better prepared for the next time a breach occurs. There’s always the “next time” when it comes to cybersecurity breaches.
- You Don’t Have a Plan in Case of an Email Breach
What happens in your company when a cyberattacker manages to breach your email?
Do you even have a plan for this type of scenario?
You should have a data breach response plan that includes an email breach response plan as well.
This is a roadmap you can follow when a breach happens (or is discovered) and it should contain:
- A definition of a breach
- Who should respond to the breach
- Step-by-step actions for handling the breach
- Follow-ups (reporting the breach to the authorities and stakeholders, taking further steps to enhance your cybersecurity, etc.)
- Not Using Digital Signatures
You probably noticed that some emails contain a different signature than usual. A digital signature is a good branding opportunity, but more than that it adds legitimacy to your emails.
By using digital signatures, which are like a digital business card, your emails are much less likely to end up in a spam folder. They can contain:
- Your name
- Job title
- Email address
- Phone number
- Website logo
- Social media account links
- A picture
- Legal disclaimer
- You are Not Educating Yourself Enough on Email Security
Email security is constantly evolving and it always brings new challenges with it.
Scammers, phishers, hackers and the like are constantly finding new ways to steal your data and you need to keep up with them or you’ll be caught by surprise next time.
The best way to do that is to constantly educate yourself. Read about email security, learn some email security best practices like:
- Separate your private and business accounts
- Use a strong password and change it regularly
- Use a different password for every account
- Enable 2FA
- Don’t open attachments from unknown senders
- Investigate suspicious URLs and messages
- Don’t disclose personal information via email
- Don’t reply to spammers and scammers
There is no lack of material and no excuse for not keeping yourself informed on email and IT security threats. Read articles and books, watch videos, take a look at case studies and learn from both successful and unsuccessful data breaches to know how to respond when the time comes.
- You are Not Educating Your Workforce on Email Security Enough
You are just one man and IT security should not be put on just one man’s back.
Email security threats come both from the outside AND the inside, especially if your employees are not educated and informed enough about cybersecurity.
For instance, a lot of companies have a bring-your-own-device (BYOD) policy, which allows employees to use their own devices for work. This is a good practice when it comes to collaboration and productivity and also allows employees to access their email wherever they are, but it’s bad for security.
The more connected devices your email is accessible through, the greater the chance for a data breach. For instance, an employee might lose their cell phone, which can give access to their business email to someone else.
At the same time, a lot of data breaches don’t happen because of some ingenuity on the cybercriminal’s part, but rather because an employee was naive enough to respond. By educating your workforce better, you will ensure that there are fewer accidental data breaches in your company.
- Not Testing Your Email Security
Is your email security up to par? You might have anti-malware software and employ email security best practices, but how do you know they work if you haven’t had an email data breach yet?
Well, there is a way to know if your email security plan works or not that doesn’t include having a breach.
Send out a mock phishing or scam email to your employees and see how they respond. Do they follow email security best practices, check the email sender, scan attachments, report the breach attempt?
Don’t think of this as a waste of time. A drill like this can actually save you time and money, so be sure to do it from time to time.
- Not Using Email Encryption for Important and Confidential Data
Granted, in one out of five emails you won’t have to use encryption as the email won’t contain any confidential or private data. But for that one email that does, it’s important to not rely on luck, but on email encryption instead.
By utilizing email encryption, you decrease the chances of someone other than the intended person intercepting and reading the contents of the email and abusing the data within it.
- Not Using Anonymous Email Enough
You don’t always have to reveal your real name in an email. In fact, there are situations where it is prudent to remain anonymous.
There are two main reasons why you might want to use an anonymous email.
Number one, you want to protect your own online privacy. We sign up to all kinds of websites and give out information about ourselves to them. Next thing, we forget all about those websites and that we ever signed up to them, but they still keep our information.
If you’re not sure that you’ll use the account regularly, and maybe just want to sign up to check it out, there’s no point in leaving your personal info. Instead, use an anonymous email.
Another, much more serious reason to use an anonymous email is if you need to send out confidential information.
For instance, you might be a whistleblower or a journalist and you or your informant are in possession of some confidential documents. If you exchange these via regular email, you are likely to get caught and then you’ll be persecuted by the government.
However, if you use anonymous email security services, there’s much less chance that either of you will be discovered.
- Trusting Your Friends with Your Account Information
If there is one thing in which you should never trust your friends it is with your email account information.
This is not to say that your friends (same goes for your family and coworkers) would abuse your email on purpose, but they may not know as much about email security as you do and might either become a victim of an email breach, or they might accidentally blurt out some of your personal or confidential data to a scammer.
It’s best not to take that chance.
There you go. 27 biggest mistakes you can make when it comes to email security. I hope this article will help you be better prepared and keep your email account secure.
If you want to make sure that’s the case, be sure to sign up and start using CTemplar: Armored Email.