Email Security Best Practices to Avoid Password Hacks in Gmail

Email security best practices

Just as you want your home, vehicle, and devices to be safe, email security best practices help you keep your inbox out of the grips of hackers and other bad actors in the data world. Email security can seem daunting, but it doesn’t have to be.

Email security best practices are essential. Cyber attacks are relentless and always evolvingand email security is no easy business. (Yes, it’s time for some scary numbers, but feel free to skip to the next paragraph.) During 2017 alone, says cyber-security firm Symantec, the average email user was receiving at least 16 malicious emails per month. Over half of all email sent was spam, and over 90 percent of malware was delivered through email accounts just like yours.

So, yeah, things like phishing attacks, malicious email attachments, ransomware attacks, and business email compromise (BEC) attacks are a big, big deal. If you haven’t heard the Reply All podcast episode on how smart people fall victim to phishing attacks, it’s worth a listen.

And the goal of many phishing attacks? To steal your password, so they can then access, steal, or hold hostage sensitive data, from your identity or money to company intellectual property and financial information. However, you also are not powerless. In fact, protecting personal information and company data can come down to you, humble email user.

Solid security starts before the email arrives and continues to what you do with your email account

Before a message arrives, email systems such as Gmail use many behind-the-scenes scanning technologies, malware detection programs, spam filters, and other email security systems to prevent malicious messages from ever reaching your inbox.

Just like Gmail, all company email systems should be going through a web security filter, says Tim Steck, owner of TBS Consultantsan IT services and security firm based in Oregon.

“We put all business client email through a filter,” says Tim. “It weeds out viruses, spam, and other malicious stuff.”

No filter or security system is perfect though. Just as today’s car makers build in safety features from automatic emergency braking to rear-view cameras, safe driving is ultimately up to the person behind the wheel. With cybersecurity, much of safeguarding email security and preventing data loss comes down to the individual going through their inbox.

“At the user level, we always recommend that they do not click on a link in an email when they aren’t one hundred percent sure it came from a legitimate person,” says Tim. “When in doubt, it’s best to call your IT expert and have them examine the email.”

There are other steps you can follow to keep your company email address, personal information, and sensitive information (such as Social Security numbers) safe and secure. 

“A lot of it is common sense,” says Tim. “Don’t open emails you don’t know. If it’s an email address you don’t recognize, delete the email.”

Password security: Set a strong password, change it regularly, and don’t share it

The key is to set a strong password and change it regularly, says Tim.

“On a server, we set policies to force password changes every thirty, sixty, or ninety days,” he explains. “Strong passwords should contain three out of four things: lower-case letters, upper-case letters, numbers, and symbols.”

They also shouldn’t contain obvious personal information (like names of your pets or family, hometown, alma mater, or your fave sports teams), the word “password,” or common letter/number substitutions (such as I/1, S/5, etc.) Typically a strong password should be at least eight characters, but when possible go long, such as at 16–30 characters.

Strong random password generator tools can help you create a strong password. Or, instead of a password, use a passphrase. Where a strong password can become a hard-to-remember combination of characters, a passphrase combines multiple words into something that can be both harder to crack but easier to remember.

Don’t share that password either. Sharing passwords increases vulnerability and the likelihood of getting hacked.

Enable two-factor authentication—as long as you can consistently use it

Current email security best practices also recommend using two-factor authentication (2FA for short, also known as multi-factor authentication/MFA). 2FA can take many forms, such as a text message or phone call with a code you enter, a physical fob or key that must be inserted into your device, or entering another piece of data that only you know.

However, 2FA can also become a hassle, requiring password resets or winding up with you locked out of your account.

“Two-factor verification and such can cause more problems than they’re worth,” says Tim. “People sometimes forget what they set, or they don’t have their phone or key with them, or they can’t get reception.”

Successfully using 2FA means being confident that you will be able to consistently perform the secondary function needed to access your account. When allowed in your system, also set redundant factors, such as a backup phone, code, or physical key, to give you options in the event you are unable to use your usual 2FA method.

“We give those options to clients, but they can take a lot of work to maintain,” says Tim. “There can be a lot of resources devoted to resetting passwords.”

Use unique passwords—and keep track of them all with a password manager

The average person now has over 90 online accounts—and each one needs a password.

Yeah, we’re not going to try to remember 90 unique passwords either.

Not only that, each account needs a unique password, not the same password used 90 times for convenience. If you re-use passwords (and most people do), a compromise on one account can quickly snowball into an avalanche of hacks, data breaches, and theft.

That’s where online password managers come into play. Essentially, services such as LastPass1PasswordDashlane, and Keeper provide secure online safes for your login credentials. Not only that, but these services can also generate strong passwords, sync them across your devices, auto-fill (saving you some typing), and update passwords for you.

Don’t open or act on unfamiliar emails or any email that seems suspicious

76 percent of organizations say they experienced phishing attacks in 2017. Phishing is where someone is trying to dupe you into clicking a link and entering personal information into what you think is a legit website.

Suspicious emails typically have a sense of urgency (such as claiming your account is about to be locked or deleted). They want you to enter some sort of sensitive information, such as your account credentials. The email address also won’t match the brand’s real address—though it might look similar. The more adamant the email seems that you send over your information, the more likely it’s one of the many phishing emails trying to steal your data.

Real services do not ever ask for your personal information via email. Period.

For this email security best practice, follow a simple rule of thumb: if an email is asking for personal or other privileged information, delete it. Do not click any links in the email. Do not download, open, or preview any attachments.

Delete it. Period.

Don’t click unsubscribe or reply to suspicious emails

If the email looks like it’s from a brand that you have an account with, delete the email, go to your browser, type in the URL for the site (or hit the link from your bookmarks), and log in directly. Unless you are expecting an email with a link—a list you know and trust, a confirmation for something you just registered for or ordered online, etc.—don’t click the links in emails. Don’t copy and paste links either.

Leaving links alone also extends to any innocent-looking “unsubscribe” links in that suspicious email. Clicking that only confirms to the hacker or spammer that your email address is legitimate—so they’ll start sending you more malicious junk. Same thing if you reply to the email, so don’t reply to suspicious emails either.

Only open attachments from trusted contacts—and still check those first

Attachments are one of the top ways hackers install malware, steal information, and compromise systems. If you are being wary of attachments, even from trusted contacts, you have a much lower chance of having your email hacked.

For starters, attachments should never be a surprise—and large files are a giant, flaming, screaming red flag. When an attachment comes through, it should be something that you knew would be on the way. If you have any doubt at all, don’t open the attachment. Instead, via a call, text, email, or quick face-to-face, verify whether or not the email and attachment are legit. After all, even trusted contacts can be hacked—and if that happens, some attacks use that compromised email account to send out malware, phishing attacks, ransomware attacks, and more.

If the attachment has a .exe extension, send the email to spam and notify IT. If opened, a .exe file will execute some sort of program—and it will be somewhere between bad and catastrophic.

Files such as Word and Excel can also contain malicious software, especially via macros. Only consider opening these files if you knew they were coming. Even files such as JPGs (images) and PDFs can be faked.

If an unsolicited attachment comes from someone you don’t know, just delete it.

Email security isn’t easy, but it is doable

Attacks on email continue to grow and change—but security continues to adapt too.

“That’s why you go through a good, reliable email security provider,” says Tim. “They get updated almost on the minute.”

While many aspects of email security are up to your email provider, much power is in your hands too. By using and changing strong passwords, leveraging password managers, not sharing your password, and being judicious about which emails and attachments you open or engage with, you are taking big strides toward a more secure inbox for you, and more secure data overall for your company and identity.

At the least, “make sure you know where emails came from,” says Tim. “If you have a strong password and change it often, generally you’re good.”

Posted in: Email

Anthony St. Clair

Anthony St. Clair

Anthony St. Clair is a business copywriter, author of the Rucksack Universe travel fantasy series, and a craft beer writer specializing in Oregon. Learn more at

Further Reading

Sharing Passwords Hurts Your Business—Do This Instead

Sharing passwords can hurt your business and puts your operation at risk. Here's a better way to collaborate via email without sharing…

Gmail for Your Business Email: Is the Paid Option Worth It?

It's tempting to use a free, personal email account for your business. But the truth is: Personal emails just don’t look…

Gmail Shared Inbox: Your Sharing Options Explained

Most businesses have at least one group email address like and sharing that Gmail inbox with multiple employees can…