What is email security? Common threats and best practices

What is email security, and how do you achieve it? This detailed guide will help you establish full safety and privacy in your online communication.
According to IBM, the average data breach costs global businesses and organizations over $4.3 million. Since cybercriminals carry out most of these attacks through emails to individuals, learning how email security works is crucial for your protection.To answer the question, “What is email security?” you need a deeper understanding of how to achieve safety and privacy in email communication. This guide will help by exploring the most dangerous email threats and the technologies and best practices we collectively call email security.
Achieve security without breaking a sweatSkiff's rock-solid encryption and privacy-focused features provide a superior defense against email threats
Sign up

The biggest email security threats

Most hackers use the following techniques to compromise email accounts:
  • Data exfiltration
  • Spam
  • Brand impersonation
  • Domain impersonation
  • Malware
  • Phishing
  • Conversation hijacking
  • Business email compromise
Cybercriminals constantly improve their methods to stay ahead of cybersecurity professionals. As a result, it’s impossible to create a conclusive list of all email security threats—new ones appear every day.In practice, most criminals use a combination of common techniques. We’ll explore each one to help you understand what your email security is up against.

Data exfiltration

Cybercriminals conduct unauthorized data transfers via:
  1. Remote access to a network or device
  2. Physical access to a device
Data loss through remote access is more common, as it’s much harder for criminals to obtain someone’s device physically, especially if the target is a company or organization.The easiest way to obtain unauthorized remote access is via email because it’s the default communication method for professional correspondence. Criminals launch most email attacks to collect confidential data from the target, making data exfiltration one of the biggest email security threats.


Countless unsolicited emails arrive in our inboxes daily—according to Statista, around 50% of all emails are spam.Besides unwanted ads for shady businesses, spam messages may carry significant security threats. Here’s a breakdown of the most common issues junk emails can cause:
Spam-related problemDescription
Lower productivity Office workers lose valuable time filtering out numerous unwanted messages
Increased server trafficPrivate email servers have limited bandwidth. Incoming spam messages can quickly fill up the purchased server space
Malicious contentFrom phishing attempts to fraudulent business proposals and malware, spam can be used to deploy many email threats
Modern email service providers protect clients with advanced spam filters that automatically delete unsolicited messages. The problem is that these filters can be overly aggressive, often misidentifying and discarding legitimate emails as spam.

Brand impersonation

Cybercriminals deceive victims into disclosing sensitive information by pretending to represent well-known companies.Service impersonation is the most common subtype of brand impersonation. This attack targets existing product or service users by imitating the associated brand's customer service department.Criminals hiding behind fake email accounts use templates carefully designed to spoof the real brand and lead you to believe you’re communicating with their representatives. The goal is to obtain personal data, such as your:
  • Physical address
  • Credit card information
  • Phone number
  • Date of birth
  • Social Security number
  • Answers to security questions
Scammers sometimes include another step, such as a fake survey or a phishing website with forms asking you to enter sensitive data.

Domain impersonation

A key part of most online scams involving fake emails is domain impersonation. Hackers try to pass off fraudulent email domains as genuine addresses of:
  • Trustworthy institutions
  • Famous brands
  • Individuals from your contact list
The most common way to achieve it is through typosquatting. Hackers buy email domains that look almost identical to real addresses, except for one differing letter, similar to a harmless typo.Most recipients only glance over the senders’ email addresses, especially from familiar contacts—which is what hackers count on.For instance, genuine Microsoft support agents use the mail.support.microsoft.com domain, while hackers might use support.mail.microsoft.com or mail.support.microsoftt.com.
Source: Microsoft


Abbreviated from 'malicious software,' malware refers to different computer programs with one common trait—they harm your device and compromise your safety.You may unknowingly install malware with other software, such as browser toolbars or even fake antivirus software. Hackers still prefer email as a malware delivery method, as people are more likely to open an email link or attachment than download and install software from unknown websites.Here’s a quick guide to the most common types of malware:
Type of malwareDescription
TrojanMalware disguised as real software or attached to an altered version of a legitimate program
SpywarePrograms designed to gather data from your devices and accounts, such as passwords and personally identifiable information
WormViruses programmed to replicate and take control of entire networks by transferring themselves from one device to another
BotnetNetworks of previously infected devices, controlled by hackers remotely and used for further criminal activities
Adware Software created to deliver aggressive advertisements, not necessarily dangerous but damaging to your user experience
RansomwarePrograms that encrypt your files or restrict access to your device, forcing you to pay a ransom to the hackers responsible for the attack
Up-to-date antivirus software will lower the risk of being infected with one of these programs, but no solution guarantees 100% security as hackers constantly create new malware.


While phishing is a general term for any online scam involving criminals disguised as real individuals or entities, these attacks most commonly happen via email. The two other primary channels are:
  1. Text messages (smishing)
  2. Phone calls (vishing)
Domain and brand impersonation often involve phishing, but cybersecurity professionals recognize different types of phishing depending on their targets and techniques. The most popular subcategories of phishing attacks are:
  • Spear phishing
  • URL phishing
  • Lateral phishing
Unlike generic phishing attacks with millions of targets, spear phishing (also known as whaling) is an elaborate scam targeting a specific individual or company. In the latter case, hackers try to scam a key decision maker or stakeholder into revealing classified information or login credentials leading to high access.URL phishing is a crucial technique for domain impersonation, involving fake websites with prompts for gathering users’ banking details, login credentials, and other sensitive data.Contrary to most other email threats, hackers don’t use fake email accounts with lateral phishing.It’s one of the most potent forms of phishing due to its use of real email accounts that have previously been hijacked through malware or compromised via other phishing attacks. People fall for lateral phishing scams more easily because they come from legitimate email accounts.

Conversation hijacking

Once hackers gain control of a business email account, they will likely attempt conversation hijacking if the breach isn’t flagged immediately. The attackers go through conversations from the compromised account’s inbox, especially those related to payment procedures, banking details, and similar business operations.They continue the existing conversations and try to scam participants into providing confidential information. Like lateral phishing, conversation hijacking has higher success rates because it involves genuine email addresses.

Business email compromise (BEC)

This cybercrime involves several other hacking techniques, including spear phishing, domain impersonation, and sometimes malware.A BEC scam aims to get an employee to make an “urgent” money transfer to the hacker’s account. Criminals usually impersonate a real vendor of the target company or an executive with the power to authorize a transfer.More sophisticated attempts involve accessing an executive’s email account via phishing and contacting employees from the real address. Perpetrators often direct the funds to a cryptocurrency exchange and convert the stolen money, making it difficult to trace.The frequency of BEC scams had increased substantially during the COVID-19 pandemic when most office communication shifted to digital channels. According to the FBI, BEC incidents rose by 69% from 2019 to 2021.
Opt for comprehensive email securitySkiff's powerful encryption ensures your emails remain private, protecting them from common threats and vulnerabilities
Sign up

How email security works—best practices for protecting your email

No single security solution can provide complete protection, which is why you need to:
  • Create a strong password
  • Exercise caution
  • Use an end-to-end encrypted (E2EE) email service

How to create a strong password

A hard-to-crack password is your first line of defense against email attacks. It should be easily memorable for you but impossible for others to guess.To ensure your password is strong, you should:
  1. Use different passwords for all accounts
  2. Create longer passwords
  3. Avoid common words and personal info
Reusing passwords is a classic mistake that leaves your email account vulnerable. Using the same password for your online banking and email accounts is particularly risky. If you can’t memorize multiple passwords, consider a password management tool.Ensure your password is as long as possible but not gibberish that you won’t be able to remember. Here are a few suggestions:
  • Meaningful series of words
  • Book passages
  • Movie quotes
  • Poem lyrics
Never use passwords related to personal or publicly available data, like information from your social media. These include:
  • Pet names
  • Street names
  • Phone numbers
  • Important dates
  • Initials
  • Nicknames
It’s also a good idea to avoid common password patterns like:
  • 4321
  • 1234
  • abcd
  • qwerty
Turn on two-factor authentication (2FA) if your email service provides this safety measure. It will add another layer of security to your login process.With 2FA, login attempts with your username and password require additional confirmation to prevent others from accessing your account. The two factors in 2FA are:
  1. Your password
  2. A code, facial recognition, or fingerprint
The code or biometric request is usually sent to your smartphone after a login attempt. That way, even if someone cracks your password, they won’t be able to access the account without your device.

How to exercise caution in email communication

According to Verizon, over 80% of data breaches come from human error. No email security services will keep you safe if you don’t exercise sound judgment and elementary caution while sending and receiving emails.Unsolicited emails should always raise suspicion. Check all emails from unknown senders and unexpected messages from familiar contacts. While verifying senders, check their actual email address instead of the display name.Government institutions and organizations will never request login credentials and similarly sensitive information via email. If an email appears to be from one of these entities and asks for credit card numbers or passwords, it’s most likely a scam.
Source: IRS
Email attachments require additional caution because it’s easy to deliver malware through them. Before opening an attachment, consider the following questions:
  • Are you expecting the attachment?
  • Do you trust the sender?
  • Is their email address legitimate?
Other signs of malicious emails include generic greetings, poor grammar, and spelling mistakes. Look for these in any suspicious messages.Keeping your software updated will ensure you’re protected against the latest vulnerabilities, so make a habit of updating your operating system and antivirus programs.

Use an end-to-end encrypted (E2EE) email service

Encryption is the ultimate email security and privacy measure. It protects your messages by making them unintelligible to anyone but the intended recipient.Different email encryption protocols provide varying levels of security, mostly depending on two key points:
  1. When the encryption takes place
  2. Where the encryption keys are stored
Google, Microsoft, and other mainstream email service providers use the Transport Layer Security (TLS) encryption protocol by default. It encrypts your emails on the provider’s servers and stores the encryption keys there. This means that a server breach can lead to hackers getting the encryption keys and compromising your emails. TLS also protects your messages while traveling between servers but not while resting on them, which further endangers your email security.The only fully secure protocol is end-to-end encryption. Using a device-based approach, it provides complete safety and privacy between the sender and the recipient.With true E2EE, email encryption and key storing happen on your device outside the server, making any hacking attempt unsuccessful, even in case of a server breach. Anyone trying to intercept your email would be met with ciphered, undistinguishable text. Decrypting the message won’t be possible without the decryption key stored on the recipient’s device exclusively.Some industry giants offer E2EE, but only within their paid plans, and typically rely on less secure protocols like S/MIME. Only security-focused email service providers offer built-in E2EE.Skiff Mail is an excellent choice if you’re looking for a secure email service with the tightest safety and privacy protocols.

Skiff Mail’s security gives you peace of mind

Source: Skiff
Skiff offers device-based end-to-end encryption with two keys safeguarding your correspondence:
  1. Public key encrypts the message. It’s generated on the sender’s device and shared automatically with the recipient
  2. Private key decrypts the message. It’s generated on the recipient’s device and never shared with anyone, not even the email service provider
The result is complete email security and total privacy—far superior to mainstream email services.Unlike Google, Skiff does not:Skiff’s device-based encryption ensures no third parties could ever read your private conversations, including the email service itself. In contrast, Gmail scans 300 billion email attachments weekly to improve its AI tools.While Big Tech email services collect and process huge amounts of email data under the pretext of custom-tailored services, Skiff Mail helps you regain control of your online security.

Security and anonymity go hand in hand

Skiff’s Secure Remote Password protocol ensures you don’t have to provide personal information like your phone number or name when signing up, allowing you to remain anonymous. Skiff doesn’t store your login credentials on its servers—they remain on your device, giving you total control of your password.The platform also ensures anonymity through email aliases, allowing you to hide your real email address.As an additional security measure against phishing, Skiff supports 2FA via the Authenticator app. All you need to do is create a strong password, and your login information will remain secure.

Skiff’s E2EE workspace

Skiff is more than an email service. A free Skiff account grants you access to three other encrypted products that rival Microsoft Office and Google Workspace:For more details on Skiff’s security technology, check out the platform’s whitepaper. Skiff is open source and transparent, so its whole codebase is freely accessible on GitHub.

Sign up for Skiff for total email security

You can join Skiff in three simple steps:
  1. Go to the Skiff signup page
  2. Create a username and a strong password
  3. Start using the entire Skiff ecosystem for free
While all Skiff features are free, you can upgrade to one of the three paid plans for more email aliases, custom domains, and cloud storage. More information is available on the pricing page.

Join the community

Become a part of our 1,000,000+ community and join the future of a private and decentralized internet.

Free plan • No card required