If someone gets into my email, I don’t care. So what if they read it? There’s nothing important there.
If this is something you might say, then you are risking a big, nasty surprise. Should someone gain access to your email account, reading your email is probably the last thing they will bother with. They can use your email account in other ways, ways they can profit from.
And, of course, what profits them is unlikely to benefit you.
For example, many services equate access to your email with proof of identity. Identity fraud is therefore a real and serious risk. Think of all those online accounts many people have, such as eBay, PayPal, DropBox, Twitter, Facebook, LinkedIn, Pinterest, iTunes. Most use your email address to prove you are you. If you lose access to your email address, you lose access to these services and all that is on them.
Worse still, the person who now has access to your email account also has access to these other services, and can edit or add things as if they were you.
Your first thought might be but my password for those sites is different, so if they get to my email they still can’t login as me on those other services. While you are correct that they don’t have your password, you have forgotten that they don’t need your password. Simply clicking on the 'forgot password?' link will send a new password to your email address, and of course they can read that. So now they know the password to those accounts, and you don’t.
Their ability to make your life unpleasant doesn’t end there. They can send emails to your friends and family, some of whom will open the email and act upon it, believing it to be from you. That email might harbour malware such as a virus, or trick the recipient into typing in their email address and password into a fake web site, perhaps giving unauthorised access to their bank account.
Depending on what other services you have registered with, the person who has taken over your email account may also be able to scrub everything from your phone, purchase items using your credit card from online stores, or even impersonate you in dealings with your bank.
This is not just speculation. All these things have happened, more than once. In fact, they happen so often that compromised email accounts are readily available for purchase on the electronic black market.
What to do?
Now you have some idea of the risks, what should you do about it?
Robust security involves a range of measures, but you can easily reduce the risk to your 'unimportant' email account by following a few simple rules.
Use a good password
Do not use the same password for multiple services
If available, turn on two factor authentication
Do not click on links in emails
If you do click on an email link, never enter a password or similar private information in the page that appears.
Read on for more detail about these points.
A Good Password
A good password need not be difficult to remember. You just need a little creativity. Here is an example.
Think of three or four nonsense sounds and write them down. If this is difficult, just think of the sorts of sounds we often call 'baby talk'. For example boh, depie, do
Decide on a rule about capitals. For example, the second letter is capital. This gives us bOh, dEpie, dO.
Now insert a number (perhaps your favourite number) somewhere. Such as bOh, 42, dEpie, dO.
Put them all together, and you have a good password that is partly pronouncable and easy for you to remember: bOh42dEpiedO
For an even better password, also add some punctuation, preferably not at the end. Perhaps bOh42dEpie!dO
The key point is to choose nonsense sounds that flow in your mind when you pronounce them so that you will easily remember them. But avoid common sounds and popular combinations such as doo, dah, dah.
Do Not Reuse Passwords
Even if you have a good password, if you use it everywhere then someone only needs to trick you once into revealing your password for one thing, and they will be able to access your email.
Of course, no one can remember all those different passwords, no matter how easy it may be to remember each one. So use a password manager, and take extra care to make sure its password is very good. "LastPass":http://lastpass.com is a popular online service that takes care of this for you. However my preference is to not put my passwords in the care of a third party. I use the cross-platform "B-Folders":http://www.jointlogic.com which allows me to synchronise my password database between my computer and my smartphone.
Typically when logging into a service you supply your username, plus 'something you know', namely a password. Two-factor authentication adds 'something you have' to the equation.
Exactly what the 'something you have' is will vary from one service to another. Common examples use a number texted to your mobile phone, or a small gadget that displays a number. In both cases the number is different each time, so if someone somehow records what you type in, they can’t use it themselves to log in as you later.
Many services are starting to offer two-factor authentication as an option. Consider turning it on.
Do Not Click on Email Links
Never click on a link in an email. It may look safe, but clever people can work out ways to make a link to their web site look like your bank.
For web sites you visit regularly, create a bookmark or favourite and always use that. This also avoids the risk of mistyping the address and thinking you are in the right place when you aren’t.
If you do click on a link in an email, perhaps because the email is from someone you trust, NEVER enter any passwords or other private information in the page displayed. Although you trust the sender, it is possible the sender didn’t really send the email, and you aren’t really viewing the web site you think you are.
Your email account is valuable, and should be adequately protected, even if it holds no private emails. The consequences of losing control of it can be expensive and time-consuming, thanks to the risk of online identity fraud once your email account is compromised.
While it is true that there is a long list of things you should do to make the risk as small as possible, just following a few simple rules will get you most of the way there. So if you haven’t already, go ahead and change your email password to something better. Check if your provider offers two-factor authentication and if so, consider turning it on. And remember to not click on links in emails!