For most people, webmail is their main personal account – used for everything from keeping in touch with friends and relatives to dealing with banks, government, shopping sites and other online services.
The ‘Big 3’ are Google’s Gmail, Yahoo! Mail and Microsoft’s Outlook.com (formerly Hotmail), and even two years ago it was estimated that they were sharing over a billion users.
Webmail is a prime target for cybercrooks so it’s vital we all keep our accounts as safe and secure as possible. Here are some of the most important steps to keep unwanted people out of your account.
1. Secure your password
The password is the basic standard of authentication, and by now we should all understand the importance of picking a good one, making it hard to guess and hard to crack, and not reusing it anywhere else.
Password managers can help with this, but your primary webmail account may well be one of those you keep in your own memory instead. It’s OK to write your password down, just make sure you keep the written copy safe. Whatever you do, avoid the old favourite of the post-it note on the side of your screen.
Don’t share it with social media sites – the likes of LinkedIn love to offer you “simple” ways of uploading your contact lists and other data to their systems, often for their own benefit as much as your own, and will try to persuade you to give them your password to get in. Just say no to such kind offers.
Learn to spot and avoid phishing attempts, and when entering your password via a browser make sure you’re at the right site with https enabled. Password managers can help with this, as they will refuse to fill in your password if you’re not on the right site.
Finally, make sure your password recovery/reset options are safe. You need your secondary email address or phone number to be as secure as possible, so ideally use a work email account (as long as you trust the security awareness of the IT admins at your place of work) and a personal mobile phone number which only you have access to.
Another common reset option is a “security question“. Make sure the answer you choose is not something that can be easily found out – your mother’s maiden name and your first school are not secrets, even the name of your first pet or your favourite type of pie may be easy to find out by digging through your social postings. Ideally, make your answer a nonsense passphrase which could never be guessed. Store it in a secure form such as a note in a password manager if you can’t easily remember it.
2. Toughen up your login with 2-factor authentication
Any decent provider should offer options for two-factor authentication (2FA). They sometimes call it “2-step verification”, or in the case of Yahoo! Mail, “second sign-in verification”.
Adding a second factor to the authentication process adds a much bigger hurdle for hackers to overcome. If they somehow get hold of your password they’re still no better off if you have 2FA enabled and they don’t have access to your secondary codes.
You can have your mail provider send a one-time code as a text or voice message every time you try to log in to your account. If you don’t have a mobile phone to which verification numbers can be sent via SMS, in some systems you can use a landline to receive codes as automated voice messages.
Some providers also offer the option to use a code-generating device or app to provide codes. Google’s Authenticator app is supported by both Gmail and Outlook.com – the app is available for most mobile platforms and also supports other services including Dropbox, Evernote, Facebook, Tumblr, WordPress and several password managers.
One main advantage of the authenticator app or a standalone code-generating dongle is that you can get codes even when you don’t have access to a phone network, or want to avoid phone charges. Google’s app has had some wobbles in the past, but is generally reliable and simple to operate.
To avoid the hassle of always needing a code, you can usually tell your webmail provider to trust a given computer once the initial code has been entered, so future logins on that machine will only require your usual password.
For devices and platforms that can’t handle a secondary code, like mail apps on mobile devices or mail client programs like Outlook or Thunderbird, one-off passcodes can be generated and used in place of your normal password. You should be able to generate a list of one-off codes which can be used if you lose your phone or get disconnected. Print them off and store in a safe place. Or, you can paste them into a file and encrypt it strongly.
3. Secure the devices you use to access webmail
You need to make sure your “trusted” devices are worth that trust. Keep your computers and mobiles well protected against malware intrusion, with quality security software that is properly configured and kept up to date.
Keep your operating system and all other software fully patched and up to date too, as you never know what routes may become available for bad guys to penetrate your defences.
Also make sure you have a screenlock and that it’s active whenever you leave your computer for more than a few moments or whenever your phone goes to sleep. Use the strongest passwords you can handle for both your computer login and your mobile screen lock, and keep those codes safe too.
Avoid using public machines to access your mail wherever possible. If you have to log in from a cybercafe or hotel, be very cautious, ensure 2FA is enabled first, and consider a password change once you’re back on safe ground.
If you’re using a trusted machine but an unknown connection, such as public wifi in an airport or coffee shop, consider using a VPN system to connect to the net through a secure tunnel – a range of online services are available, or you can even run your own VPN and connect safely via your own home from wherever you find yourself.
4. Check your settings and alerts
Check through all the settings every few months, and have a good look at the security and privacy sections. Look out for any changes that might have been made by malicious intruders or by the service provider in the course of an update or policy tweak.
It’s worth noting that for some services like Google or Outlook settings may be split between the email-centered options and wider account options, so you may need to look in both places.
If you’re worried someone may have intruded into your account, a good place to start is recent sign-on activity. Keep an eye on the details of recent logins, and make sure there are none from unexpected places.
Also check the auto-forwarding of emails to another account. If someone’s accessed your settings they may well have set this up, so check it for addresses you don’t know.
In some services such as Gmail, you can also grant full access to your account, including contacts as well as mails, to “delegate” accounts, websites or apps. This can be even more powerful than forwarding, and shouldn’t contain anything you don’t both want and need in there.
Get to know the full range of options offered by your provider, and consider how they could be abused. Watch for any unexpected changes.
5. Secure your content
One last thing to consider, especially relevant in the wake of the recent spate of celebrity photo thefts: Email accounts hang on to all sorts of information, buried in countless streams of conversation.
With large amounts of free storage, they also make a handy repository for things we don’t want to lose or forget.
Think about what goes into your emails. If you have anything especially sensitive that you wouldn’t want leaking to the world at large, maybe sending it via email (even just to yourself) is not the safest thing to do.
If you really have to send or store highly sensitive stuff, encrypt it well.