Shared email addresses are riskier than you think

March 7, 2023
When you share your email, you’re opening up the attack surface to more cybersecurity risks, including ID theft and financial losses

If you’ve ever searched for something online, garden tools for example, and then noticed ads for garden tools hounding you all over social media, website banners, and more, you’re aware that advertisers and the companies that sell data to them already compile information about you. They use everything they can gather to create a profile of you and attach it to your identity. Advertisers argue that this makes their messages more relevant to you and, hopefully, more useful. Anyone who keeps seeing ads for garden tools months after they bought the one thing they needed may disagree.

When Sharing Isn’t Caring

This practice may be annoying but it’s not usually dangerous. More recently, however, bad actors have begun using a person’s email address to string together personal details like ethnicity, school affiliation, political leanings, and more to craft increasingly targeted phishing campaigns. (Phishing that uses personal details is called spear-phishing.) Since many different kinds of sites, platforms, and even offline entities (your doctor’s office, kid’s school, gym) require or request your email address, that one piece of data could be connected to so many other bits. For example, LinkedIn has details about your school, job, and ethnicity. If you use your name on your social media accounts, those may have your hobbies, employer, family member’s names, pets’ names, etc. It doesn’t take any hacking or special skills to uncover quite a bit of personal details. All these things can be connected together to form a profile of you, which can then be part of a social engineering attack. In this type of attack, a criminal uses social skills combined with their knowledge of you to trick you into divulging even more information such as account numbers, passwords, and other security details. The more criminals know about you, the easier it is for them to craft a spear-phishing appeal that might fool you.

Spotting Phishing

Phishing is the number one way that hackers gain entry into corporate and personal systems so it pays to know what to look for. These are common indicators of phishing attempts, according to the US Cybersecurity and Infrastructure Security Agency (CISA).

●    Address is just a little off. The sender’s address may look legit at first glance since they often closely mimic a real company’s email address. But examine it carefully for a misplaced letter or two.

●     Impersonal greetings and signatures. Greetings such as “Dear Customer” or “Sir/Madame” are red flags for phishing. Similarly vague signatures without contact information should also be treated with suspicion. On the other hand, cyber scammers also sometimes try the opposite approach by being overly friendly or solicitous, using terms like “Dear One” or “Special Friend.”

●     Spoofed links. You can hover your cursor over links in the body of an email to see if the link matches what the text says it should be. If not, it’s spoofed. Another variation is similar to the email address being a little off but it’s the URL or web address that’s a little off. It could contain a variation in spelling, use .net instead of .com, or something similar. Also beware of addresses that have been shortened using services like TinyURL, Bitly, and Rebrandly. These are easily used to mask malicious URLs.

●     Unexpected attachments. Cybercriminals frequently include attachments in an attempt to dupe the recipient into downloading or opening it. The more urgent the request or the harder the sender tries to convey the importance of the information in the attachment, the more suspicious it is. Even if the email seems to be from someone you know, it’s always safest to contact them separately to confirm.

●     Sloppy work. Spelling, grammar, sentence structure, formatting, and layout mistakes or oddities could indicate phishing attempts. Legitimate organizations produce correspondence that’s usually error-free and sounds professional.

Employ a healthy dose of skepticism when confronted with unsolicited emails as well as phone calls and text messages. Unless you are certain of the other person’s identity, do not share personal or work-related information.     

Doing It Differently

Because an email address seems like a requirement to access so many places online, it may feel like this is an unavoidable risk. But that’s not always the case. There are some steps you can take.

  1. Be aware. Read the fine print and ask questions to understand how your email address will be used. It’s especially important to know if your address will be sold and if there’s a way to opt-out. Once it’s sold to advertising or marketing groups, it becomes part of your online profile so use any tools available to opt-out.
  2. Dig deeper. If you can’t avoid sharing your email, be conscious of how they will use your info, make yourself knowledgeable, and limit their use as much as possible. This often requires clicking through, reading the terms and conditions, and checking boxes. It may seem pointless but these are important steps to help protect yourself.
  3. Use multiple addresses. If you have to give an email address to access a site you only plan to use sparingly or that you know is going to generate spam, you can always use an alternate email address. If it doesn’t include your name or any identifying details, it can’t be part of a hacker’s profile on you. This is your chance to embrace a pseudonym for a helpful purpose.
  4. Give a protected address. Work or professional email addresses usually include an additional level of institutional security. Most IT departments employ safeguards to protect against spam, viruses, phishing, and other threats. Take advantage of this extra layer of protection, especially when you’ll be exchanging financial and other sensitive information.
  5. Ask about alternatives. Take the extra step of asking if you really have to provide your email address. Sometimes you don’t. Maybe a phone number works just as well. (Incidentally, this also works for your Social Security number.) It never hurts to ask.
  6. Be smart. For those times when you do have to give your primary email address, be sure to use one that contains as little personal information as possible. Don’t include your birthday, ethnicity, or anything else that could be used to learn more about you. Your personal data is so powerful - that’s why marketers spend a lot of money on it. Protect it like the valuable asset it is.
  7. Change settings. Use the settings on your phone and computer for maximum security. YouTube has plenty of videos that explain how to change the privacy settings for different devices and social media platforms. Just type in ‘How do I change the privacy settings for’ whatever device or platform you use. Eliminate as many ads and things you’re associated with as possible.
  8. Use tools. Antivirus and antimalware programs are great first-line defenses against hackers. Some also include a private VPN, which can protect your devices on public Wi-Fi. If you need to share files with someone, instead of email consider private messaging apps that use encryption. Services that protect against identity theft can also be useful. If your information was exposed in a large data breach, you will probably be offered a free year or two of this kind of service. You can also purchase it yourself or take advantage of offerings that come with credit cards and other financial accounts. Antivirus software may also be able to search the dark web and alert you if your information has been stolen. The website HaveIBeenPwned.com can also tell you if your email address has been exposed in a breach. If it has, it’s best to change your address.  

Using Good Cyber Hygiene

Hopefully,  everyone is already using good cyber hygiene. If not, now is the time to start. Here are four simple ways to increase your online safety, according to CISA.

●     Turn on multi-factor authentication (MFA). This will send a unique one-time code to your phone. Entering the code allows you to sign in, helping to protect your account in case a malicious person obtains your password.

●     Turn on automatic updates so your software remains current. Running old, unsecure programs leaves the door open to hackers.

●     Avoid links. Nearly all successful cyberattacks begin with a phishing or spear-phishing email, so don’t click a link unless you’re absolutely positive it’s safe. Contact the sender or visit the company’s website to be sure.

●     Use strong, unique passwords. Always change the password if one is provided to you, never use the same password for multiple accounts, and make your passwords strong. The best practice is to use a password manager to generate and store strong, unique passwords for you.

Other common suggestions include limiting the personal information you share on social media, making sure you see the locked icon in website URLs before entering any information and avoiding social logins such as “sign in using Google” or “log in with Facebook.” While it seems convenient, this practice is the same as reusing passwords, which just makes a hacker’s job easier. 

Reporting the Crime

Sometimes the worst can happen despite precautions. If that happens, you can help others avoid a similar fate by reporting what happened. Sharing information might also lead to officials catching or shutting down the perpetrators.

Report email scams, phishing, ransomware, and other forms of online crime to the FBI’s Internet Crime Complaint Center (IC3). The form will ask for specifics, so just fill in everything you know.

Report phishing scams, along with spear-phishing, smishing (phishing via text), and vishing (phishing via voice line) to Homeland Security’s United States Computer Emergency Readiness Team (US-CERT). Call 888-282-0870 or visit US-CERT.gov. You can forward phishing emails there or through [email protected].

The Federal Trade Commission (FTC) has reporting and recovery resources for those affected by identity theft at IdentityTheft.gov. Fraud can be reported to ReportFraud.FTC.gov. If you suspect someone is using your Social Security number, use the FTC link above or call the Social Security Administration at 800-269-0271.

Staying Sane

It’s a simple fact of life that no one is 100% safe all the time. Daily living naturally involves risks, whether you’re sitting at home, driving down the street, or browsing online. Of course, you could eliminate the cyber risk by avoiding the internet altogether. But where’s the fun in that? The best anyone can do is to be aware, take precautions, and do their best. Using the tips, tools, and techniques discussed here should at least make you safer than before you read this. The more you know, the better you’ll be able to protect yourself from bad actors.

About the author: Dr. Brian Gant is an Assistant Professor of Cybersecurity at Maryville UniversityDr. Gant is a security executive professional with over 18 years of Corporate and Federal Government experience in analytics, threat intelligence, critical infrastructures and executive protection.
About the Author

Dr. Brian Gant | Assistant Professor of Cybersecurity at Maryville University

Dr. Brian Gant is an Assistant Professor of Cybersecurity at Maryville University, with Executive professional with over 18 years of Corporate and Federal Government experience in analytics, threat intelligence, critical infrastructures and executive protection.