Electronic mail (aka: e-mail or email) is a necessary evil for communications. It wasn’t always a seething pool of intermixed junk, marketing, phishing, and important communications. There is a way to control the madness.
There were independent systems using email starting in the 1960s. By the mid-1980s, LAN email systems emerged. I actually wrote an email application myself in the 80s that worked over the LAN for a Fortune 500 corporation. The message format, known as a protocol, that has stuck to this day is the Simple Mail Transfer Protocol (SMTP). It wasn’t until 1994 that webmail services were born. This opened the door for email communication between corporations, and with individuals. By the year 2000, email had gained ubiquitous status.
The problem with SMTP is that it is not encrypted. The contents can be read by passive monitoring. While it is possible to force encryption between the endpoints using TLS, it is typically not configured as forced TLS, because doing so would reject most incoming email. Even if forced TLS is used on both sides of the communication, most email providers do not encrypt the emails at rest (meaning while they sit on your email provider’s servers). Additionally, if the user erroneously sends the email to the wrong recipient, that recipient will see a message that was not meant for their eyes.
If you use a single email address for everything and a hacker either uses passive monitoring to view emails sent to you while in transit, or they’ve gained access to the email server having all the emails retained by you, then imagine what they now have at their fingertips. Your network of friends, address books, probably birthdays, medical information such as doctor appointment reminders and prescription refills, all the corporations that you do business with (bill reminders, marketing services), where you shop, your political affiliation, travel confirmations, and the list goes on. With this single email address, they are able to build a profile ABOUT YOU. And, with this profile, they are armed and ready to impersonate you. They call the financial institutions you do business with, and then redirect cards and funds to themselves. Or they open new credit in your name.
You can make their job nearly impossible by using multiple email accounts. These are just some of the advantages to using multiple email addresses, each for different purposes:
- Confounds a nefarious actor. The email address is a primary signature to link you to all your internet activities, finance, medical, and shopping.
- Decouples a link between you and all the businesses you interact with. If different email addresses are used for different businesses, it becomes much more challenging to phish you with realistic looking solicitations.
- Decouples the link to your network of friends and family.
- Compartmentalizing your digital life by email address provides you visibility into which companies leaked your email address and provides an easy way for YOU to kill the email address and reestablish a new one (effectively, ending the SPAM).
When you send snail mail (i.e., the old-fashioned method of using the postal system), the outside of the package or envelope carries critical data to help route the message. Emails have much the same thing in the way of metadata. Email metadata includes the sender’s email address, the recipient’s (or multiple recipients’) email addresses, the date sent, the email subject, and then data attached to the message that is (for the most part) hidden from you, such as the IP address you’re sending from and where it’s going, the email service provider you’re using, the email service provider your recipients are using, etc.
As most email is sent unencrypted, it’s like sending the message on a postcard, where anyone can read it along its journey (or even in storage depending on the email provider).
The metadata alone is valuable information to a nefarious actor. If all your internet activity uses the same email address, this tells a person who you’re doing business with, who you are communicating with, what the subjects are, and when you’re sending these messages.
The way to discombobulate the nefarious actor is to use multiple email accounts, separating personal and business, separating banking from shopping, separating shopping from shipping.
Like unique passwords for every website on which you have an account, this tip adds a little bit of pain on your part while creating significant barriers that make life miserable for the hackers. With a password manager, you’re already using the tool to get the password; thus, it’s merely one additional click to also fetch the user ID/email address for the account.
Think about this…
If you saw a billboard on the road that had a password on it such as [0_tbTS-{qB49, it would have no meaning to you. If you identified it as a password, it could belong to one of a billion-plus people, and even if you figured out which person, which website does it go to? It’s just useless by itself. But, if on the billboard you saw an email address, like john.doe@gmail.com, suddenly it’s a useful piece of information.
The most secure approach to email addresses is to use a unique email address for every business and contact. You can certainly do this, but you also may find it overwhelming.
Some of the options available to you are as follows:
AnonAddy:
The AnonAddy service forwards emails sent to your alias addresses to your real email addresses. This way, you only need to monitor your real email account(s). And, if you want to cut someone off, you use your AnonAddy service to inactivate or delete the email address.
A big advantage to this service is that you can use custom domains. This means if you buy a domain name, you can create any email address you want @ that domain name. For example, if you buy domain example.com and your name is Jane Doe, you could have the email address jane.doe@example.com. You can also use any other name @example.com such as Love.Shopping@example.com.
This service is boasted about on YouTube, but I do not recommend it for the reasons below…
Disadvantages to this service:
AnonAddy is a known anonymizer service. As a result, some websites will not accept it as a matter of policy. If you use a custom domain, you will not have this problem. Also, the “Hide my Email” below doesn’t have this issue because it uses @icloud.com which is a broadly accepted email domain.
AnonAddy’s biggest problem is that it was created and is run by one guy. If he dies, then you’ll only have so much time to change all your email addresses.
Hide my email:
Apple’s icloud.com email has a service called “Hide my Email”. If you subscribe to their iCloud+ plans starting at 99 cents per month (maybe for additional storage), then the “Hide my Email” service is available. If using iPhone, this is found in Settings upon opening iCloud.
The Apple “Hide my Email”, like AnonAddy, is known as an email anonymizer service. The email address might look like 7dff_dkfj_3454_t137@abc.com for one store, and t377_hyid_3rj9_nbet@abc.com for another.
Disadvantages:
- If faced with needing to give your email address without easy access to your phone or computer, you don’t have something to give them.
- You are forced to use the email addresses randomly selected for you by the App. As a result, they are not easy to remember.
Using +Alias:
Some email providers allow you to create an alias address via a plus sign. For example, your email address might be SomeOne@protonmail.com. To use an alias, just add a + sign and the alias name you want. So I could give Walmart an email address of SomeOne+Walmart@protonmail.com and CVS an email address of SomeOne+CVS@protonmail.com. The advantage of an alias is you DO NOT need to create an email address for the alias. Anything after the plus sign is considered the alias name. If that alias gets out of control (SPAM), then you can add a filter to purge emails addressed to that alias.
Disadvantage:
- Some websites do not allow you to use a plus sign in the email address (making this option only a partial solution).
- You’re not fooling anyone! Bad actors already know that they merely need to modify the email address to delete the plus sign and other characters preceding the @ sign. However, it does create an extra barrier the conniving thief has to hurdle.
SimpleLogin:
Acquired by Proton, this service is similar to AnonAddy except without the one guy disadvantage. If using a custom domain, then there are no disadvantages to this service.
Some of the advantages:
- You can create an unlimited number of email addresses with the domain side of the email being one of nine of the SimpleLogin domains OR you can use a domain you own.
- If using one of their domains, they allow you to customize most of the email address except for the last 5 characters. For example, you might end up with .fam22@aleeas.com, so you can then prepend Jane.Doe so it reads Jane.Doe.fam22@aleeas.com.
- For each alias (anonymized) email address you create, you can forward to any email address you own. For example, if you have 10 master email addresses set up for category compartmentalization, you can have a unique email address for every friend or business and it will auto-forward to the individual email address you establish.
- You can have your alias email address forwarded to multiple email addresses. For example, if you want your utility notices to go to both you and your spouse, you can have SimpleLogin forward to both email addresses.
- It allows you to send email using the Alias from your regular email service provider! Yes, you can reply to an email and SimpleLogin will convert the email sender to the alias name. And, remarkably, you can also originate the email from the alias if, within their app, you “Create reverse-alias”.
- If your email service provider allows for PGP encryption, you can add the PGP public key to SimpleLogin and ALL the email forwarded to your real email system will be encrypted. While it’s not encrypted in transit from the sender to SimpleLogin, the remainder of the trip to get it into YOUR email is encrypted and it will stay encrypted while it sits on the server. This removes most of the email risks.
The Balanced Approach
For this tip to work in real life, you need to balance practicality with real-life situations. The most important thing to keep in mind is that you must not cross-use email addresses. If an email address is used for shipping, don’t also use it for online shopping. Otherwise, you undermine the entire purpose of using separate email accounts.
Having separate email addresses for everything may prove too impractical. So, I recommend a more balanced approach. The following is a comprehensive enough method:
- Most importantly, use a separate email address for shipping notifications (i.e., USPS, UPS, FedEx services). If the stores, financial institutions, and others are unaware of this address, then it’s not possible for nefarious actors to send emails to this address notifying you about changes to your shipping status which they sniffed off some recent activity. So, no magical links to open nefarious websites designed to steal your information. If shipping notices are received by any email address other than the shipping one, you know they’re fake.
- An email address restricted to Family & Friends. Ironically, these trusted people are a big risk because if any one of them has their email breached, their address book has some PII about you including your email address. Or, even if not breached, sometimes these trusted people thinking they are being nice decide to sign you up on a website they think you’ll be interested in. This triggers spam in the form of newsletters and marketing you never signed up for. Often sites resell the information as a source of revenue, giving you even more spam. Therefore, the use of aliases for friends, or categories of friends, is extremely useful to maintaining control of your electronic mail.
- One or more email addresses for Stores
- One or more email addresses for Social Media (Facebook, Linked-In, Twitter, etc)
- One or more email addresses for Services such as Utilities
- One or more email addresses for Financial Institutions (i.e. Credit Cards, Investment Firms, Banking)
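As an added example (not code from the post), the following Python script turns the two rules above into a mailbox check: it strips +alias tags the way the +Alias section describes, maps each recipient address to the compartment it was created for, flags any shipping-status subject that lands outside the shipping compartment as phishing, and flags bulk mail at the family alias as a leaked address. The addresses, compartments, header name and sample messages are all constructed for the example.

```python
import re
from typing import NamedTuple, Optional

# Constructed mapping from each recipient address to the compartment it was
# created for.  The protonmail mailbox is shared by all of its +tags, so
# SomeOne+Walmart@... and SomeOne+CVS@... resolve to the same entry.
COMPARTMENTS = {
    "ship.fam22@aleeas.com": "shipping",
    "friends.fam22@aleeas.com": "family",
    "someone@protonmail.com": "shopping",
}
SHIPPING_WORDS = re.compile(r"\b(shipment|delivery|package|tracking)\b", re.I)
BULK_HEADER = "list-unsubscribe"  # newsletters and marketing mail carry this

class Message(NamedTuple):
    to: str
    sender: str
    subject: str
    headers: dict

def canonical(addr: str) -> str:
    """Lower-case the address and drop any +tag from the local part."""
    local, _, domain = addr.strip().lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"

def plus_tag(addr: str) -> Optional[str]:
    """Return the +tag of a plus-aliased address, or None if it has none."""
    local = addr.split("@", 1)[0]
    return local.split("+", 1)[1] if "+" in local else None

def classify(msg: Message) -> str:
    """Judge a message by the compartment of the address it arrived at."""
    bucket = COMPARTMENTS.get(canonical(msg.to), "unknown")
    # Shipping-status mail is only ever expected at the shipping address.
    if SHIPPING_WORDS.search(msg.subject) and bucket != "shipping":
        return "phishing: shipping notice outside the shipping compartment"
    # Bulk mail at the family alias means someone shared or leaked it.
    if bucket == "family" and BULK_HEADER in {h.lower() for h in msg.headers}:
        return "leak: bulk mail arrived at the family alias"
    tag = plus_tag(msg.to)
    return f"ok: {bucket}" + (f" (+{tag})" if tag else "")

if __name__ == "__main__":  # constructed inbound messages
    for m in (
        Message("ship.fam22@aleeas.com", "noreply@ups.example", "Your package is on the way", {}),
        Message("SomeOne+CVS@protonmail.com", "alerts@ups-update.example", "Delivery failed, update your address", {}),
        Message("friends.fam22@aleeas.com", "news@charity.example", "Monthly newsletter", {"List-Unsubscribe": "<mailto:off@charity.example>"}),
    ):
        print(m.to, "->", classify(m))
```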
Many email providers allow you to create multiple email addresses which can all be seen from the primary email account. Assuming your email provider allows for the creation of 10 email addresses, you could set up separate email addresses for:
- Shipping Services (UPS, FedEx, USPS, DHL) – assumes you’ve signed up for notifications on their websites.
- Professional Services (e.g., Plumber, Doctors, Dentists, Handyman)
- Financial Services (e.g., Banking, Investments, Insurance)
- Online Shopping Stores (e.g., Amazon, eBay, Best Buy, Lowes, Walmart)
- Social Media Accounts (e.g., Facebook, Twitter, Instagram)
- Friends and Family
- Professional Network (e.g., Employer, Clients, Vendors, former colleagues)
- Charities (some of these charities are not good at privacy, don’t have the funds to properly secure data, and often share with likeminded charities).
- Politics (sites are notorious for sending bulk emails at high frequency and sharing your email address with likeminded sites – so if you subscribe or donate to anything political, make sure you use a separate email address for this purpose).
Within each of these email addresses, you can use one of the four options I outlined above or maybe one you’ve found on your own.
Use a Password Manager
Store the full email address you used in your password manager so you remember which site uses which email address. This is especially important if the email address is the username for the website.
I am not advocating for AnonAddy as presented in the video. Even the creator doesn’t use it for every site, rather just the majority of sites he uses. I found SimpleLogin to be the best option. If you want me to make the choice for you, then it’s SimpleLogin. You will not be disappointed.
The bottom line
Don’t marry yourself to a single email address. Try and compartmentalize your digital life, segregating emails to those buckets. A hybrid approach using the methods discussed here is the most likely approach to work best for practical use. The diversification helps to confuse hackers. If they have your social media accounts email, they’ll wonder why they don’t see any banking traffic on that email. Let them wonder. It’s none of their business!
