
Email is Insecure – Here’s How to Improve Email Security

Intro

Email was never designed to be private or secure, so, not surprisingly, it is neither private nor secure. In the previous episode, we explained the reasons why, as well as the risks inherent to email. However, email is so prevalent that it is unfortunately a necessary evil.

In this episode, we provide seven recommendations for how to use email somewhat securely. Of course, due to email’s inherent design limitations, you can only use it securely to a limited extent, but some security is better than no security. These recommendations are:

  1. Reducing your reliance on email (Signal, Session, Syncthing, OnionShare, etc.)
  2. Using encrypted email providers like Proton Mail or Tutanota
  3. Enabling more secure multi-factor authentication (MFA/2FA) options
  4. Using your email provider’s native app on mobile
  5. Controlling your email address, emails, and other data like contacts
  6. Dealing with potentially-malicious attachments
  7. Being vigilant with email links
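Recommendations 6 and 7 come down to a few checks you can run on a message before you touch it: does an attachment carry a double or executable extension, do its bytes match the type it claims to be, do the links point at the sender's domain, and do replies get routed somewhere else. The script below is an added example (not code from the episode or from Bigger Insights) that runs those checks on a constructed `.eml`. Everything in it is assumed for illustration: the `parcel.example` / `parcel-update.example` domains are placeholders, the magic-byte table covers only a handful of types, and `registrable()` takes the last two labels of a hostname instead of consulting the Public Suffix List, so it misclassifies `co.uk`-style domains.

```python
"""Added example: triage one e-mail message for risky attachments and links.
The message in sample_eml() is constructed; its domains are placeholders."""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Extensions that execute code when double-clicked on a typical desktop.
EXECUTABLE_EXTS = {"exe", "scr", "bat", "cmd", "com", "js", "jse", "vbs",
                   "ps1", "hta", "msi", "lnk", "jar"}

# Declared MIME type -> bytes a genuine file of that type starts with.
MAGIC = {
    "application/pdf": b"%PDF-",
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "application/zip": b"PK\x03\x04",
}


def address_domain(header_value):
    """Domain of the first address in a header, lower-cased ('' if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value or "")
    return m.group(1).lower() if m else ""


def registrable(host):
    """Last two labels of a hostname. Assumption for the demo: a real tool
    would consult the Public Suffix List so that 'example.co.uk' works."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_attachments(msg):
    """Flag double extensions, executable extensions, and declared types
    whose leading bytes do not match (e.g. an 'application/pdf' that is
    really a Windows executable)."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        exts = name.lower().split(".")[1:]
        if len(exts) >= 2:
            findings.append((name, "double extension"))
        if exts and exts[-1] in EXECUTABLE_EXTS:
            findings.append((name, "executable extension"))
        expected = MAGIC.get(part.get_content_type())
        if expected is not None and not data.startswith(expected):
            findings.append((name, "content does not match declared type"))
    return findings


def check_links(msg):
    """Return href targets whose registrable domain differs from the From domain."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    sender = registrable(address_domain(msg.get("From")))
    urls = re.findall(r'href=["\']?(https?://[^"\'\s>]+)', text, flags=re.I)
    return [u for u in urls if registrable(urlparse(u).hostname or "") != sender]


def triage(raw_eml):
    """Parse raw RFC 5322 bytes (what an .eml export contains) and run all checks."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    from_dom = registrable(address_domain(msg.get("From")))
    reply_dom = registrable(address_domain(msg.get("Reply-To")))
    return {
        "attachments": check_attachments(msg),
        "off_domain_links": check_links(msg),
        # Replies silently routed to another domain are a classic phishing tell.
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,
    }


def sample_eml():
    """Constructed 'failed delivery' lure, assembled with the stdlib so the
    example runs offline; nothing here is a real sender or a real link."""
    msg = EmailMessage()
    msg["From"] = "Parcel Service <noreply@parcel.example>"
    msg["Reply-To"] = "claims@parcel-update.example"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Your package failed to deliver"
    msg.set_content("Your package could not be delivered. See the attachment.")
    msg.add_alternative(
        '<p>Open <a href="https://parcel-update.example/claim">this form</a> '
        'or <a href="https://www.parcel.example/track">track it</a>.</p>',
        subtype="html")
    # Declared and named as a PDF, but the bytes start with 'MZ' (a Windows
    # executable header) and the final extension is .exe.
    msg.add_attachment(b"MZ\x90\x00\x03\x00\x00\x00fake-executable",
                       maintype="application", subtype="pdf",
                       filename="delivery-notice.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for key, value in triage(sample_eml()).items():
        print(key, value)
```

On a real message, pass the bytes of a saved `.eml` file to `triage()`. A hit on any of the checks is a reason to stop and verify the sender out of band, not a verdict; a clean result is not proof the message is safe, since the magic-byte table is short and the link check only compares domains.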

Podcast

1
00:00:00,000 –> 00:00:14,000
Hey everybody, welcome back to the Bigger Insights Privacy & Security podcast, where

2
00:00:14,000 –> 00:00:16,840
we’ll help you live a more private and secure life.

3
00:00:16,840 –> 00:00:22,600
In the previous episode, we explained why email is insecure by detailing just some of

4
00:00:22,600 –> 00:00:27,000
the many privacy and security issues inherent to email.

5
00:00:27,000 –> 00:00:31,280
So if you haven’t listened to that episode, make sure you check it out because we’ve learned

6
00:00:31,280 –> 00:00:36,560
over the years that people don’t really care about privacy or security unless you can first

7
00:00:36,560 –> 00:00:41,800
make it clear what the issues are and how that can create a problem for you.

8
00:00:41,800 –> 00:00:46,420
In this episode, we’re going to focus on how to improve email security.

9
00:00:46,420 –> 00:00:51,800
Of course, if we had it our way, email would either be redesigned with privacy and security

10
00:00:51,800 –> 00:00:56,960
in mind, or we would just stop using it, but that’s obviously not realistic.

11
00:00:56,960 –> 00:01:01,840
Because so many people and organizations rely on email, it’s worthwhile to learn how to

12
00:01:01,840 –> 00:01:03,760
use it more securely.

13
00:01:03,760 –> 00:01:06,760
It’s a necessary evil is what I’m trying to say.

14
00:01:06,760 –> 00:01:11,080
Also just imagine how much damage someone could do to you if they got ahold of your

15
00:01:11,080 –> 00:01:14,480
emails or even took over your email account.

16
00:01:14,480 –> 00:01:19,200
If someone is able to get into your email account, they can pretty much assume your identity

17
00:01:19,200 –> 00:01:24,280
online, which would allow them to scam your friends and family, take over your other accounts

18
00:01:24,280 –> 00:01:27,560
like your bank and mobile phone accounts, and so on.

19
00:01:27,560 –> 00:01:32,160
If there’s one account that you definitely want to maximize security on, it’s the email

20
00:01:32,160 –> 00:01:36,880
account that you use for your bank, social media, and other accounts that are important

21
00:01:36,880 –> 00:01:37,880
to you.

22
00:01:37,880 –> 00:01:42,800
And by the way, for those privacy enthusiasts among us, the next episode is going to focus

23
00:01:42,800 –> 00:01:46,240
on email privacy, so stay tuned for that.

24
00:01:46,240 –> 00:01:50,520
If you’re not familiar with our work, one of the things we do is one-on-one privacy

25
00:01:50,520 –> 00:01:52,840
and security consulting.

26
00:01:52,840 –> 00:01:58,000
Literally as I was planning this episode, a client sent me a copy of an email waiver

27
00:01:58,000 –> 00:02:00,800
that he received from a healthcare provider.

28
00:02:00,800 –> 00:02:06,200
I’m going to read a few passages from this to help make this more concrete, because sometimes

29
00:02:06,200 –> 00:02:11,320
when I talk to people about these issues, they seem to not take it very seriously until

30
00:02:11,320 –> 00:02:16,680
they see them in black and white from someone like their doctor, lawyer, or whomever.

31
00:02:16,680 –> 00:02:22,640
All right, the waiver says, quote, “To comply with HIPAA regulations,

32
00:02:22,640 –> 00:02:28,520
email correspondence that contains protected health information (PHI) must be sent encrypted.

33
00:02:28,520 –> 00:02:34,000
If you wish to have unencrypted emails sent to you for the sake of convenience, you must

34
00:02:34,000 –> 00:02:36,160
sign the following waiver.

35
00:02:36,160 –> 00:02:43,960
I, PATIENT, request for my convenience, PROVIDER, correspond with me by unencrypted email to

36
00:02:43,960 –> 00:02:47,280
relay information concerning [REDACTED].

37
00:02:47,280 –> 00:02:51,880
I understand that emails sent to me contain protected health information.

38
00:02:51,880 –> 00:02:57,840
I further understand that unencrypted email and email attachments are not secure and may

39
00:02:57,840 –> 00:02:59,960
be viewed by others.

40
00:02:59,960 –> 00:03:08,000
I agree to hold harmless PROVIDER, its officers, agents, employees, and contract health providers

41
00:03:08,000 –> 00:03:15,760
from any and all liability, loss, damages, costs, or expenses which are sustained, incurred,

42
00:03:15,760 –> 00:03:22,920
or required arising from the transmission of unencrypted email correspondence and attachments.”

43
00:03:22,920 –> 00:03:23,920
end quote.

44
00:03:23,920 –> 00:03:27,800
So when you see something like that, you should reflect on it a little.

45
00:03:27,800 –> 00:03:32,440
Why is this provider telling me that my emails may be viewed by others?

46
00:03:32,440 –> 00:03:38,120
Why the legalese requiring that I hold them harmless just to receive some emails?

47
00:03:38,120 –> 00:03:42,760
It’s because despite the fact that we all want to believe that our emails are private

48
00:03:42,760 –> 00:03:46,040
and secure, they’re not. They’re just not.

49
00:03:46,040 –> 00:03:50,520
All right, so what exactly should you do about this?

50
00:03:50,520 –> 00:03:56,360
First of all, understand that there’s really only so much you can do to use email securely.

51
00:03:56,360 –> 00:04:00,600
Don’t take that to mean that there’s nothing you can or should do, just that there will

52
00:04:00,600 –> 00:04:04,320
always be risks associated with using email.

53
00:04:04,320 –> 00:04:09,920
After all, no matter what you do, you can’t stop your accountant, for example, from emailing

54
00:04:09,920 –> 00:04:15,480
you your tax returns, or even the wrong person, from their Yahoo account.

55
00:04:15,480 –> 00:04:20,600
So the first thing we recommend is that you reduce your dependence on email.

56
00:04:20,600 –> 00:04:25,880
Every email you send presents some level of risk, perhaps not to your security, but at

57
00:04:25,880 –> 00:04:27,720
least to your privacy.

58
00:04:27,720 –> 00:04:33,040
We generally try to communicate with our clients, friends, and family through instant

59
00:04:33,040 –> 00:04:35,320
messengers Signal and Session.

60
00:04:35,320 –> 00:04:41,440
But if we need to send large files, we can use Proton Drive, Syncthing, OnionShare,

61
00:04:41,440 –> 00:04:43,480
or something along those lines.

62
00:04:43,480 –> 00:04:47,640
For file attachments, we sometimes also use Proton Mail.

63
00:04:47,640 –> 00:04:52,820
But the nuance there is that we would make sure that that email is end-to-end encrypted (E2EE).

64
00:04:52,820 –> 00:04:57,920
If the recipient is not using Proton Mail, we can send them a password-protected email

65
00:04:57,920 –> 00:05:03,360
portal that self-destructs, which basically allows them to access the email from within

66
00:05:03,360 –> 00:05:10,040
Proton, which bypasses the security risks posed by their sketchy email provider.

67
00:05:10,040 –> 00:05:14,560
And if you become a client, which you should if you know what’s good for you, we can sit

68
00:05:14,560 –> 00:05:18,240
down with you and show you how to use these tools as well.

69
00:05:18,240 –> 00:05:24,040
The second thing we recommend is using a respected, encrypted email provider, like Proton Mail

70
00:05:24,040 –> 00:05:25,560
or Tutanota.

71
00:05:25,560 –> 00:05:30,840
There may be others out there, but we’re most familiar and comfortable with these services.

72
00:05:30,840 –> 00:05:36,040
And by the way, we have no sponsorships or affiliate agreements with either of these

73
00:05:36,040 –> 00:05:41,440
companies, nor have they asked us to promote them as of the time of this recording.

74
00:05:41,440 –> 00:05:45,960
We’re just mentioning them because we like their services and think that if you are concerned

75
00:05:45,960 –> 00:05:50,040
about the security of your emails, this is a great place to start.

76
00:05:50,040 –> 00:05:53,560
We’ll probably go into this in more detail in a future episode.

77
00:05:53,560 –> 00:05:58,260
But basically the way these email services work is as follows.

78
00:05:58,260 –> 00:06:04,240
When you send or receive an email from within their system, say from one Proton account

79
00:06:04,240 –> 00:06:08,160
to another, they’re end-to-end encrypted by default.

80
00:06:08,160 –> 00:06:13,600
When you send or receive an email from another provider, like Gmail, for example, those emails

81
00:06:13,600 –> 00:06:18,400
are encrypted at rest in your account using your keys.

82
00:06:18,400 –> 00:06:22,860
Now that’s important because what that does is prevent their employees from reading your

83
00:06:22,860 –> 00:06:28,640
emails, being forced to hand them over to the government or being leaked in a data breach.

84
00:06:28,640 –> 00:06:33,360
However, just bear in mind that that only applies to your account.

85
00:06:33,360 –> 00:06:39,640
If you’re emailing a Yahoo account, for example, Yahoo will have an unencrypted copy of that

86
00:06:39,640 –> 00:06:40,640
email.

87
00:06:40,640 –> 00:06:42,800
But this is still better than nothing.

88
00:06:42,800 –> 00:06:49,040
In this case, if you’re using Gmail instead, Yahoo and Google would both have an unencrypted

89
00:06:49,040 –> 00:06:55,400
copy of that email. And the more people that we can get to switch to more privacy-respecting

90
00:06:55,400 –> 00:06:58,720
email providers, the better off we’ll all be.

91
00:06:58,720 –> 00:07:03,920
Now we’re not going to go into detail on this, but if you insist on using an email provider

92
00:07:03,920 –> 00:07:09,400
that’s less secure, you can also use PGP to encrypt the body of your email, but that’s

93
00:07:09,400 –> 00:07:11,120
a separate discussion.

94
00:07:11,120 –> 00:07:15,840
The third recommendation is to make sure that you have good multi-factor authentication

95
00:07:15,840 –> 00:07:17,720
(MFA/2FA) options enabled.

96
00:07:17,720 –> 00:07:24,480
What I mean by “good” is using the more secure options like security keys and TOTP.

97
00:07:24,480 –> 00:07:31,400
We generally recommend against using SMS because SMS, and basically the entire phone system,

98
00:07:31,400 –> 00:07:34,500
is also incredibly insecure.

99
00:07:34,500 –> 00:07:39,960
So if someone SIM-swaps you, for example, and your email account can be recovered through

100
00:07:39,960 –> 00:07:44,840
SMS, now they can get into your email account and lock you out of it.

101
00:07:44,840 –> 00:07:51,560
If an email provider either doesn’t offer security key or TOTP multi-factor authentication,

102
00:07:51,560 –> 00:07:58,160
or if they require something lame like SMS, we would recommend finding another provider.

103
00:07:58,160 –> 00:08:03,480
The fourth recommendation is that, if you’re going to use email on your mobile phone, you

104
00:08:03,480 –> 00:08:09,320
should use your email provider’s native application, not the mail application that comes with your

105
00:08:09,320 –> 00:08:10,800
operating system.

106
00:08:10,800 –> 00:08:11,800
Why?

107
00:08:11,800 –> 00:08:13,860
Well, just think about what you’re doing.

108
00:08:13,860 –> 00:08:18,240
When you use a third-party application for your email, you’re increasing your attack surface

109
00:08:18,240 –> 00:08:22,400
by introducing another party into your communications.

110
00:08:22,400 –> 00:08:27,480
If you are going to use a third-party application, you should read through the privacy policy

111
00:08:27,480 –> 00:08:31,040
and do your best to understand what exactly it’s doing.

112
00:08:31,040 –> 00:08:34,800
For example, is it storing your emails on their servers?

113
00:08:34,800 –> 00:08:36,760
Perhaps. Perhaps not.

114
00:08:36,760 –> 00:08:40,920
But we say just skip that risk and go straight to your provider.

115
00:08:40,920 –> 00:08:45,800
Even if you use something more invasive like Gmail, it might still make sense to use the

116
00:08:45,800 –> 00:08:50,440
official Gmail app over the iOS Mail app, for example.

117
00:08:50,440 –> 00:08:56,480
With regard to iOS Mail specifically, it has had multiple vulnerabilities in the past where

118
00:08:56,480 –> 00:09:03,440
an attacker could remotely compromise an iPhone or an iPad with zero-click exploits,

119
00:09:03,440 –> 00:09:06,760
which means that no user interaction was required.

120
00:09:06,760 –> 00:09:12,160
I mean, just imagine for a moment someone taking control over your iPhone while you’re

121
00:09:12,160 –> 00:09:15,120
sleeping and not even noticing.

122
00:09:15,120 –> 00:09:18,520
That’s pretty terrifying, but that’s the risk you take.

123
00:09:18,520 –> 00:09:23,600
For me personally, I used to use an iPhone before I knew what was good for me. But once

124
00:09:23,600 –> 00:09:27,480
I started wising up, I actually uninstalled the Mail app.

125
00:09:27,480 –> 00:09:32,960
Now, in fairness, the Proton or Tutanota apps could also have a vulnerability, but

126
00:09:32,960 –> 00:09:38,680
high-profile attackers tend to focus on larger targets like Apple and Google because the

127
00:09:38,680 –> 00:09:40,840
payoffs are generally higher.

128
00:09:40,840 –> 00:09:45,960
I mean, compare the number of people with the iOS Mail app on their phone versus Proton

129
00:09:45,960 –> 00:09:47,880
Mail or Tutanota.

130
00:09:47,880 –> 00:09:52,840
Also keep in mind that Proton and Tutanota’s apps are open-source, so they may be less

131
00:09:52,840 –> 00:09:59,080
likely to have serious vulnerabilities than proprietary alternatives like iOS Mail.

132
00:09:59,080 –> 00:10:04,620
The fifth recommendation is about controlling your email address, emails, and other data

133
00:10:04,620 –> 00:10:06,120
like contacts.

134
00:10:06,120 –> 00:10:09,000
First, consider using your own domain name.

135
00:10:09,000 –> 00:10:13,160
I’m not talking about hosting your own email – just the domain.

136
00:10:13,160 –> 00:10:18,360
So you can go to a registrar and register your own domain name and then go to Proton,

137
00:10:18,360 –> 00:10:23,560
Tutanota, Gmail, or whomever and use that for your email addresses.

138
00:10:23,560 –> 00:10:28,440
You’ll obviously have to pay to register your domain, which Porkbun will let you do for

139
00:10:28,440 –> 00:10:35,400
as low as $9.73 per year, I believe, and you’ll probably have to have a paid plan with your

140
00:10:35,400 –> 00:10:36,960
email provider.

141
00:10:36,960 –> 00:10:43,800
For Bigger Insights, we have the domain biggerinsights.com, which we set up in Proton Mail. And you

142
00:10:43,800 –> 00:10:46,200
don’t have to be a business to do that.

143
00:10:46,200 –> 00:10:47,400
Anyone can do this.

144
00:10:47,400 –> 00:10:52,160
The advantage of doing this is that you control the email address itself.

145
00:10:52,160 –> 00:10:58,600
So if, for whatever reason, your email provider shuts down your account or they shut down,

146
00:10:58,600 –> 00:11:00,480
what happens to your email address?

147
00:11:00,480 –> 00:11:06,120
Well, if your email address is using their domain, like gmail.com, for example, it’s

148
00:11:06,120 –> 00:11:07,120
gone.

149
00:11:07,120 –> 00:11:08,880
You ain’t getting that back.

150
00:11:08,880 –> 00:11:13,720
That can be a huge issue because you might try to log into something like your bank account

151
00:11:13,720 –> 00:11:18,400
and they might say, “Okay, great. Click on this verification link that we just sent to your

152
00:11:18,400 –> 00:11:20,200
email address to continue.”

153
00:11:20,200 –> 00:11:24,800
You see what I mean? How are you going to do that if you lost access to your email account?

154
00:11:24,800 –> 00:11:28,000
This doesn’t happen very often, but it is a risk.

155
00:11:28,000 –> 00:11:32,800
I think we mentioned this in an earlier episode, but there was a guy in California that emailed

156
00:11:32,800 –> 00:11:37,920
some medical images of his son’s groin to his doctor for a diagnosis.

157
00:11:37,920 –> 00:11:43,640
Google’s systems detected the groin-ness of these images and they permanently shut down

158
00:11:43,640 –> 00:11:45,400
this guy’s account.

159
00:11:45,400 –> 00:11:46,400
Ouch.

160
00:11:46,400 –> 00:11:51,240
Now, if he was using his own domain, he would still lose access to whatever data was in

161
00:11:51,240 –> 00:11:56,680
Google’s servers, but he would at least be able to recreate that email address with another

162
00:11:56,680 –> 00:11:57,880
provider.

163
00:11:57,880 –> 00:12:03,440
So if we have a falling out with Proton, for example, we could just move our Bigger Insights

164
00:12:03,440 –> 00:12:07,600
email addresses over to another provider at any time.

165
00:12:07,600 –> 00:12:12,120
If you are going to use your own domain, make sure you use WHOIS privacy protection so

166
00:12:12,120 –> 00:12:15,280
that your information isn’t publicly visible.

167
00:12:15,280 –> 00:12:21,600
So when you register a domain, someone’s information has to be on the account and all this information

168
00:12:21,600 –> 00:12:23,040
is public.

169
00:12:23,040 –> 00:12:29,440
Most reputable domain registrars offer a WHOIS privacy service that replaces your information

170
00:12:29,440 –> 00:12:34,040
with proxy information, and you should take advantage of that unless you have some really

171
00:12:34,040 –> 00:12:36,840
specific reason for not using it.

172
00:12:36,840 –> 00:12:43,800
We might do a separate episode on this, but you should also set SPF, DKIM, and DMARC policies

173
00:12:43,800 –> 00:12:48,680
to cut down on spoofing and improve the chance that other email providers will trust your

174
00:12:48,680 –> 00:12:49,680
emails.

175
00:12:49,680 –> 00:12:53,760
And there are other details that are beyond the scope of this episode, but one should

176
00:12:53,760 –> 00:12:59,400
also consider setting the DMARC policy to reject emails that fail the other checks so

177
00:12:59,400 –> 00:13:04,520
that when someone does spoof your email, it gets rejected so the recipient never sees

178
00:13:04,520 –> 00:13:05,520
it.

179
00:13:05,520 –> 00:13:10,000
There’s also DNSSEC to consider, but there are some nuances there as well.

180
00:13:10,000 –> 00:13:15,400
Now, regarding the data, which is the second part of this recommendation, we suggest doing

181
00:13:15,400 –> 00:13:20,000
two things, regardless of whether you’re going to use your own domain name.

182
00:13:20,000 –> 00:13:24,880
1. Download and backup important emails as you receive them.

183
00:13:24,880 –> 00:13:29,600
You shouldn’t be using your email account to store the only copy of your important emails

184
00:13:29,600 –> 00:13:33,560
because again, you may lose access to your account.

185
00:13:33,560 –> 00:13:38,000
And if you’re good with managing and backing up your own data, you might also want to consider

186
00:13:38,000 –> 00:13:43,200
deleting those emails from your provider to reduce the risk of someone getting access

187
00:13:43,200 –> 00:13:44,920
to those in the future.

188
00:13:44,920 –> 00:13:50,360
2. Don’t store original contact information with your email provider, meaning that you

189
00:13:50,360 –> 00:13:55,640
should keep all of that data on your own systems in case you lose access to your account for

190
00:13:55,640 –> 00:13:57,200
whatever reason.

191
00:13:57,200 –> 00:14:02,640
So for me personally, I have my own local system for storing contact information and

192
00:14:02,640 –> 00:14:07,040
then I’ll put whatever subset of that I want in Proton.

193
00:14:07,040 –> 00:14:12,000
And finally, we obviously can’t finish an episode about email security without talking

194
00:14:12,000 –> 00:14:13,520
about attachments.

195
00:14:13,520 –> 00:14:19,520
Now, keeping your systems up-to-date and avoiding sketchy websites and applications is actually

196
00:14:19,520 –> 00:14:23,400
more effective from a security standpoint than you might think.

197
00:14:23,400 –> 00:14:28,960
The reason I say this is because if you follow the security news, a huge share of the security

198
00:14:28,960 –> 00:14:34,640
incidents, like ransomware and whatnot, originate from infected email attachments.

199
00:14:34,640 –> 00:14:38,840
So obviously, if you can avoid these, you’re going to improve your security dramatically.

200
00:14:38,840 –> 00:14:41,600
All right, so what should you do,

201
00:14:41,600 –> 00:14:47,600
you might be wondering? Well, for starters, like email in general, just rely less on email

202
00:14:47,600 –> 00:14:49,400
for sharing files.

203
00:14:49,400 –> 00:14:50,920
That won’t help you directly,

204
00:14:50,920 –> 00:14:55,320
but the more people that do this, the better off we’ll all be because this will make it

205
00:14:55,320 –> 00:14:58,960
easier to identify malicious emails.

206
00:14:58,960 –> 00:15:05,480
Along these lines, keep in mind that businesses, especially larger ones, rarely send out files

207
00:15:05,480 –> 00:15:06,480
as [email] attachments.

208
00:15:06,480 –> 00:15:11,280
I honestly can’t even think of the last time a business emailed me an attachment that

209
00:15:11,280 –> 00:15:14,920
I didn’t explicitly request or wasn’t expecting.

210
00:15:14,920 –> 00:15:17,280
It’s probably been years.

211
00:15:17,280 –> 00:15:22,400
Things like statements and other documents are usually stored in your account with them.

212
00:15:22,400 –> 00:15:28,200
So if you get one of those bogus UPS emails like, “Oh yeah, this is totally UPS and your

213
00:15:28,200 –> 00:15:36,120
package failed to deliver. Open the attached .pdf.exe file to see why.”, you should know that this

214
00:15:36,120 –> 00:15:40,800
is BS because companies like UPS don’t email things like that.

215
00:15:40,800 –> 00:15:46,080
But before you decide to download an attachment, ask yourself some questions to help assess

216
00:15:46,080 –> 00:15:47,760
the level of risk.

217
00:15:47,760 –> 00:15:49,600
Who is sending me this?

218
00:15:49,600 –> 00:15:51,480
Why are they sending me this?

219
00:15:51,480 –> 00:15:53,120
Was I expecting this?

220
00:15:53,120 –> 00:15:58,360
If this is what I think it is and I don’t open it, what are the consequences?

221
00:15:58,360 –> 00:15:59,560
Is the email spoofed?

222
00:15:59,560 –> 00:16:03,340
And we’ll talk about that in more detail in a future episode.

223
00:16:03,340 –> 00:16:07,360
But if you’re not sure, try to contact the sender through some other means, like on the

224
00:16:07,360 –> 00:16:10,840
phone for example, just to make sure it’s really them.

225
00:16:10,840 –> 00:16:15,760
And if you feel like you must download and open an attachment, first of all, we recommend

226
00:16:15,760 –> 00:16:18,280
that you use Linux in general.

227
00:16:18,280 –> 00:16:23,640
It’s not foolproof by any means, but we would bet a lot of scrilla that the vast majority

228
00:16:23,640 –> 00:16:28,040
of malicious email attachments are designed to infect Windows.

229
00:16:28,040 –> 00:16:32,880
But in general, you should open email attachments in a virtual machine (VM) that’s disconnected

230
00:16:32,880 –> 00:16:34,380
from the internet.

231
00:16:34,380 –> 00:16:39,400
If you have antivirus, which is a whole separate discussion, you might as well scan it to see

232
00:16:39,400 –> 00:16:41,520
if your AV thinks it’s infected.

233
00:16:41,520 –> 00:16:45,560
All right, actually, I lied about that being the final recommendation.

234
00:16:45,560 –> 00:16:48,160
We’re going to do one more free of charge.

235
00:16:48,160 –> 00:16:52,880
The actual final recommendation is to be wary of links in emails.

236
00:16:52,880 –> 00:17:00,080
Now, I’m not sure why, but almost every business uses a separate domain for their email links

237
00:17:00,080 –> 00:17:02,000
than their main domain.

238
00:17:02,000 –> 00:17:06,640
This makes it very confusing for the user because how are they supposed to know whether

239
00:17:06,640 –> 00:17:07,640
it’s legitimate?

240
00:17:07,640 –> 00:17:11,760
For example, we tested NordVPN in the past.

241
00:17:11,760 –> 00:17:15,760
We don’t recommend that service, and we wrote a blog post about this.

242
00:17:15,760 –> 00:17:18,720
So go ahead and take a gander at that when you get the time.

243
00:17:18,720 –> 00:17:24,720
But one of our complaints was that we identified at least seven different domains that NordVPN

244
00:17:24,720 –> 00:17:28,080
was using just for their VPN service:

245
00:17:28,080 –> 00:17:41,040
nordvpn.com, ndaccount.com, nordaccount.com, nord-for-apps.com, nord-apps.com, nordcheckout.com,

246
00:17:41,040 –> 00:17:49,720
auth.zwyr157wwiu6eior.com.

247
00:17:49,720 –> 00:17:55,680
Now let’s say you’re a NordVPN customer and you’re familiar with nordvpn.com, but you

248
00:17:55,680 –> 00:18:00,960
receive an email from ndaccount.com claiming to be NordVPN.

249
00:18:00,960 –> 00:18:02,720
Well, what is that?

250
00:18:02,720 –> 00:18:03,800
Is that them?

251
00:18:03,800 –> 00:18:07,920
Is that some random dude from India? That could be anybody.

252
00:18:07,920 –> 00:18:12,600
So before you click on any email links, make sure you inspect and trust the domain that

253
00:18:12,600 –> 00:18:13,800
it points to.

254
00:18:13,800 –> 00:18:17,480
If you’re not absolutely certain, try to find another way.

255
00:18:17,480 –> 00:18:21,800
You can either call the company to check or just log into your account and see if you

256
00:18:21,800 –> 00:18:26,000
can get to wherever that link was supposed to point you to.

257
00:18:26,000 –> 00:18:27,000
That’s what I do.

258
00:18:27,000 –> 00:18:32,200
I can’t think of the last time I clicked on a link in an email other than an occasional

259
00:18:32,200 –> 00:18:34,000
unsubscribe link.

260
00:18:34,000 –> 00:18:38,440
But if you get an email, for example, that looks like it’s from your bank and gives you

261
00:18:38,440 –> 00:18:43,160
a link to view your latest bank statement or something like that, just go directly to

262
00:18:43,160 –> 00:18:46,880
their website, log in, and check your statement from there.

263
00:18:46,880 –> 00:18:51,720
To sit there and inspect the links and make sure that the email isn’t spoofed and whatnot

264
00:18:51,720 –> 00:18:54,200
is generally just a waste of time.

265
00:18:54,200 –> 00:18:56,000
Just go directly to the source.

266
00:18:56,000 –> 00:18:58,420
All right, that’s it for this episode.

267
00:18:58,420 –> 00:19:03,360
If you’d like more help with email security or related topics, consider becoming a Bigger

268
00:19:03,360 –> 00:19:04,920
Insights client.

269
00:19:04,920 –> 00:19:10,080
We help clients like you live more private and secure lives with one-on-one consulting

270
00:19:10,080 –> 00:19:11,080
sessions.

271
00:19:11,080 –> 00:19:16,160
If that sounds interesting to you, go to our website, BiggerInsights.com, and fill out

272
00:19:16,160 –> 00:19:20,880
the short form at the bottom of the page to request an initial consultation.

273
00:19:20,880 –> 00:19:25,800
We are once again asking you to share and subscribe to this podcast so we can spread

274
00:19:25,800 –> 00:19:28,360
our message and help as many people as we can.

275
00:19:28,360 –> 00:19:29,800
All right, that’s it.

276
00:19:29,800 –> 00:19:31,520
Thanks for staying until the end.

277
00:19:31,520 –> 00:19:35,760
Follow these recommendations to use email more securely and have a great rest of your day.

Disclaimer

Our podcasts, including this episode, are for informational purposes only. Some of the items discussed may not be appropriate or lawful in your jurisdiction or industry. See our full Disclaimer for details.
