When I was a kid, I watched a lot of terrible action movies. Maybe it was just growing up in the 1980s, and there were a lot of bad ones to watch. My dad was a Green Beret, and he blew my mind when he let me know that the hero of whatever movie I was watching hadn’t reloaded his gun in half an hour. From then on, I found myself developing an OCD habit of counting the number of shots and guesstimating how many rounds might be left. I now judge movies based on how accurate they were.
By George Finney, CISO, Professor, Author, Keynote Speaker, Startup Advisor
So, now that I have a compulsion to count things, I count how many times I stir my coffee. I’ll count the number of cars in traffic or how many times I’ve checked social media today. It’s only natural, then, that I started counting how many email accounts I was using and wondered how many email addresses are enough.
Before I dive into emails, I should first say that I think counting is just another way of thinking about curiosity. And I think curiosity is one of the key traits that set us up for success in cybersecurity.
According to a survey by the Data and Marketing Association, an average person has 2.5 email accounts. The same survey suggests that 51% of people have had the same email address for more than 10 years.
I’m pretty invested in my email addresses; I feel like they’re part of my identity. But there’s another, equally valid perspective: email accounts are disposable. I wondered if I could do an experiment and see how many email addresses I need and whether I could organize them in a way that made me more secure and possibly more organized along the way.
It turns out, you should have 11 email accounts.
Why 11 email accounts?
It used to be that I was worried about my main email account being compromised. A hacker could use the same email and password to get into my other banking or shopping accounts. Most online services use your email address as your username, which exposes half of your credentials. Since most don’t enforce a periodic forced password change, this is even more of a problem.
Hopefully, your email or banking account uses two-factor authentication (2FA), but I’m still concerned about clever social engineering being able to bypass our defenses.
The list below separates the types of email accounts I think you’ll need into categories. I’ve grouped the categories by what they’re used for (banking or social media, for example), by the level of risk if they’re exposed, and by how often that type of account tends to change. For example, work email addresses may change every few years, while you may want a recovery email account to remain the same forever.
With smartphones, it doesn’t matter how many email accounts you have, as they’re all right there on the same device. So having multiple accounts isn’t inconvenient like it might have been 10 years ago. We know that different organizations you do business with will share, sell, or leak information about you, so dividing up your email accounts will show you when this happens more clearly.
You should already be using different passwords for your different email accounts. If not, sign up for a password vault and use random passwords for each account. I don’t know most of my passwords at this point.
Here are the last 11 email accounts you’ll ever need:
Work: This will change over time as you change jobs. I recommend keeping work and personal as separate as possible for lots of reasons. Any personal mail, important tax documents, or pictures you send will get lost after you change jobs. Each company will have different work email policies, so it’s best to keep this separate.
Personal: If any of your email addresses will stay the same forever, it will be this one. You will give this email out to friends and relatives who you want to stay in touch with, or who you might only hear from once in a while. To keep from having to change this email address frequently, it’s important to keep it separate from the others on the list.
Recovery Account: Lots of services today want you to provide them with an email account that can be used to recover your username and password. For this reason, I think this is one of the most important accounts you’ll set up. And because so many services want a recovery account, this will be one of the first accounts you’ll set up.
Social: Facebook, TikTok, and Snapchat aren’t your friends. We know that through breaches or by direct relationships, emails are exposed without us necessarily knowing about it. And it’s part of their business model to sell your data. Skimming these for your contact info, you can be targeted for well-crafted phishing messages. It’s good to separate these from your other accounts, like shopping, banking, or work.
Newsletters: This will be your miscellaneous category. This category by itself will fill up any inbox with junk that you won’t regularly read, like the weekly sale email from your favorite store. Newsletter mailing lists are also frequently sold from one company to another, so the likelihood of this category turning into a source of junk is high, so keep it separate.
Banking: Separating these into their own email will help you recognize a phishing message claiming to be from your bank. If it didn’t go to the right account, then it’s phishing and you’ll recognize that quickly.
Insurance and Taxes: Car, medical, home, taxes, etc. Many of these services collect your SSN or other highly sensitive financial information. You could combine this with your banking or shopping email account, but I like creating a firewall between them.
Shopping/Bills: Since these sites collect your credit card, PayPal, Venmo, banking, or other payment info, you’ll want an address to keep them secure. I like to keep these separate from my banking sites so that I can more easily spot scams that try to collect my banking info.
Job Searching: I’ll talk more about this later, but I’ve found that job search sites are the absolute worst about keeping your email secure. It seems like every recruiter on the planet has my email address.
School: You’ll probably get one of these for life if you attend college. These are great for keeping in touch with former classmates. But administrative issues with these accounts can lead to accounts being full of spam and phishing messages.
Burner Email: I’ve listed this one separately from newsletters because, by definition, you may want to burn this address for some reason and get a new one. I’m thinking in particular about dating sites, but there could be several other uses for this category.
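The banking and shopping items above describe a simple detection rule: mail that claims to come from a bank or a payment service but lands at an address you never gave them is phishing. The following is an added example (not the author's code) that applies that rule to a message's From:, To: and Subject: headers; the addresses, sender domains and brand words are constructed placeholders you would replace with your own.

```python
# Added example, not the article's own code: compartment check over To:/From:.
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed placeholders: the category each of my addresses serves and
# the sender domains I actually gave each address to.
ACCOUNT_CATEGORY = {
    "me-bank@example.com": "banking",
    "me-shop@example.com": "shopping",
    "me-news@example.com": "newsletters",
}
KNOWN_SENDERS = {
    "banking": {"examplebank.com"},
    "shopping": {"shop.example", "billing.example"},
}
# Wording a message uses to claim it comes from a compartment's kind of service.
BRAND_HINTS = {
    "banking": ("bank", "wire transfer"),
    "shopping": ("paypal", "venmo", "your order"),
}

def claimed_category(display_name: str, subject: str) -> Optional[str]:
    """Which compartment the message claims to belong to, judged by wording."""
    text = f"{display_name} {subject}".lower()
    for category, words in BRAND_HINTS.items():
        if any(word in text for word in words):
            return category
    return None

def check_compartment(raw_message: str) -> str:
    """Return 'ok', 'wrong compartment' or 'unknown sender in restricted compartment'."""
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    recipient_cat = ACCOUNT_CATEGORY.get(recipient.lower(), "unknown")
    sender_cat = next((c for c, d in KNOWN_SENDERS.items() if sender_domain in d), None)
    claimed = sender_cat or claimed_category(display_name, msg.get("Subject", ""))
    # Mail that claims (by domain or wording) to be bank/shop mail but arrives in
    # another compartment did not come through the address I gave that service.
    if claimed is not None and claimed != recipient_cat:
        return "wrong compartment"
    # Restricted addresses were given to a short list of senders; anyone else is suspect.
    if sender_cat is None and recipient_cat in KNOWN_SENDERS:
        return "unknown sender in restricted compartment"
    return "ok"
```

This is a compartment check, not sender authentication: a message that forges the real bank domain and is sent to the banking address still passes, so it complements rather than replaces SPF/DKIM checks done by your mail provider.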
All these separate email accounts will most likely be stored on your mobile phone so that you can check them. This means the security of your device is the weak link in this chain. Setting up PINs, fingerprints, or facial recognition is good. Setting up your phone’s lost or stolen recovery app is also important. I’d also recommend downloading a mobile antivirus solution.
Is mobile phone antivirus important? More and more users report receiving fraudulent or phishing text messages. Texting fraud is on the rise, and it seems like we’re more likely to give our phone numbers out than email addresses. It’s harder to have multiple phone numbers, although you can use Google Voice or an app to create your own burner numbers.
Going back to my obsession with counting for a moment: phishing is up 600% just in the first few months following the COVID-19 pandemic. More than ever we need to be able to protect ourselves from social engineering. Having 11 different email accounts will help compartmentalize phishing attacks, but we also need to know how to leverage the habits of skepticism and vigilance when those phishing messages get through.
As the GI Joes are fond of saying, “Knowing is half the battle.” Our users know the red flags for phishing that we’ve taught them, but there’s still a gap in recognizing them, particularly in the afternoon. Just knowing this can help us better prepare — we can schedule more meetings in the afternoon so that we spend less time exposed to email. When we do read email, we can use the “slow down and frown” technique I’ve developed, which some psychology studies suggest can increase our vigilance by up to 20%.
My obsession with counting is what led me to look at my simulated phishing data differently. There wasn’t a view into the time of day in any of the tools I used, so I had to learn a bit about data science and Big Data to be able to visualize the problem in a new way. Counting, for me, is just another expression of curiosity about the world around me. And ultimately, I think it will be curiosity that will help us to solve our cybersecurity challenges.
This story first appeared in the October 2020 issue of CISO MAG.
About the Author
George Finney is a CISO, author, speaker, professor, and consultant who believes that people are the key to solving our cybersecurity challenges. He has worked in cybersecurity for nearly 20 years and has helped startups, global telecommunications firms, and nonprofits improve their security posture. As a part of his passion for education, Finney has taught cybersecurity at Southern Methodist University and is the author of Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future. He has been recognized by Security Magazine as one of their top cybersecurity leaders in 2018 and is a part of the Texas CISO Council.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.