Email security tips for employees

Cybersecurity threats can reach all corners of the digital space. Unfortunately, there’s one realm in particular that’s both a critical communication lifeline and a vulnerable gateway for potential breaches – your email. Given how important email is within the workspace, it’s essential to ensure it’s protected.

Whether you’re a seasoned professional or new to the workforce, keep reading to learn about the top email security tips for employees so you can do your part in protecting your organisation.

7 EMAIL SECURITY BEST PRACTICES

Like all tech security, email security continually evolves as cyber threats do. While you should always stay up-to-date on the latest developments, you can use these seven best practices as the foundation of your efforts.

1. CREATE STRONG PASSWORDS

The best passwords are made up of unique numbers, letters, and symbols and are different for each account. It may be tempting to use common words, phrases, and personal information like your birthday, but those are easy for hackers to decipher. If you’re worried about forgetting complicated passwords, use a password manager. They can help you create new passwords and securely save your old ones.

2. UTILIZE MULTI-FACTOR AUTHENTICATION (MFA)

Traditional passwords can be supplemented with an additional layer of security by using two-factor or multi-factor authentication. When you have MFA enabled, you’ll be required to provide a second form of verification after you input your password. This means that even if a hacker were to guess your password, they still wouldn’t be able to gain access to your account. Common forms of MFA include one-time codes, authentication apps, and biometric verification.

3. KNOW THE SIGNS OF PHISHING

Phishing emails are designed by cybercriminals to trick recipients into clicking on malicious links. There are many different types of phishing to look out for, including whaling, cloning, pharming, and spear phishing.

Be cautious if you receive an email from an unknown address, especially if it prompts you to provide sensitive information or take some type of urgent action. You should still be careful even if an email looks legit or you think you recognise the address. Cybercriminals are known for creating fake email addresses and content that looks professional and sophisticated.

4. HAVE A SEPARATE PERSONAL EMAIL ACCOUNT

Maintaining separate email accounts for your work life and personal life not only prevents inadvertent data mingling but also limits the exposure a hacker would have if they broke into your account.

5. BE CAUTIOUS OF ATTACHMENTS

Cybercriminals use email attachments as vessels to carry viruses onto your computer. If you receive an email from a new sender, try to find a way to directly verify the address. You should also never open attachments from unidentified senders. For an extra layer of security, consider using antivirus software to scan attachments before you open them.

6. STAY INFORMED THROUGH AWARENESS TRAINING

It’s nearly impossible to keep up with newly evolved cyber threats yourself. Luckily, you can stay informed through cyber security awareness training. Attending regular sessions will keep you up-to-date on the red flags you should watch out for and on ways to avoid them.

7. IMPLEMENT EMAIL SECURITY TOOLS AND METHODS

While the practices outlined above are a great foundation, it’s important to build defences that go beyond your own efforts. One way you can do so is by downloading advanced email protection tools and automated software that can detect phishing and spoofing attempts. DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) are popular tools.

You can also strengthen your defences by partnering with an IT company. What better way to protect your business than with help from professionals? Computer Troubleshooters has a team trained in data and network security, ready to build a security plan for your business.

< Older Post

Newer Post >

Previous Blog Posts and Updates

Beware: Is that Microsoft… or a phishing attempt?

by Zeljko Ruskaj • 31 July 2025

You can trust Microsoft, right? Well, what if it isn’t really Microsoft at all? Cyber criminals are impersonating the tech giant. Don’t fall for it… Check out our latest blog #CyberSecurity #PhishingScam #MicrosoftPhishing

Criminals can access your accounts without your password

by Zeljko Ruskaj • 23 July 2025

Have you ever felt like just when you’ve nailed your cyber security – BAM! – something new comes along to throw a spanner in the works? That’s exactly what’s happening right now. There’s a new scam doing the rounds. And it’s catching out businesses just like yours. The worst part? Cyber criminals don’t even need your password. Scary… It’s called device code phishing. It’s a clever trick that’s becoming more and more popular. Microsoft recently flagged a wave of these attacks, and we’re likely to see many more. This one’s different to the usual phishing scams you’ve probably heard about. Normally, phishing is all about tricking people into giving away their usernames and passwords on fake websites. But with device code phishing, scammers play a smarter game. Instead of stealing your password, they get you to voluntarily give them access to your account. And they do it using real Microsoft login pages, so it looks totally legit. It usually starts with a convincing email. Maybe it looks like it’s from your HR person, or a colleague, inviting you to a Microsoft Teams meeting. You click the link, and it takes you to a real Microsoft login screen. Nothing seems out of place. You’re asked to enter a code. Just a short one, called a “device code.” This code is supplied in the email, and you’re told it’s needed to join the meeting or finish logging in. Here’s the catch: By entering that code, you’re not logging yourself in… you’re logging them in. You’re unknowingly giving the attacker access to your Microsoft account on their device. And because the login goes through the proper channels, it can even bypass multi-factor authentication (MFA). Yep, even if you’ve got extra security in place, they might still get in. Once they’re in, they can do a lot of damage. Reading your emails, accessing your files, even using your account to trick others in your company. It’s like handing over the keys to your office and you don’t even realise it. It’s dangerous because it doesn’t look suspicious. You’re on a real Microsoft site, not some suspicious fake. You didn’t click a weird link or enter your password into a phishing form. Everything looks above board… except it’s not. And because attackers are using legitimate Microsoft login flows, traditional security tools don’t always catch it. Plus, once they’re in, they can stay in. They don’t need to keep logging in if they’ve captured your session token (that’s a sort of digital "pass" that keeps you logged in behind the scenes). So even changing your password won’t necessarily kick them out right away. A big question then: How can you protect your business? Start by getting your team to be extra cautious with login requests. Especially ones that involve entering codes. If you get a device code from someone, stop and think: Did I request this? Do I know for sure this is real? If you’re not sure, don’t go through with it. Use a separate method, like a direct phone call or your company’s messaging system, to double-check with the person who sent the email. Remember, real Microsoft logins don’t involve someone else giving you a code to enter. If that ever happens, it’s a red flag. From a technical side, your IT team (or IT provider) can also tighten things up. If your business doesn’t need device code login as part of its daily operations, it’s safest to turn it off altogether. They can also put in place extra security rules that only allow logins from trusted locations or devices. And finally, keep training your people. Good cyber security is about awareness. If your team knows what to look out for, they’re much less likely to fall for these kinds of tricks. Can we help you tighten up your security? Get in touch.