How to protect your email from cyberattacks

The numbers are overwhelming. Ten million malicious emails are prevented by Google every 60 seconds.

Hold Security discovered a cache of 272.3 million hacked email accounts last year from major providers around the world, and more than half a billion personal records were stolen or lost in 2015, an increase of 23 percent from previous years, according to the 2016 Internet Security Threat Report (ISTR).

The increase in cybersecurity threats is alarming, and given the statistics, it is difficult to feel assured that our digital lives are secure. Cybersecurity should no longer be only a concern for states, businesses and public figures. It should be a major concern for every single person.

Step one:


the threat

Alarmingly, too many people are neither concerned with nor aware of the seriousness of the problem. They adopt the attitude that it will never happen to them as they have nothing to hide. There is no need to be harboring state secrets, however, to exercise a minimum level of privacy, protection and security. Internet users should start to actively look for ways to protect themselves. The internet’s reach and scope are increasing exponentially, and organized criminals on the dark web are constantly on the lookout for new techniques to hack their targets, while by and large our security threshold remains the same.

The consequences of this could be devastating. John McAfee, founder of Intel Security Group, a global computer security company, has warned: “An email hack can destroy our digital world, and we won’t see it coming.” Estimates from various hacking groups say that passwords for 75 percent of the world’s email accounts are available for purchase on the dark web. Beyond that, there are thousands of videos, tutorials and software tools online on how to hack into emails, social media accounts, smartphones and others.

Step two:

Secure your password and devices

It goes without saying that the first step is to have a strong password that is a mixture of uppercase and lowercase letters, numbers and symbols. Security experts warn against reusing the same password over separate accounts, and some suggest changing passwords often to add an extra layer of protection.

Other safety steps include: installing a well-known antivirus, performing constant software updates, avoiding public PCs, being cautious of public Wi-Fi at airports, coffee shops and other locations, and opting for Secure Sockets Layer (SSL)/Transport Layer Security (TLS) when available. Also, it is best to use two-factor authentication when possible.

Regarding email addresses, avoid easy to guess emails, i.e. [email protected]. Instead, add random numbers and characters, and avoid posting your email over the internet on blogs, websites and social media. Any hacker who knows an email address can click on the forgot password link in the webmail and try to guess the answers to the security questions, so make sure to give obscure answers.

If you do want people to contact you online, one trick is to post your email as a picture instead of having it written as text; spam software is not able to decode images. Avoid replacing the @ with (at) or .com with (dot) com in an email address; while people think this tricks spambots, it is in fact very easy to decode.

Step three:

Secure your email

The hack of Democratic Party officials during the United States presidential elections was global news, not just for its political impact, but also because of cybersecurity concerns. If those emails had the latest level of encryption, hackers would not have been able to get their content.

The two most commonly used encryption protocols are Pretty Good Privacy (PGP) and its newer successor Secure/Multipurpose Internet Mail Extensions (S/MIME). Although you can use the older PGP protocol, cybersecurity experts advise using S/MIME protocol if possible, as it is much more secure and offers authenticity (explained below), which you do not find with PGP.

S/MIME consists of two security services: digital signature and encryption. These two services combined offer a high level of email security. A digital signature is a unique code added to your email that proves authorship and assures the receiver that it didn’t come from someone pretending to be you, and that the email has not been edited or changed during its transit.

Using a digital signature alone is not enough, however, as your email will be traveling between servers in plain text, making it very easy for hackers to intercept and read. Here, the role of encryption in S/MIME comes into play. Encryption makes your email unreadable to everyone except the intended recipient.

Setting up email encryption can be a laborious process, however. Below is Executive’s guide to securing Outlook, Hotmail and Gmail email accounts.

Microsoft Outlook Desktop application for Windows


1. Click on the tab in Microsoft Outlook, then select Trust Center -> Trust Center Settings -> Email Security

2. Under Digital IDs (Certificates) click on Get a Digital ID. Outlook then opens up a page with a list of some of the certificate authorities (CAs) that are qualified to issue digital certificates. (Some CAs offer free Digital ID like COMODO and StartSSL, others you will have to pay for. The price ranges between $5 per user a month to around $10 per user a month).

3. Assuming you get your Digital ID from StartSSL, all you have to do is to go to their website using Mozilla browser, sign up for the free package and your digital ID is ready to install. If it doesn’t install automatically make sure to click on the Install button.

4. From Mozilla menu tab, click on View Certificates -> select Your Certificates

5. Locate your certificate under “SmartCom Ltd” and click on the

6. It will then prompt you to add a password in order to protect your certificate. (Make sure to remember the password as there is no recovery option for it, and your certificate won’t work if you don’t provide the password. It’s also advisable to make a copy of the certificate file you have just downloaded and store it on a USB drive). After you complete all the instructions below, delete the file from your computer, otherwise any person accessing your computer can take it and start sending emails on your behalf.

7. Going back to Outlook, click the Import/Export Digital ID button located under Digital IDs (Certificates) (see step two).

8. Import/Export Digital ID from a file click on and select the digital signature file that you just downloaded on your desktop.

9. Enter the same password that you just used for backing up your digital signature in step six. Press and you will be redirected to the Email Security -> Press the located under Encrypted E-mail

10. Click on the button located in the Change Security Settings window to select the signing certificate. It might get selected automatically by Outlook, if not then browse and select it.

11. and then

12. Go back to Email Security -> under Encrypted E-mail, check the Add digital signature to outgoing messages and then Send clear text signed messages when sending signed messages


Now you can start sending digitally signed emails, and users can differentiate them through a small red certificate icon at the right of your email if the receiver happens to use Outlook. Double-clicking on that icon will show whether the certification is valid and trusted or not.

After setting up your digital signature, the next stage is encryption. Provided you have followed the steps above, this is a simple process: click to enable encryption in your Outlook. Encryption is a two-way process, meaning that the sender and the receiver should exchange their digital signatures by email and save these in their contacts. When digital signatures are exchanged between the sender and the receiver, only then can they start exchanging encrypted emails.

Hotmail webmail client

Outlook Web Access, which runs Hotmail, only supports S/MIME on Microsoft Windows® 2000 and Internet Explorer 6 or higher. This is provided you already have a digital ID, explained in steps above. Only then can you install the S/MIME control.

Once installed, you can use the gear menu > S/MIME settings to encrypt all messages. Simply select Encrypt contents and attachment of all messages I send and Add a digital signature to all messages I send


Gmail webmail client

Gmail supports TLS connections, which means that the connection is secure and encrypted, but not the email itself. For the TLS connection to persist when an email travels to data servers other than Google’s, those servers need to support TLS as well. It’s important to note that Gmail emails are stored as plaintext on Google’s servers, without any encryption. Back in 2010, a Google employee was fired after being caught using information from teenagers’ email accounts to stalk them. Since then, Google has taken some measures to increase its security locally, although Gmail emails are still stored as plaintext on their servers.

Currently S/MIME is only active for Gmail Enterprise and not solo users, so Executive searched for an S/MIME add-on that would work on Gmail but found none. Gmail users can, however, make use of PGP encryption. As stated earlier, PGP protocol is older than S/MIME. One of the drawbacks is that it doesn’t encrypt email headers, allowing a hacker to see who an email is addressed to, though its content stays encrypted. However, when a PGP-encrypted message is additionally encrypted by a TLS connection, the sender and receiver will become encrypted as well. This solution ends up very secure, as emails are not only safely encrypted during transit, but are also stored encrypted on Google’s servers as well.
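The two points made above, that a signature alone leaves the text readable and that encryption leaves the headers readable, can be checked from a message's outer MIME structure. The sketch below is an added example, not part of the original article; the sample messages, addresses and the function names classify and exposure are constructed for illustration.

```python
from email import message_from_string

# Constructed sample messages; "PLACEHOLDER" stands in for signature/ciphertext bytes.
HEAD = ("From: alice@example.test\nTo: bob@example.test\n"
        "Subject: Q3 budget\nMIME-Version: 1.0\n")
PLAIN = HEAD + "Content-Type: text/plain\n\nThe budget is approved.\n"
SIGNED = HEAD + (
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
    ' boundary="sep"\n\n'
    "--sep\nContent-Type: text/plain\n\nThe budget is approved.\n"
    "--sep\nContent-Type: application/pkcs7-signature\n\nPLACEHOLDER\n--sep--\n")
SMIME_ENC = HEAD + ("Content-Type: application/pkcs7-mime;"
                    " smime-type=enveloped-data\n\nPLACEHOLDER\n")
PGP_ENC = HEAD + (
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";'
    ' boundary="sep"\n\n'
    "--sep\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
    "--sep\nContent-Type: application/octet-stream\n\nPLACEHOLDER\n--sep--\n")

SIGNATURE_PROTOCOLS = {"application/pkcs7-signature",
                       "application/x-pkcs7-signature",
                       "application/pgp-signature"}
SMIME_TYPES = {"enveloped-data": "encrypted", "signed-data": "signed"}

def classify(msg):
    """Name the protection from the outer MIME structure, as any relay could."""
    ctype = msg.get_content_type()
    protocol = str(msg.get_param("protocol") or "").lower()
    smime_type = str(msg.get_param("smime-type") or "").lower()
    if ctype == "multipart/signed" and protocol in SIGNATURE_PROTOCOLS:
        return "signed"        # clear-signed: the text part travels readable
    if ctype == "multipart/encrypted" and protocol == "application/pgp-encrypted":
        return "encrypted"     # PGP/MIME
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return SMIME_TYPES.get(smime_type, "unknown")   # S/MIME
    return "none"

def exposure(raw):
    """Report the protection kind, the cleartext headers and any plaintext parts."""
    msg = message_from_string(raw)
    body = [part.get_payload().strip() for part in msg.walk()
            if part.get_content_type() == "text/plain"]
    return {"protection": classify(msg),
            "headers": {name: msg[name] for name in ("From", "To", "Subject")},
            "readable_body": body}

if __name__ == "__main__":
    for label, raw in [("plain", PLAIN), ("signed", SIGNED),
                       ("smime", SMIME_ENC), ("pgp", PGP_ENC)]:
        print(label, exposure(raw))
```

In these samples the signed-only message still exposes its text, while both encrypted messages hide the text but keep From, To and Subject in the clear.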

PGP relies on something called public-key and private-key, which a user must own in order for them to receive encrypted emails. Those keys are generated by third party companies that support PGP encryption. The public-key encrypts the message while the private-key decrypts it. Once a user has those keys, they must share their public-key with other users, either by uploading it to special servers or by sending it via email. Let’s say that A wants to send an encrypted email to B. A has to encode his email using B’s public-key. When the encrypted email reaches B, he can decrypt it using his private-key.

There are many free PGP add-ons available online, and they make the process very easy for anyone to use; you just have to follow their instructions. Executive has tested Mailvelope and Enlocked add-ons for webmail clients (Gmail and Hotmail), and they proved very user friendly.

However, if you don’t want to bother with add-ons, browser compatibility and so forth, you can always switch to a webmail client such as ProtonMail, as their server can’t be decrypted (though ProtonMail has become so popular you might find yourself on a waiting list), or you can use a third-party company like DocuSign where you can digitally sign and S/MIME encrypt your email before sending.

In order to be secure, you constantly need to stay up to date on the latest security releases, performing regular updates of your software, and encrypting not only your emails, but your computer, laptop and mobile as well. Act now, before you become the next victim. Stay secure, and stay safe.


View all posts by

Magali Hardan
