Why Every Person Needs At Least Four Email Accounts

October 21, 2021

POST WRITTEN BY

Morey Haber

CTO and CISO at BeyondTrust, overseeing the company's technology for privileged, remote access and vulnerability management solutions.

Identity-based attack vectors represent the next biggest risk for consumers and businesses alike as we enter a new decade. One aspect of this risk is associated with an identity, or user, having a single account used for many different roles.

In simple terms, if a person uses the same username and email account for everything they access, the risk of an incident is higher. Once a single account has been attacked, a threat actor can reuse the same account name (the email address) against other resources, using techniques such as brute force, password spraying and credential stuffing to attempt to compromise those accounts as well.

If the user has different email addresses for logging on to different types of resources, then a breach in one type of resource cannot necessarily be used against another. The threat actor has no email address or account username as a reference point to start from unless they can link all your email addresses back to your identity.

In business, these different accounts are generally associated with an identity governance solution and managed by business or information technology roles. For a consumer, people generally use one email account for all types of access with varying degrees of risk. This is where the problem lies.

I believe consumers should adopt a model similar to businesses and have at least four email accounts for home use. This is very similar to how businesses have multiple accounts to cover different types of access to applications based on risk and privileged sessions. Therefore, for every user, we recommend having at least four different email addresses for all of the resources they access on the internet.

The goal is twofold: keep correspondence from different resources separate, and keep any logon username that is based on an email address segregated for authentication according to the risk associated with the asset being accessed.

1. The first email address should be associated with any type of sensitive account. These can be banking or financial applications, and they should have a unique email address used for authentication, dedicated only to their access. Beyond logging on, this helps determine whether any correspondence sent to this address is legitimate: a phishing email claiming to be from your bank that arrives at a different account can automatically be discounted as fake, because no sensitive account is associated with any other email address. For the highly security-conscious, it may be necessary to create a separate email account for each of these sensitive systems, depending on the data contained within.

2. The second email address should only be used for personal correspondence. This includes any type of email that may be exchanged with family members, friends or other social activities. This email address should never be used for anything outside of sending or receiving email; that is, it should never be used as the logon (authentication) for any account on the internet. Any rogue correspondence to this address, such as a message claiming to come from your bank or insurance company, is easy to identify as spam targeting you.

3. The third account should be for junk email or shopping. For the sake of this article, we classify junk mail very broadly as mail from websites that frequently send you sales offers or nonmalicious spam. It should be used for all of the applications and websites that send frequent coupons, event notifications, sales promotions or other types of merchandise. It is not recommended to use this account for any other activities, or to use this email address as a login for shopping on a website. Unless it is an e-commerce site you visit frequently (in which case it is a sensitive account, since it holds your credit card number), consider always shopping as a guest in order to prevent the website from storing your credentials, credit card number and address.

4. Finally, the fourth email address is relatively straightforward and should only be used for any correspondence associated with your employment or interactions with state, local or federal government. This is a dedicated email account that you share with your employer or other government entities so that they can correspond with you regarding healthcare, taxes, utility bills or other official information. This email address should not be shared outside of these specific use cases, and any correspondence that deviates from its intended usage is definitely spam.

While having four email accounts may seem extreme, it helps separate the different use cases you have for correspondence and sensitive authentication on the web. Modern mail applications, including Microsoft Outlook, Gmail on Android and Mail on an Apple device, can easily manage multiple email addresses to keep correspondence separate. Knowing which email should arrive in which category will help you avoid spam, phishing attacks and other compromised-credential attacks that could lead to your identity being compromised.

Depending on your engagement with online resources, including social media or other types of high-risk applications like dating websites, you may choose to create even more email accounts to perform an even higher separation of roles. Essentially, the rule to follow here is to not use one account (email address) for everything. Your email account should not be the same for banking as well as dating sites and social media.

Finally, if your internet-based resources allow you to create a unique username for logging on in lieu of an email address, take advantage of this. It provides an additional layer of obfuscation, and the remaining exposure is limited to email correspondence rather than a login username shared across every web-based service. Keep all of your account usernames separate and unique when possible, and monitor incoming emails against the account they arrive at to help safeguard against phishing attacks and modern identity-based attack vectors. And it goes without saying that the passwords for each account should be unique, complex and never reused or recycled.
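The two rules above lend themselves to a simple personal audit: mail from a known organisation arriving at the wrong account is suspect, and a login identifier reused across sites (or equal to the personal address) defeats the separation. The following is an added illustration, not code from the article or from BeyondTrust; every address and domain in it is a constructed placeholder and the policy table is a hypothetical instance of the four-account scheme.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed policy for the four-account scheme: role -> (address, senders allowed to
# write to it). None means any sender is fine and the address is never used as a login.
ACCOUNTS = {
    "sensitive": ("bank-only@example.net", {"mybank.example", "broker.example"}),
    "personal": ("me@example.net", None),
    "junk": ("deals@example.net", None),
    "official": ("records@example.net", {"employer.example", "revenue.example"}),
}
ADDRESS_ROLE = {addr: role for role, (addr, _) in ACCOUNTS.items()}
# The one role each known organisation should be writing to, derived from the allow lists.
DOMAIN_ROLE = {d: role for role, (_, senders) in ACCOUNTS.items() if senders for d in senders}


@dataclass
class Message:
    sender: str     # e.g. "alerts@mybank.example" (constructed)
    recipient: str  # one of my addresses


def triage(msg: Message) -> str:
    """Return 'expected' or a 'suspicious: ...' reason under the four-account rule."""
    role = ADDRESS_ROLE.get(msg.recipient.lower())
    if role is None:
        return "suspicious: recipient is not one of my addresses"
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    expected_role = DOMAIN_ROLE.get(domain)
    if expected_role is not None and expected_role != role:
        # A bank writing to the personal or junk address: the article's tell for phishing.
        return f"suspicious: {domain} should only write to the {expected_role} address"
    allowed = ACCOUNTS[role][1]
    if allowed is not None and domain not in allowed:
        return f"suspicious: unexpected sender {domain} for the {role} address"
    return "expected"


def login_reuse(logins: dict[str, str]) -> list[str]:
    """Flag login identifiers reused across sites or equal to the personal address."""
    by_user = defaultdict(list)
    for site, user in logins.items():
        by_user[user.lower()].append(site)
    findings = []
    for user, sites in by_user.items():
        if user == ACCOUNTS["personal"][0]:
            findings.append(f"{user} is the personal address; never use it as a login")
        if len(sites) > 1:
            findings.append(f"{user} reused on {len(sites)} sites: {', '.join(sorted(sites))}")
    return findings
```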

Today's CyberSecurity ToDo List

Create distinct sensitive, personal, junk and work email accounts with unique passwords so password spraying can't work.