Chykalophia Docs
Email security basics

The essential steps to keep your business email accounts secure — passwords, two-factor authentication, and everyday habits.

Tags: email, security, google-workspace, microsoft-365, beginner

Email is one of the most targeted entry points for attackers. A compromised email account can lead to financial loss, data breaches, and reputational damage. This guide covers the basics every business owner should have in place.

Quick summary

The most important email security steps are: use a strong, unique password; enable two-factor authentication (2FA); learn to recognize phishing attempts; and don't share your password with others. These four things prevent the vast majority of account compromises.

Use a strong, unique password

Your email password should be:

  • At least 12 characters long
  • A mix of letters, numbers, and symbols — or a long passphrase
  • Unique — not used for any other account

If an attacker gets your password from a data breach on another site (a shopping site, for example) and you've reused it for email, your inbox is now compromised.

The easiest way to manage unique passwords is a password manager. It generates and stores strong passwords for you — you only need to remember one.

Enable two-factor authentication (2FA)

Two-factor authentication (2FA) — sometimes called multi-factor authentication (MFA) — requires a second form of verification in addition to your password. Even if someone knows your password, they can't sign in without the second factor.

How to enable it:

Verification options include:

  • An authenticator app (most secure; e.g., Google Authenticator, Microsoft Authenticator, Authy)
  • SMS text message (less secure but better than nothing)
  • A hardware security key

See Two-factor authentication explained for a full guide.

Important

Do not skip 2FA setup. Business email accounts with no 2FA are among the most commonly compromised accounts. This is especially true for email used to manage other accounts — if your email is compromised, attackers can request password resets for every service linked to it.

Don't share your password

Never share your email password with colleagues, clients, or vendors — including Chykalophia. Use delegate access or shared mailboxes instead.

  • For team inboxes: use a shared mailbox
  • For giving an administrator (including Chykalophia) access: assign an admin role rather than handing over your personal password
  • For temporary access: grant temporary admin credentials rather than sharing your personal login

Be alert to phishing emails

Phishing is when an attacker sends an email pretending to be someone you trust — your bank, Google, Microsoft, or a colleague. The goal is to trick you into clicking a link and entering your credentials on a fake website.

See How to recognize a phishing email for a detailed guide on spotting these.

The most important habits:

  • Hover over links before clicking to see where they actually go
  • Be suspicious of any email asking you to click a link and log in
  • When in doubt, go directly to the service's website by typing the address in your browser — don't click the link

Keep your recovery options up to date

Both Google and Microsoft use a recovery email address and phone number to help you get back into your account if you're locked out. Make sure these are current — especially if you've changed your phone number.

Watch for account compromise signs

Signs your email may have been compromised:

  • Emails you didn't send appearing in your sent folder
  • Contacts saying they received strange emails from you
  • You can't log in (attacker changed the password)
  • Unexpected password reset emails from other services
  • Unexpected changes to your account settings (auto-forwarding set up, filters created)

If you suspect your account has been compromised, act quickly. See What to do if an account is compromised.

Keep your email platform up to date

Google Workspace and Microsoft 365 are managed services — the underlying software is always kept up to date by the provider. But:

  • Keep your browser and mobile apps updated (they patch security vulnerabilities)
  • If you use Outlook desktop, keep it updated
  • Review your account's connected apps occasionally — revoke access for apps you no longer use

Business email compromise (BEC)

Business Email Compromise is a sophisticated scam where attackers either gain access to a business email account or create a lookalike address. They then impersonate a director or supplier to request fraudulent payments.
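One defensive check for the lookalike-address variant described above: compare each sender's domain against your own after folding the visual swaps a lookalike relies on. This is an added example, not Chykalophia's code; YOUR_DOMAIN and the sample addresses are constructed placeholders, and the confusable list is deliberately short.

```python
# Added example (not Chykalophia's code): flag sender domains that look like
# your own, as used in BEC lookalike-address scams. YOUR_DOMAIN and the
# sample senders in the test are constructed placeholders.
import unicodedata

YOUR_DOMAIN = "example.com"

# Common visual swaps a lookalike domain relies on; a constructed, non-exhaustive
# list for this example.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

def normalize(domain):
    """Lower-case, strip accents (e.g. 'ä' -> 'a') and fold visual look-alikes."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d

def edit_distance(a, b):
    """Classic Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address, own_domain=YOUR_DOMAIN):
    """Return 'internal', 'lookalike' or 'external' for a From: address.

    Assumes the domain is already decoded to Unicode (not punycode).
    """
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain == own_domain:
        return "internal"
    own, dom = normalize(own_domain), normalize(domain)
    # Identical after folding (exarnple.com, examp1e.com, exämple.com) or one
    # character away (example.co, examqle.com) is treated as a lookalike.
    if edit_distance(dom, own) <= 1:
        return "lookalike"
    return "external"
```

Expect some false positives on legitimately similar domains; the point is to route such mail for a second look, not to block it automatically.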

BEC scams have cost businesses billions of dollars globally. The keys to protection:

  • Require phone or in-person confirmation for any unusual payment requests
  • Be suspicious of any email asking for an urgent wire transfer or change of bank details
  • Set up DMARC to prevent others from spoofing your domain
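A DMARC record is a DNS TXT record published at _dmarc.yourdomain. As an added example (not Chykalophia's code), the script below parses such a record and reports settings that still let spoofed mail through; the two record strings are constructed samples and example.com is a placeholder domain.

```python
# Added example (not Chykalophia's code): parse a DMARC TXT record and flag
# settings that leave the domain open to spoofing. WEAK and STRONG are
# constructed sample records; example.com is a placeholder domain.
# Tag names are those defined in RFC 7489; anything else is reported.
KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "adkim", "aspf", "pct", "fo", "rf", "ri"}

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a dict of tag -> value."""
    record = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed tag: %r" % part)
        tag, value = part.split("=", 1)
        record[tag.strip().lower()] = value.strip()
    return record

def assess_dmarc(txt):
    """Return a list of findings; an empty list means the record is enforcing."""
    rec = parse_dmarc(txt)
    findings = []
    if rec.get("v") != "DMARC1":
        findings.append("missing or invalid v=DMARC1 tag; receivers ignore the record")
        return findings
    policy = rec.get("p")
    if policy is None:
        findings.append("no p= tag; the record is invalid")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam; p=reject blocks it")
    if "rua" not in rec:
        findings.append("no rua= address; you will not receive aggregate reports")
    pct = rec.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append("pct=%s applies the policy to only part of your mail" % pct)
    sp = rec.get("sp", policy)  # subdomain policy defaults to p=
    if sp == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")
    for tag in rec:
        if tag not in KNOWN_TAGS:
            findings.append("unknown tag %s= will be ignored by receivers" % tag)
    return findings

WEAK = "v=DMARC1; p=none"
STRONG = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"
```

Run `assess_dmarc()` on the TXT value you find with `dig TXT _dmarc.yourdomain` (or your DNS host's control panel); start at p=none to collect reports, then move to quarantine and finally reject once legitimate senders pass.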

See Business email compromise explained.

Need a hand?

If you're stuck, email support@chykalophia.com and we'll help. Include your website address and a screenshot if you can.
