Saturday, December 19, 2020

Using "Disposable" Email Accounts

Have you ever signed up for a newsletter only to then be spammed into oblivion by the newsletter authors and their various affiliations?  Ever receive a notice from your bank telling you that numerous attempts to access your account using your email address have occurred?  Do businesses ask you for your email address and you hesitantly give it to them only to receive an unending string of advertisements?

If so, you're not alone.  Our email addresses have become a ubiquitous and even necessary part of our lives.  In fact, many of the entities with which we do business won't even let us sign up for their online services or give us an account unless we provide an email address.  Many people use their email address for everything these days, from online shopping accounts to bank accounts, to providing the email address to auto repair shops and department stores as a way to identify themselves in future business dealings.  Healthcare, investment, retirement planning, social security, and many others are all examples of where we willingly submit our email addresses to conduct business in our busy lives.

Email gives us a huge amount of convenience.  But giving our email address to all of these entities presents a huge security risk as well.  At the very least, our own email addresses can be the source of information for others to launch tons of unwanted junk emails, SPAM, PHISHING emails, and just plain clutter.  There are not only the obvious annoyance risks but some serious personal security risks as well.


Security Risks:

Many times, our email address is also our username for the various accounts that we create online.  If that is the case, then half of the credentials needed to log in are already known or easy to guess.  If someone can find out where we do our banking, our shopping (most people shop at Amazon these days), and access our healthcare information, they quite possibly already have half of the information needed to access the account.  And since people are in the habit of using the same password for all of their accounts, if a bad guy gets into one account, the rest of the known accounts are easily accessible.

Another problem is that people have gotten into the groove of using the same formats for both usernames and email addresses - first initial and last name.  Their email address is jsmith@someemail[.]com and their username for many accounts is also jsmith.  If a hacker tries and fails with an email address, they have a pretty easy guess at what the username might be.  Whether or not the bad guy gets into your account, this then opens the door for a wide variety of problems, including identity theft, having our bank accounts drained, or them going around and signing us up for a plethora of newsletters and other online accounts just for spite.


Recommendations:

Besides being annoying, a lot of SPAM email also contains phishing links and tactics or has embedded malware.  And many of the newsletters that we may sign up for only need our email address at sign up so that they can send a verification email to make sure we are a human (and not a bot).  They send the verification email with a link, we receive the email, click on the link to verify, and then that email is really never needed by that account again unless they want to send more SPAM.  So having said that, there are a number of recommendations that will help keep the main email address from being compromised or used for SPAM purposes:

  • Use a "main" (primary) personal email address ONLY for emailing family and close associates.  Do not give this email address out freely.  Use this main email address to get notifications from top-tier accounts such as a bank, investment, health-care portals, and a few other critical accounts only as needed.

  • Do NOT use your email address as the username for your top-tier financial and health care accounts mentioned above if at all possible.  If they will give you a choice between an email address and a username to access the account, choose a username.  And then make the username complex.  Many people use their first initial and last name as a username.  That is way too easy to guess.  Instead, use something as complex and jumbled as you would a complex password.  For example, if my name is John Smith, instead of username jsmith I might select a username like M@rtyM00s3!! with which to log in.

  • Use two-factor authentication wherever possible, especially at banks and healthcare portals.  Most of those entities allow, and in fact, some now require two-factor authentication such as sending a PIN to your phone or sending a code to your email account that you will also enter at login.

  • Get a secondary (tertiary, etc.) email address from one of the free online email providers, such as Gmail, that you use to sign up for newsletters and online discussion forums.  When the spam gets to be too much, stop using that account.  Your primary email address remains unaffected.

  • Get a "disposable" email address from one of the providers mentioned in the videos listed in the resources below to use for the purposes of newsletter sign up and one-time verification.

  • Under NO circumstances use your official or work email to sign up for your personal accounts.

  • Do NOT use the same password for all of your different email addresses, and make your passwords for all of the accounts complex (at least 12 characters, a mixture of upper and lowercase letters, numbers, special characters, and NO dictionary words).  A robust password manager such as Dashlane or Roboform will help manage all of the various passwords.

  • Do NOT use initials and names for your disposable or secondary email address that allow people to easily guess your full name.  If I am setting up a disposable email address for use in signing up for a newsletter or product notifications, instead of wflinn@disposableprovider.com, I might use nococyberguy43@disposableprovider.com.  The disposable email providers typically present you with a randomized email address - use that if you wish.
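The username and alias advice above can be checked mechanically. The following is an added example, not part of the original post: a small Python script that flags usernames or email local parts derived from your own name (including simple character swaps) and generates a random replacement. The function names and the mail.example address are constructed for illustration.

```python
import re
import secrets
import string

# Common character swaps, undone before matching so "j5m1th" is read as "jsmith".
LEET = str.maketrans("013457@$!", "oieastasi")

def normalize(text):
    """Lowercase, undo common swaps, and keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))

def reveals_name(candidate, first, last):
    """Return the name-derived patterns found in a username or local part."""
    f, l, norm = normalize(first), normalize(last), normalize(candidate)
    if not f or not l:
        raise ValueError("first and last name are required")
    # first+last, last+first, and the initial-based forms such as "jsmith"
    patterns = {f + l, l + f, f[0] + l, l + f[0], f + l[0]}
    # A bare first or last name also gives the owner away (skip very short ones).
    patterns.update(p for p in (f, l) if len(p) >= 3)
    return sorted(p for p in patterns if p in norm)

def audit_address(address, first, last):
    """Check only the part of an email address before the '@'."""
    local, _, _domain = address.rpartition("@")
    return reveals_name(local or address, first, last)

def random_local_part(first, last, length=12):
    """Generate a random local part that carries no trace of the owner's name."""
    alphabet = string.ascii_lowercase + string.digits
    while True:
        candidate = secrets.choice(string.ascii_lowercase) + "".join(
            secrets.choice(alphabet) for _ in range(length - 1))
        if not reveals_name(candidate, first, last):
            return candidate

if __name__ == "__main__":
    # Constructed sample inputs for an account holder named John Smith.
    for username in ("jsmith", "j5m1th", "M@rtyM00s3!!"):
        print(f"{username!r}: {reveals_name(username, 'John', 'Smith') or 'ok'}")
    sample = "john.smith@mail.example"
    print(f"{sample!r}: {audit_address(sample, 'John', 'Smith') or 'ok'}")
    print("suggested local part:", random_local_part("John", "Smith"))
```

An empty result means no name-derived pattern was found; it does not measure how hard the username is to guess in other ways.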

Email provides us with a great deal of convenience but can be a source of a great deal of risk and even annoyance.  Your primary email account should be guarded almost as closely as your bank account number.  It really is a shame that we have had to become so guarded about something as ubiquitous as an email address.  But more and more the bad guys are using our email addresses as yet another vehicle with which to exploit us, steal our identities, and drain our bank accounts.  But with a few simple measures, we can prevent these personal disasters and keep our information and accounts secure.


Resources:

Article: How to Create Disposable Email Addresses

YouTube Video:  How to create a disposable email address for website registration.

YouTube Video:  Disposable Email Addresses | Tech Bytes | Website of the Day