Essential Email Security Best Practices: Security Awareness Manager's Playbook (2024)

This playbook will guide you through the essential email security best practices you need to know to educate employees, mitigate risks, and protect your organization.

Post hero image

Table of contents

Reduce your human cyber risk
Hoxhunt's adaptive security training dramatically increases engagement and security resilience.
Learn more

An estimated 3.4 billion emails are sent by cyber criminals every day...

And according to the FBI's Internet Crime Complaint Center, email-based attacks have surged by over 300% since 2020.

As new threats continue to emerge, you'll need to make sure your organization's email security practices are maturing to keep up with these threats.

This playbook will guide you through the essential email security best practices you need to know to educate employees, mitigate risks, and protect your organization against all types of email-based attacks.

Email security remains a top priority for security awareness managers

According to a 2024 survey of 500 cybersecurity leaders:

  • 94% of organizations experienced an email security incident
  • 91% experienced data loss
  • 94% fell victim to phishing

And the landscape of cyber threats is always evolving...

Out of nearly 100 million phishing emails blocked by Gmail filters, 68% belonged to a previously unknown scam.

Which means if you're on the frontline of defense, your best practices and training needs to be constantly evolving too.

The basics: common threats and attack vectors

Phishing attacks

Threat actors send phishing emails to trick your employees into revealing sensitive information or downloading malicious content.

These emails often impersonate reputable organizations or individuals, encouraging  recipients to click on malicious links or disclose data.


Malicious emails containing malware attachments or links can infect your business's network and compromise data.

Spoofing and email forgery

Email spoofing is when a sender's address is forged to appear as if it's from a trusted source.

Attackers may spoof domains or manipulate email headers to impersonate legitimate organizations.

Credential harvesting

Credential harvesting is when malicious actors attempt to steal employees' login credentials through phishing emails or fake login pages.

These credentials can then be used to gain unauthorized access to company systems, compromise sensitive data, or launch further attacks.

Social engineering attacks

Social engineering tactics exploit human psychology to manipulate employees into disclosing information or performing unauthorized actions.

Attackers may use pretexting, baiting, or psychological manipulation to deceive employees and gain access to sensitive data or systems.

Part 1: Strengthen your organizaton's password security

Make sure employees are using strong passwords

First off, you'll want to make sure strong passwords are being used across your organization.

These should be at least 13 characters long (or preferably even longer).

The most secure passwords are a combination of numbers, uppercase and lowercase letters, and symbols.

A few simple rules all employees should follow:

  • Don't reuse passwords across accounts.
  • Update passwords regularly.
  • Never use simple, easy-to-guess passwords (1234, password etc).

Strong passwords will make hacking significantly more difficult.

Getting past simple passwords can take seconds... but with strong passwords in place it could take years!

How long does it take to brute force hack your password?

Use a password manager

A password manager will allow you to safely store passwords.

And if your organization uses different advanced passwords for each website and service (which it should be), a password manager is pretty much a must-have.

Most password managers will also come with a password generator.

This will give your strong passwords that you can copy-paste from your digital safe to your login.

Password managers are nearly always safer than storing passwords in web browsers, computer files, or sticky notes (which is what they were built for, after all).

Implement multi-factor authentication (MFA)

Passwords alone are no longer sufficient to protect sensitive data and systems.

MFA adds an extra layer of security to the authentication process by requiring users to provide multiple forms of verification before gaining access to a systems.

MFA can prevent 99.9% of modern automated cyberattacks... but 38% of large organizations still don’t use it.

There are a few options when it comes to MFA. You can choose from cloud-based identity management platforms, on-premises authentication servers and third-party MFA solutions.

Here are some best practices to follow when setting up your MFA:

  • Choose authentication factors based on your specific needs: Select authentication factors based on security requirements and user preferences. High-security environments may require the use of biometric authentication, while less sensitive systems might use token-based authentication.
  • Customize MFA policies: MFA policies should be tailored to align with your organizational goals and risk tolerance. Define parameters such as authentication frequency, session timeouts, and enforcement mechanisms to ensure adequate protection against unauthorized access.
  • Monitoring and auditing: You'll also need to set up a process for continuous monitoring and auditing to detect anomalies and identify potential security incidents.

Note: Watch out for MFA fatigue attacks. Attackers may attempt to authenticate user accounts, sending multiple MFA authentication requests so that users are exhaust enough to approve a fraudulent request (hence the 'fatigue').

Best practices for managing passwords  

Regular password audits

Audit user passwords to identify weak or compromised credentials.

This doesn't always have to be a manual process...

You can use automated tools or scripts to detect password-related vulnerabilities and enforce password changes for users with insecure or weak passwords.

Use account lockout policies

Configure account lockout policies to automatically lock user accounts after a specified number of failed login attempts.

This helps prevent brute-force attacks as well as unauthorized access to accounts with weak or compromised passwords.

Regularly update authentication systems

Keep authentication systems and password management tools up to date with the latest security patches and updates.

Enforce least privilege access

Limit user access to only the resources and privileges necessary to perform their job functions.

Part 2: Protect against phishing attacks

How to spot a phishing email

Phishing websites typically try to appear legitimate (although some do this more successfully than others).

It will usually look like an existing legitimate website so that employees give away login credentials or other private information...

And your employees are most likely to receive a link to one of these websites via email.

The first thing is then to be wary of the sender of the email.

Make sure you know the sender and they they are who they say they are.

When receiving an email, there are a few details to look out for to tell whether or not its legitimate - and if you have phishing training in place, employees will be brought up to speed and regularly tested on these.

Here are some basic ways of assessing an email you'll want to make sure all employees are asking themselves 👇

Is an email from an unfamiliar sender?

Start with the sender's email details.

If you've never seen the email address before, its worth pausing to check its legitimacy.

If in doubt, copy the sender's email and google it with a keyword such as "phishing attempt", "hacking" or "scam".

If others have flagged the email, you'll be able to see that the email is indeed from a bad actor.

⚠️ Warning: This technique isn't completely foolproof. Attackers will switch up their addresses to get around this or fake reviews that claim addresses are legitimate.

Does the sender’s email look off?

Phishing attempts can come from another organization... or at least claims to be.

Lets say an employee receives an email from "".

It may be that there really is a John Hills that works for the company, but this doesn't necessarily mean the email is legitimate.

The email may have been hacked.

Or a new email may have been created to resemble the real one.

This is why its important to be on the lookout for misspelled addresses of different endings (e.g. company.dn as opposed to

Does the writing style and tone of the email sound legitimate?

If the email address looks familiar but the content or the style doesn't quite match up, employees should be suspicious.

Grammatical errors or spelling errors that an individual or organization is unlikely to make are red flags that shouldn't be ignored.

As phishing attacks become more sophisticated, the language used may not always contain errors that make them easy to catch.

But it may still be possible to pick up on any nuances in the style of communication itself.

If an email feels off, it may well be due to a subtle choice of words - you ay even pick up on this subconsciously.

This is why employees should be encouraged to trust their instincts.

If something feels fishy, its worth investigating.

How to ensure attachments are safe

Educate employees on safe practices

  • Train employees to be cautious when opening email attachments, especially if they are from unknown or unexpected senders.
  • Emphasize the importance of verifying the legitimacy of the sender before opening any attachments.

Use email filtering and scanning solutions

  • Implement email filtering solutions that can detect and quarantine suspicious attachments before they reach users' inboxes.
  • Use antivirus and anti-malware scanning tools to scan email attachments for known malware signatures and behavior patterns.

Use cloud-based file sharing platforms

  • Encourage the use of cloud-based file sharing platforms for sharing large files securely instead of attaching them to emails.
  • These platforms often provide built-in security features such as encryption, access controls, and link expiration dates.

How to encrypt emails

Choose your email encryption solution: Select an email encryption solution that meets your organization's security requirements and compliance standards. Look for encryption technologies that support both at-rest and in-transit encryption to protect emails both during transmission and while stored on email servers.

Implement transport layer security (TLS): Enable TLS encryption on your email servers to encrypt the communication channels between email servers and prevent eavesdropping or interception of emails in transit.

Use S/MIME or PGP encryption: Implement Secure/Multipurpose Internet Mail Extensions (S/MIME) or Pretty Good Privacy (PGP) encryption for end-to-end encryption of individual email messages.

Integrate encryption into email gateway solutions: Use email gateway solutions that offer built-in encryption capabilities to automatically encrypt outgoing emails based on predefined policies and rules.

Part 3: Send emails securely when on different networks

Email communication is particularly risky when on different networks.

This is why security teams need to educate employees about the security risks that come with sending emails on various networks and the measures they can take to reduce this risk.

What are the risks of employees using public Wi-Fi networks?

Eavesdropping: Public Wi-Fi networks are inherently insecure, making it easy for attackers to eavesdrop on email communications and intercept sensitive information.

Man-in-the-middle attacks: Attackers can launch MitM attacks on public Wi-Fi networks to intercept and modify email messages, steal login credentials, or inject malware into email attachments.

Rogue access points: Malicious actors may set up rogue Wi-Fi hotspots to lure unsuspecting users and intercept their email traffic.

Steps you can take to mitigate reduce this risk

Email filtering and scanning

Email filtering solutions will filter both inbound and outbound email traffic and scan messages to classify them as phishing, spam, malware, suspicious links, etc.

Setup a virtual private network (VPN)

Encourage employees to use VPNs (or go one step further and make them mandatory) when accessing business emails on public Wi-Fi networks to encrypt their internet traffic and keep them secure.

Make sure MFA is in place

As we covered above, MFA is will provide an additional layer of security that will help to ensure only employees can access your organization's systems and applications.

Use endpoint protection

With endpoint protection, you can defend computer networks that are remotely connected to your main network - securing endpoints such as laptops, desktops, servers, and mobile devices.

Install anti-virus software

Anti-virus software will detect and remove known malware and prevent a cyber attack.

However, you should be aware that new security threats are constantly emerging and that anti-virus software may not be able to catch all of them.

Backup important data and resources

Make sure that all vital data is secure and that you have backups in case an incident happens.

Implement access governance

Centralized access governance will allow you to you safely and easily manage who has access to your company’s data.

Only use safe collaboration tools

Provide employees with safe collaboration tools (like Teams, Slack, Dropbox).

These are safer than sending sensitive documents and information via email.

Consider using insider threat detection software

Insider threat detection software sends real-time alerts of suspicious behavior to isolate outliers and minimize risks.

Part 4: Assess which email security solutions and tools are worth implementing

Secure Email Gateways (SEG)

SEGs are designed to protect your organization from email threats such as spam, phishing, malware, and ransomware.

They act as a perimeter defense, intercepting incoming email traffic and filtering out malicious content before it reaches users' inboxes.

🧐 Use cases

  • Blocking spam and unsolicited emails to reduce inbox clutter.
  • Detecting and blocking phishing attempts that impersonate legitimate entities to steal sensitive information.
  • Preventing the delivery of malware-laden attachments and malicious links to mitigate the risk of malware infections and data breaches.

✋ Potential limitations

  • False positives: SEGs may occasionally flag legitimate emails as malicious.
  • Limited visibility into encrypted email traffic: SEGs may struggle to inspect encrypted email content, allowing malicious payloads to evade detection.
  • Over-reliance on signature-based detection: SEGs that primarily rely on signature-based detection methods may struggle to detect emerging and zero-day threats that lack known signatures.

Cloud email security

Cloud email security solutions are (as you probably guessed from the name) cloud-based email security platforms that provide protection against potential threats, including phishing, spear phishing and malware.

These solutions use threat detection algorithms, machine learning, and threat intelligence to safeguard your organizations' email environments.

🧐 Use cases

  • Centralized management for security policies, monitoring email traffic, and responding to security incidents.
  • Cloud-based architectures are fairly scalable and can handle fluctuations in email traffic volume to accommodate your organization's growth.
  • Integrated threat intelligence feeds and global threat databases to enhance detection accuracy and identify emerging threats.

✋ Potential limitations

  • Data privacy concerns: Entrusting sensitive email data to third-party cloud providers may raise concerns about data privacy depending on the kind of standards your industry expects.
  • Dependency on external service providers: Reliance on cloud-based solutions introduces dependency on external service providers, so there's always a risk of service disruptions or outages.
  • Limited customization and control: Some organizations tend to find that cloud-based email security solutions offer limited customization options and control over security policies compared to on-premises solutions.

Email data protection (EDP)

EDP solutions are designed to keep sensitive information contained within emails. They apply encryption, classification, and access controls to email content to prevent unauthorized access and leakage of confidential data.

🧐 Use cases

  • Compliance with data protection regulations such as GDPR, HIPAA, and CCPA by encrypting and protecting sensitive email content.
  • Protection against data breaches with encrypted email messages and attachments.

✋ Potential limitations

  • Implementation complexity: EDP solutions aren't always easy to setup and can sometimes require significant upfront investment in infrastructure and integration with existing email systems and applications.
  • User adoption challenges: Encouraging user adoption and compliance with encryption and classification policies may be challenging.
  • Performance impact: EDP solutions may result in minor latency and performance issues due to the encryption and decryption processes involved in securing email communications.

Part 5: Invest in training that works

Reducing phishing risk maximizes security ROI more than any other investment you can make...

But not all phishing training is effective.

If you want to drive real, trackable behavior change, you'll need to make sure your training follows the criteria below 👇

Relevant for your organisation  

Employee training should be relevant to their day-to-day role, location and skill level.

Training is not a one size fits all solution. The threats it covers should ideally be ones that the employee receiving training is actually likely to encounter.

Genuinely engaging

Training content can be a grind... but it doesn't have to be this way.

The best results generally come from training thats digestible, gamified and that rewards security-first behavior.

Tracking and reported functionality

You can't change what you can't measure.

So, make sure your training vendor provides metrics to test performance against.

Hoxhunt email security
This is what Hoxhunt's dashboard looks like 👆

📈 Maximize training outcomes with Hoxhunt

Hoxhunt offers phishing training, automated security awareness training and advanced behavior change - all in one human risk management platform.

Measurably change behavior by providing personalized, interactive and bite-sized training that people genuinely enjoy.

How do we know our process works?

  • 20x lower failure rates
  • 90%+ engagement rates
  • 75%+ detect rates
Hoxhunt human risk platform

Email security practices FAQ

What are some best practices for securing email accounts?

  • Using complex passwords.
  • Implementing two-factor authentication (2FA) for additional security layers.
  • Regularly updating antivirus software to detect and prevent malicious software.
  • Avoiding clicking on suspicious email links or downloading attachments from unknown sources.

How can employees contribute to email security within an organization?

  • Undergoing security awareness training to recognize and report suspicious emails.
  • Being cautious when sharing sensitive information via email.
  • Understanding the importance of email security measures and following company email security policies.

What are the risks associated with Business Email Compromise (BEC) attacks?

  • Compromising corporate email systems and accessing sensitive data.
  • Targeting business leaders, such as CEOs, for fraudulent financial transactions.
  • Exploiting human error and social engineering tactics to deceive employees into transferring funds or disclosing confidential information.

How can organizations protect against phishing attacks and suspicious email activity?

  • Implementing email authentication standards like DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF).
  • Using advanced email security solutions to detect and block phishing attempts, spam messages, and malicious attachments.
  • Encouraging employees to report suspicious email activity and providing tools for reporting.
Want to learn more?
Be sure to check out these articles recommended by the author:
Get more cybersecurity insights like this