Email Fraud. Simplified.

Email is still the number one attack vector online. Not social media. Not malware. Email. If someone wants to steal your money, your identity, or access to your accounts, they usually start with your inbox.

Modern email fraud isn’t obvious. It’s subtle, contextual, and often timed perfectly. This guide shows how to protect yourself from phishing, impersonation, fake invoices, account takeovers, and data harvesting — without turning daily life into paranoia.

I’ll break this down by effort and payoff. Same rules as before: casual, practical, and honest about tradeoffs. Let’s start where it matters most.

Beginner level. Massive risk reduction, minimal effort.

One rule that stops most scams

Never click links in emails. Ever.

If an email claims to be from your bank, a delivery service, Apple, Google, PayPal, or even your boss — open a new tab or an app and go there manually.

Trust me, if something is wrong, there will be a notification over there. Attackers rely on urgency and convenience. Remove convenience and the scam collapses.

Real red flags (not the obvious ones)

  • Emotional pressure — “Immediate action required”, “Final warning”, “Account suspended”.
  • Authority framing — legal threats, executives, finance or IT support.
  • Context mismatch — invoices you didn’t expect, shared documents you never discussed, password resets you didn’t request.

Modern scams look legitimate. What gives them away isn’t spelling — it’s pressure. If something forces speed, slow down.

Attachments are loaded weapons

Don’t download, open or run attachments you didn’t explicitly expect. Especially:

  • ZIP files
  • executable files
  • HTML attachments
  • Office files asking you to “Enable content”
  • Odd formats pretending to be PDFs

PDFs are safer — not safe. Treat attachments with the same caution as random USB drives.

Check the domain

While it won't guarantee that everything is legit (services get hacked), you can probably trust buttons, links and attachments sent from domains you already trust, like @google.com for example. But if it's something sensitive, even I double- and triple-check that it really is the correct domain. You can usually copy the part after the @ (in our case, "google.com") and paste it into the browser just to be sure it leads where you expect it to.
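Here is that check as code, added here as an example (not part of the original post): it pulls the domain out of a From: header the way the paragraph describes and compares it with a trusted list. The trusted list and every address are assumptions constructed for illustration.

```python
"""Added example, not from the original post: pull the domain out of a From:
header the way the paragraph above suggests and compare it with a trusted
list. The trusted list and every address here are constructed for illustration."""
from email.utils import parseaddr

TRUSTED = {"google.com", "paypal.com"}  # assumption: domains you actually trust


def sender_domain(from_header: str) -> str:
    """Lowercase domain of the real address; the display name is ignored."""
    _name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    try:  # show punycode (xn--) labels as Unicode so lookalikes are visible
        domain = domain.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        pass
    return domain


def check_sender(from_header: str, trusted=TRUSTED) -> str:
    """Classify a From: header; anything other than 'trusted' deserves a second look."""
    name, _addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not domain:
        return "no address"
    if domain in trusted:
        return "trusted"
    for t in trusted:
        if domain.endswith("." + t):
            return "subdomain of trusted"  # mail.google.com: plausible, still verify
        if t in domain:  # google.com.login-check.example: trusted name used as a prefix
            return "lookalike"
    for t in trusted:
        if t.split(".")[0] in name.lower():  # "Google" <x@gmaiI.com>: name says one thing
            return "display name mismatch"
    return "untrusted"
```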

Results

  • 80–90% of email fraud eliminated - statistically, these habits alone put you close to safe.
  • Lower inbox stress - you don't have to worry about doing something wrong. Knowledge is a powerful thing.

Intermediate. Control identity and blast radius.

Email aliases (this matters a lot)

If you use the same email address everywhere, fraud is inevitable. Email aliases let you create unique addresses per service and disable them instantly if they leak.

Leaks stop being catastrophic when every service has its own address. Plus you get to know who's at fault.

Many password managers have this feature nowadays. I recommend NordPass (it also checks whether your email addresses have leaked), Proton Pass, or just SimpleLogin with Proton Mail.

Separate important from public email

Aside from the aliases we talked about, it's good practice to have a couple of "main" emails you actually remember, for the times someone asks for your address IRL and creating and dictating an alias is too much of a pain:

  • Primary email — banking, government, core accounts.
  • Public email — signups, newsletters, random services.

Alias protection from DuckDuckGo is a good choice if you want all emails to end up in the same inbox. It adds another layer of protection on top of your main email, and if it leaks, it doesn't point back to you. Win-win!

If you don't expose your main email online, attackers don't know it exists, so they can't target it.

Account takeover defense

If someone controls your email, they control everything else. Password resets, 2FA resets, recovery flows — all start there.

So be sure to use at least one (or better, all) of the below:

  • Strong, unique password
  • App-based or hardware 2FA
  • Equally protected recovery email

Impersonation scams

These cause the most financial damage. CEO fraud, fake vendors, fake lawyers, fake HR. They may ask you to send money, paste a code, or log in somewhere on their behalf. Whatever the request, it's always better (and your partners will appreciate it) to call back or write through another messenger.

Never act on sensitive requests based on email alone. Always verify via a second channel.

Results

  • Near-zero successful phishing - at this point you are almost immune to email scams.
  • Clear visibility into data leaks - and you can manage your online identity based on the data.

Advanced. Structural immunity and strategy change.

This level assumes attackers are persistent and targeted. The goal here isn’t detection — it’s removing trust from email itself.

Custom email domains

Using your own domain gives you full control, unlimited aliases, and long-term portability. If a provider changes policies, you move — not them.

Email authentication

SPF, DKIM, and DMARC prevent attackers from impersonating your domain. If you run a domain and don’t configure these, spoofing is trivial.
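Added here as an example (not from the original post): a small lint for the SPF and DMARC TXT records mentioned above, with a weak DMARC record beside a hardened one. The records are constructed, and the domain in them is a placeholder; in practice you would fetch your own records from DNS.

```python
"""Added example, not from the original post: a small lint for the SPF and
DMARC TXT records mentioned above. The records below are constructed; in
practice you'd fetch them from DNS (e.g. `dig TXT _dmarc.yourdomain.example`)."""


def spf_findings(record: str) -> list[str]:
    """Point out the parts of an SPF record that leave spoofing easy."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all", "?all"):
        findings.append("'all' is pass or neutral: anyone may send as this domain")
    elif last == "~all":
        findings.append("softfail '~all': spoofed mail is tagged, not rejected")
    elif last != "-all" and not last.startswith("redirect="):
        findings.append("no terminal 'all' mechanism: unknown senders are neutral")
    if sum(t.lower().startswith("include:") for t in terms) > 10:
        findings.append("more than 10 include: terms exceed the RFC 7208 lookup limit")
    return findings


def dmarc_findings(record: str) -> list[str]:
    """Point out DMARC settings that leave spoofed mail delivered or unreported."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}: spoofed mail is not rejected")
    if tags.get("sp", policy).lower() != "reject":
        findings.append("subdomain policy is weaker than reject")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua: you get no aggregate reports about spoofing attempts")
    return findings


# Constructed records: the weak setting beside the corrected one (placeholder domain)
WEAK_DMARC = "v=DMARC1; p=none"
HARDENED_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@yourdomain.example"
```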

Sandboxing and isolation

High-risk users should isolate email interactions: separate browser profiles, read-only viewers, or even disposable environments.

Know when email is wrong

Email is not secure, not private, and not reliable for irreversible actions. If something truly matters, email should notify — not execute.

Know what to do when email is leaked

Unfortunately, given the current state of the web, it's only a matter of time before your email, along with some other private information, leaks. So you'd better have a plan in your head for what you're going to do when it does.

No one-size-fits-all advice

At this level it's a custom game against "them". There is no single method or tool that wins. You need to adapt and stay one step ahead. Our company can help you with that, so please get in touch if you or your company have reason to believe you're going to be targeted.

And I'll just say that running a public company is already reason enough...

Results

  • Targeted attacks fail quietly
  • Impersonation becomes difficult
  • Email becomes boring

Beyond reason

Most people don’t need air-gapped machines or disposable laptops. Fraud prevention collapses when convenience disappears.

Thanks for reading — this one matters more than most people realize. If you want a breakdown of real phishing campaigns or business email compromise, let me know. Stay boring. Stay skeptical.