Many moons ago, I signed up for a website called Have I Been Pwned. This website tracks your information, and if it shows up in a leak or hack, it notifies you. It’s a great tool, and I recommend you all use it, especially in our current times full of security breaches. Today, I got a notification that I had been leaked along with 1.4 billion people. Billion with a B. This leak included Full Names, addresses, IP addresses, etc.
So here’s a tutorial on setting up a secondary email that is specifically for questionable websites. This won’t completely eliminate the threat, but it’s one extra step of protection. Every time you play an app on Facebook, or sign in with Google, or take one of those quizzes, you’ll probably notice that they ask permission to read your profile. When you do, they (whoever created the game) compile that information. Maybe they track your usage to know how often you use the service or game. Maybe they gear marketing towards you based on the information they compile. Maybe they sell your information legally or illegally. Whatever the case, by being on the internet, you’re giving a metric fuckton of information away.
One of the most effective hacks is called a social engineering hack. The idea is that the attacker learns as much about you as they can, and then uses that information to guess your security questions. Then they reset your password. Usually, they’ll start with email. Then they’ll go to your Facebook, and have a password reset email sent… to the email they now control. Now they have your Facebook. Then they look at your friends list. They start gathering information on them. The cycle continues. While this article isn’t about social engineering, it is about protecting your personal information as much as possible.
First, you need an email address. You’re on the internet, so you probably do. It does need to be able to receive IMAP email from another account. Most already have this feature, but I’m going to use Gmail in my example, because I know it works.
Next, you’ll need to create a secondary email address. The only requirement here is that it can forward emails via IMAP. It should also be memorable. Don’t pick something like firstname.lastname@example.org. Let’s say your normal email is “email@example.com”, pick “firstname.lastname@example.org” for your secondary email.
Email is sent via POP3 or IMAP. POP3 is the old version. For this context, the basic difference is that POP3 forwards the email, while IMAP syncs the email. It’s not that big of a deal, but it keeps the clutter down.
Here’s the premise. Let’s say I use “email@example.com” as my main address. I’ll use “firstname.lastname@example.org” as the secondary. I’ll give the secondary address for just about everything I don’t trust, and load it with fake information. Then I’ll forward the secondary address to my main address, and have it instantly marked as spam. That way, if I do actually need an email, I can get it, but by default, it doesn’t fill up my inbox. Plus, if the secondary address is compromised, the attacker doesn’t have my real information.
Anyway. We create our fake email. When asked for personal information, we won’t give accurate personal details. As far as Gmail or whatever is concerned, the secondary address belongs to Bob Smith who lives at 123 Awesome Street, and was born January 1st, 1901. Next, go into Settings. Each email service is slightly different, but we’re looking for something along the lines of Forwarding or IMAP. In Gmail, it’s (gear icon)>Settings>Forward and POP/IMAP.
Click Enable IMAP. You might have the option to delete old email. That’s fine. Just saves space on the server. Next, look for the configuration instructions to set up Outlook. You’ll need the incoming server, whether or not it uses SSL, and a port number. You can also get the SMTP (outgoing) server information if you want.
Now go to your legit email account. Go into Settings and look for Accounts or Import. Add the spam account based on the previous information. In Gmail, it’s (gear icon)>Settings>Account and Import>Check mail from other accounts. If you’re using two Gmail accounts, open them in different browsers, so you can have them both open at the same time. Like, open one in Chrome and one in Firefox.
Lastly, we want any email coming from the spam account to go to the Spam folder on our main account. In Gmail, go to (gear icon)>Settings>Filters and Blocked Addresses, and click “Create a new filter” at the bottom. Mark anything TO the spam email address. Click Next, and then “Skip the inbox”, “mark as read”, and “move to Spam”. You might have to create a second folder called Spam, because Google won’t let you move things from their default folders anymore.
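The filter rule above, sketched as an added example (not part of the original post) so its logic can be tested against sample messages. It goes slightly beyond matching the To field: mail sent by Bcc or through a list may carry the secondary address only in Delivered-To or X-Original-To, assuming the provider records it there. The address spam.alias@example.net and all sample messages are constructed.

```python
from email import message_from_string
from email.utils import getaddresses

SPAM_ADDRESS = "spam.alias@example.net"  # hypothetical secondary address
# Headers that can carry the recipient; the last two are set by many
# providers at delivery time (assumption: yours does the same).
ADDRESS_HEADERS = ("To", "Cc", "Delivered-To", "X-Original-To")


def recipients(msg):
    """Return every address found in the recipient headers, lower-cased."""
    values = []
    for name in ADDRESS_HEADERS:
        values.extend(msg.get_all(name, []))
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def route(raw_message, spam_address=SPAM_ADDRESS):
    """Mimic the filter: mail for the secondary address skips the inbox."""
    msg = message_from_string(raw_message)
    if spam_address.lower() in recipients(msg):
        return {"folder": "Spam", "read": True}
    return {"folder": "Inbox", "read": False}


# Constructed sample messages.
STORE_NEWSLETTER = (
    "From: deals@shop.example\n"
    "To: Bob Smith <Spam.Alias@Example.net>\n"
    "Subject: 20% off\n\nhello\n"
)
BCC_BLAST = (
    "From: list@quiz.example\n"
    "To: undisclosed-recipients:;\n"
    "Delivered-To: spam.alias@example.net\n"
    "Subject: Activate your account\n\nlink\n"
)
PERSONAL = (
    "From: friend@example.org\n"
    "To: me@example.net\n"
    "Subject: lunch?\n\nhi\n"
)

if __name__ == "__main__":
    for name, raw in [("newsletter", STORE_NEWSLETTER),
                      ("bcc", BCC_BLAST), ("personal", PERSONAL)]:
        print(name, route(raw))
```

If a message like the Bcc sample lands in your inbox anyway, the filter is matching on To alone; matching on the address anywhere in the message catches it.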
Now you just have to remember to use the spam email address. If a store or something asks for your email address, give them the spam email. If a website wants you to create an account, use the spam email. Some websites need you to “activate” your account, so you can still get the link from your main account by checking your spam folder.
Oh, and just to be safe, you should set up Two Factor Authentication on everything, even your spam email.