My email address is [CENSORED]

Phishing

How public should your email be? That's a question many of us do not really think about, especially within the world of business.

After all, your email address is really no different to your street address, is it? The closest dictionary to hand on the iPad I am writing this on (WordWeb if you are interested in such things) confirms my understanding that an address is defined as "the place where a person or organisation can be found or communicated with," be that a geographic location or something non-corporeal such as a web or mail server that exists in the cloud.

The point being that an address, be it office, web or email, exists to enable your customers to contact you. So why is one security vendor warning business users that revealing their email addresses is a security risk?

Now that, it seems to me, is something on a backwards approach to the phishing problem.

Here's what Websense Security Labs has to say on the matter after conducting research into the number of email addresses appearing on Twitter: "Thousands of businesses and consumers are putting themselves at risk each day by publicly revealing their email addresses on Twitter." The company goes on to argue that because those addresses are "connected with their inboxes, social media identities and bank accounts" it leaves business users exposed to "advanced social spear phishing attacks."

Carl Leonard from the Websense Security Labs goes as far as to warn businesses using social media to communicate with customers that they "need to consider ways to ensure that employees are protected from these new threats." Furthermore, employers should "re-evaluate acceptable use policies to discourage staff from sharing email addresses on Twitter." Now that, it seems to me, is something on a backwards approach to the phishing problem.

To suggest that acceptable use policies need updating to make placing already-public email addresses on social media some kind of hanging offence is, frankly, daft. The warning that cyber criminals could use the addresses, together with associated information harvestable from public services, to launch spear phishing attacks is perfectly valid, but the conclusion is all wrong. What business should be doing, I would suggest, is ensure employees are sufficiently aware of the risk of clicking on unsolicited links - an action that has led to many a successful phishing attack.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.