Email Safety Basics: Settings That Reduce Junk, Scams, and Hijacks
Email is the front door to your business. It’s how you reset passwords, receive invoices, communicate with clients, and sign contracts. If someone compromises your email, they don’t just read your messages—they can impersonate you, redirect payments, and access nearly every other account you have.
The good news: a few settings changes make your email dramatically harder to hijack.
Why this matters
Most business compromises start with email. An attacker gets in through a phished password or a weak setting, then quietly watches, forwards messages to themselves, or impersonates you to your clients and vendors. The damage isn’t always obvious right away—sometimes they sit in your inbox for weeks before making a move.
What to do (30-45 minutes)
Turn on MFA
If you haven’t already, stop and go do this first. Everything else is secondary. See the MFA post for the details.
Use a separate admin account
Don’t manage your email system from the same account you use to read email every day. Your Microsoft 365 or Google Workspace admin account should be a separate login that you only use for admin tasks. If your daily account gets compromised, the attacker doesn’t get the keys to the kingdom.
Disable legacy authentication (Microsoft 365)
Older email protocols (POP, IMAP, SMTP with basic auth) don’t support MFA. They’re a backdoor. If you’re on Microsoft 365, disable legacy authentication in your security defaults or Conditional Access policies. Most modern email apps don’t need it.
Check mailbox forwarding rules
This is a favorite attacker trick: they get into your inbox, set up a forwarding rule that copies everything to an external address, and then sit back and watch. They might even delete the forwarding rule notification so you never notice.
Do this now:
- In Microsoft 365: Check Outlook rules for any forwarding to external addresses. As an admin, check mail flow rules in the Exchange admin center.
- In Google Workspace: Check Settings > Forwarding to see if anything unexpected is configured. As an admin, review routing rules in the admin console.
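For the Microsoft 365 side of that check, here is an added example (not part of the original post) that lists every mailbox-level forward and every inbox rule that forwards or redirects mail to an address outside your own domains. It assumes the ExchangeOnlineManagement PowerShell module is installed, that you run it from your separate admin account, and that the tenant's accepted domains are the only "internal" ones.

```powershell
# Added example: audit Exchange Online for forwarding to external addresses.
# Assumes the ExchangeOnlineManagement module and an admin sign-in.
Connect-ExchangeOnline

# Every accepted domain in the tenant counts as internal.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() }

function Test-ExternalAddress {
    param([string]$Address)
    if ([string]::IsNullOrWhiteSpace($Address)) { return $false }
    # Recipient strings look like "smtp:user@domain" or "Name [SMTP:user@domain]".
    if ($Address -match '[^\s<>\[\]":;]+@([^\s<>\[\]":;]+)') {
        $domain = $Matches[1].ToLower()
        return -not ($internalDomains -contains $domain)
    }
    return $false
}

$findings = @()
$mailboxes = Get-EXOMailbox -ResultSize Unlimited -Properties ForwardingSmtpAddress

foreach ($mbx in $mailboxes) {
    # Mailbox-level forwarding (set by an admin or via Outlook settings).
    if (Test-ExternalAddress $mbx.ForwardingSmtpAddress) {
        $findings += [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName
            Type    = 'MailboxForwarding'
            Target  = $mbx.ForwardingSmtpAddress
        }
    }
    # Inbox rules that forward, forward-as-attachment, or redirect.
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.UserPrincipalName)) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            if (Test-ExternalAddress "$t") {
                $findings += [pscustomobject]@{
                    Mailbox = $mbx.UserPrincipalName
                    Type    = "InboxRule: $($rule.Name)"
                    Target  = "$t"
                }
            }
        }
    }
}

# Anything listed here should be recognised by the mailbox owner or removed.
$findings | Format-Table -AutoSize
```

Run it on a schedule rather than once, since a rule added after a brief compromise will not show up in a single pass.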
Enable external sender warnings
Most email platforms can flag messages from outside your organization with a banner like “[External]” in the subject or a warning at the top of the message. This is a small visual cue that helps people pause before trusting an email that looks internal but isn’t.
- Microsoft 365: External sender tags are on by default in newer tenants. Check your Exchange Online settings.
- Google Workspace: Enable external recipient warnings in Admin > Apps > Google Workspace > Gmail > Safety.
Clean up shared inbox practices
If your team uses shared inboxes (info@, support@, billing@):
- Each person should log in with their own account and access the shared mailbox through delegation or shared access—not by sharing one password
- Audit who has access quarterly
- Remove people who no longer need it
Common mistakes
- No MFA on the admin account. The admin account is the most powerful account in your organization. If it only has a password, you’re one phish away from losing control of everything.
- Ignoring forwarding rules. Check them periodically, not just once. An attacker who gets brief access can set up forwarding and then log out.
- Sharing one mailbox password among the team. This makes it impossible to track who did what and impossible to revoke access cleanly. Use delegation features instead.
- Never checking the sign-in logs. Both Microsoft 365 and Google Workspace show you where and when accounts were accessed. Glance at these occasionally. A login from a country you don’t operate in is a red flag.
Quick checklist
- MFA enabled on all email accounts
- Separate admin account for email management
- Legacy authentication disabled (Microsoft 365)
- Mailbox forwarding rules checked for anything unexpected
- External sender warnings enabled
- Shared inboxes use delegation, not shared passwords
This post is part of the Minimum Security Posture series.
If you’d like a second set of eyes, I can run through this with you and point out the top risks in your setup—no pressure.