Can Multiple Email Addresses Protect You From Cyber Thieves?

Stay safe online whether you have one account or many

Katherine Skiba,

AARP

Comments

En español

Published December 03, 2021

/ Updated August 12, 2024

A woman looking at a wall of email icons with an eye in the middle

Rob Dobi

In this story

One? Or more? • When you’re hacked • Spread out the risk • Email’s here to stay • 8 pro tips

Do we really need more than one email account?

For security and privacy reasons, many people choose to have a spare email. But in an era when data breaches are a dime a dozen, maybe that’s no longer a good idea.

Some experts say one account is perfectly fine, provided you build up your digital defenses. That begins with using:

• A unique, complex password or passphrase that you don’t use for another digital account, whether it’s for online shopping, financial matters or medical confidentiality.

• Two-step verification — also called two-factor or multifactor authentication— to sign into your account. That provides an extra layer of security in case your password is stolen.

Reports of people having their email accounts hacked or spoofed are all too common, says President and CEO Eva Velasquez of the Identity Theft Resource Center, a San Diego-based nonprofit.

“It happens on a daily basis,” she says.

What happens when a crook cracks your password

Hacking means cyber crooks have taken control of your account.

“They can see everything in your inbox. They can send from your inbox,” Velasquez says. “They change the password. You no longer have access.”

Spoofing, on the other hand, is when someone disguises an email address, phone number or web address, often by changing a letter, symbol or number. The phony email is tied to a different account.

Criminals count on being able to manipulate people into thinking spoofed emails are real, and that can lead unsuspecting victims to download malicious software, send money or reveal personal or financial information. You’ll see this in “account update” emails from shady entities saying they’re Amazon but really are on a phishing expedition for your info.

Take Gmail, the world’s largest email service with billions of users worldwide. Its robust defenses block 99.9 percent of spam, phishing and malware from inboxes, says Ross Richendrfer, a Gmail spokesman for security matters. Even so, he cautions, “we know bad actors are constantly looking for ways to break in.”

More than one email account is effective, but don’t overdo it

Cybersecurity is not one-size-fits-all, Velasquez says.

“If you’re tech-savvy and you have the skills and the ability to manage multiple email accounts appropriately, then that’s the best practice,” she says.

Don’t bite off more than you can chew. If a person sets up too many email accounts, the complexity may increase the risk of victimization, says Christopher Budd, director of threat research for global cybersecurity firm Sophos.

Budd likens a person with too many accounts to a homeowner who has a $20,000 security system but doesn’t know how to use it. The costly bells and whistles are not “going to protect you as well as a good deadbolt lock that you had installed and know how to operate,” he says.

Three is a magic number. Some people are comfortable with multiple email accounts. Tony Anscombe, the chief security evangelist with ESET cybersecurity, encourages people to maintain a separate email account but only for banking and financial transactions.

“It’s very, very rare that you hear of a bank or financial organization having a data breach,” he says. “That’s because they take cybersecurity so seriously.”

Anscombe suggests using a second email account for communicating with friends and family, and a third “throwaway” account — sometimes called a “burner” account — for party invitations, online discounts, newsletters and other noncrucial communication. If too much junk or spam floods the throwaway account, just delete the account and start a new one, he says.

Love it or hate it, email prevails

Even with texting, chat apps and other ways to communicate, email remains huge, according to The Radicati Group of Palo Alto, California, which estimated nearly 4.5 billion email users worldwide sent 362 billion emails a day in 2024.

At Gmail, Richendrfer urges users to consider a secure alternative to a password, like a passkey. It lets you sign onto Gmail with a fingerprint, face scan or device screen lock, such as a PIN. Unlike passwords, passkeys can exist only on your devices; they can’t be written down or accidentally passed on to a cyber crook.

Velasquez favors the use of consent-based biometrics for authentication purposes. Though people may be squeamish about it, your face isn’t a secret.

“You wear it outside every day,” she says. When people balk at providing a facial recognition scan, she reminds them that if you have a driver’s license, the state already has your photo.

8 more email tips from the pros

1. Keep your email addresses private. Share them only with those who need to know. Never incorporate personal information, such as your date or year of birth in your email address or password.

2. Change your passwords periodically.

3. Limit your sign-ups. A less-cluttered inbox will make it easier to detect sketchy emails, which you should ignore, delete and flag to your email provider. Also, don’t open suspicious emails, click on their links or open attachments within them. And if you receive a suspicious, unsolicited email, don’t hit “unsubscribe” since you could signal to a bad actor that your email is valid and active, Anscombe says.

4. Use a different sign-on name, not your email, when visiting websites to browse, shop or pay bills. And be careful what you share with merchants. If asked for your birthday, pick a random date, Velasquez says.

5. Never share the text or email authorization code that two-step authentication may require of you. Sometimes this is needed only when signing in from an unrecognized device. Cyber crooks will invent excuses to steal it from you.

6. Use antivirus software and perform security updates.

7. Look for the lock next to the domain name displayed by your browser when visiting a website. It’s like a website’s driver’s license. Click on the lock to ensure the site is genuine. For example: If you visit nordstrom.com, don’t make a purchase if what’s behind the lock says something unusual, such as n@rdstroms.com.

8. Consider checking out as a guest when shopping online, and think twice about having a vendor store your payment information. Anscombe says he never lets a merchant store his credit card information.

“I type it in. It’s a 16-digit number,” he says. “Don’t leave your data laying all over the internet because that’s in fact what you’re doing.”

Since cybersecurity isn’t simple, ask for help from a trusted person or entity. It’s not a sign of weakness.

“Leveraging the collective wisdom of your network is a show of strength,” Velasquez says.

Two good sources for information about cybercrimes and fraud are AARP’s Fraud Watch Network and the Federal Trade Commission’s IdentityTheft.gov.

This story, originally published Dec. 3, 2021, was updated with new statistics and cybersecurity recommendations.

%{postComment}%

Katherine Skiba is a contributing writer for AARP. She has reported for the Chicago Tribune, U.S. News & World Report and the Milwaukee Journal Sentinel, and is the author of a wartime memoir, Sister in the Band of Brothers: Embedded With the 101st Airborne in Iraq. She was a Nieman Journalism Fellow at Harvard University.