Insights | Mar 29, 2026 | SmartMail Team

Email Security Checklist for 2026: What Every Professional Should Know

3.4 billion phishing emails are sent daily. AI-generated phishing has a 60% higher click rate. Here is a practical 10-point checklist to protect your email accounts, your data, and your organization in 2026.


Over 3.4 billion phishing emails are sent every day. 68% of cyberattacks start with a malicious email. The average phishing breach costs $4.9 million and takes 254 days to identify and contain.

These are not projections. These are the numbers from the first quarter of 2026.

AI has made it worse. AI-generated phishing emails now account for over 40% of all reported phishing attempts, and they have a 60% higher click rate than traditionally crafted ones. They are grammatically perfect, personally targeted, and nearly indistinguishable from legitimate messages.

This checklist covers what every professional should be doing right now to protect their email accounts, their data, and their organization. No jargon, no enterprise-only advice. Just the things that actually matter.

1. Enable Two-Factor Authentication on Every Account

This is the single most effective thing you can do. If your email account only requires a password to log in, it is vulnerable. Passwords get leaked in data breaches, replayed through credential stuffing (trying leaked username/password pairs against every other site), or stolen through phishing. Two-factor authentication (2FA) adds a second check, so a stolen password is not enough on its own. One caveat: a phishing page that relays your one-time code to the real site in real time can still get in, which is why the type of second factor matters.

What to use:

  • Best: Hardware security keys (YubiKey, Google Titan) or passkeys. These are phishing-resistant because the credential is bound to the site's origin: the browser only offers it to the domain it was registered on, so a look-alike domain gets nothing it can relay.

  • Good: Authenticator apps (Google Authenticator, Microsoft Authenticator, Authy). These generate time-based one-time codes (TOTP) that change every 30 seconds. The code depends only on a shared secret and the clock, not on the site you are visiting, so a convincing fake login page can still capture one and use it within that window.

  • Avoid if possible: SMS-based 2FA. SIM swapping attacks can intercept your text messages. It is still better than no 2FA, but it is the weakest option.

Where to enable it:

  • Gmail: Google Account > Security > 2-Step Verification

  • Outlook: Microsoft Account > Security > Advanced security options > Two-step verification

  • Apple ID: Settings > Your Name > Sign-In & Security > Two-Factor Authentication

If you manage a team, enforce 2FA for all users without exception. 33% of employees are susceptible to phishing at baseline, but organizations that implement security training and enforce 2FA see susceptibility drop by over 86% within a year.

2. Stop Using App Passwords Unless You Absolutely Have To

App passwords are static passwords that bypass 2FA for apps that do not support modern authentication. They were designed as a bridge, not a permanent solution. If you are still using app passwords for email clients, calendar apps, or third-party tools, you are creating a backdoor around the 2FA you just enabled.

What to do instead:

  • Use email clients and apps that support OAuth 2.0 authentication. OAuth lets you grant an app access to your email without sharing your password. The app gets a token, not your credentials.

  • Review your app passwords right now. In Gmail, go to Google Account > Security > App Passwords. In Outlook, check Microsoft Account > Security > App Passwords. Delete any you do not recognize or no longer use.

  • Microsoft is fully deprecating Basic Authentication (which includes app passwords) by April 30, 2026. If you are still relying on it, your access will stop working.

Why this matters: An app password is a static credential that never expires and bypasses 2FA. If it leaks, an attacker has persistent access to your email until you manually revoke it. OAuth tokens can be scoped (read-only vs full access) and revoked centrally.

3. Audit Your Connected Apps and Permissions

Every time you click "Sign in with Google" or "Allow access" on an OAuth popup, you are granting an app permission to your email data. Most people have granted access to dozens of apps over the years and forgotten about most of them.

One of the biggest threats in 2026 is "consent phishing." The attacker registers a malicious app with Google or Microsoft and sends you a link to the provider's genuine consent screen. Everything about the popup is real; only the app behind it is hostile. If you click Allow, that app receives a token to read (or send) your email that works without your password, is not stopped by 2FA, and keeps working until you revoke it.

What to do:

  • Gmail: Go to myaccount.google.com/permissions and review every app that has access. Remove anything you do not actively use.

  • Outlook: Go to Microsoft Account > Privacy > App Access. Review and revoke apps you do not recognize.

  • Check what permissions each app has. "Read your email" is very different from "Read, send, and delete your email." If a note-taking app has full email access, that is a red flag.

Do this audit quarterly. It takes five minutes and closes access paths you forgot existed.

4. Recognize AI-Generated Phishing

The old advice of "look for spelling errors and bad grammar" no longer works. AI-generated phishing emails are polished, contextual, and often reference real information about you or your organization.

What AI phishing looks like in 2026:

  • Perfect grammar and professional tone that matches the impersonated sender

  • References to real projects, meetings, or people from your publicly available information (LinkedIn, company website, social media)

  • Urgent requests that create time pressure: "The invoice is overdue," "Your account will be suspended," "The CEO needs this by end of day"

  • Links that look legitimate but redirect through multiple domains

  • QR codes in emails (QR-based phishing increased 400% between 2023 and 2025)

What still works:

  • Hover over links before clicking (on a phone, long-press to preview). Check that the domain the link actually goes to matches the sender's organization, reading from the right: example-corp.com.invoice-portal.net belongs to invoice-portal.net, not to example-corp.com.

  • Verify unexpected requests through a different channel. If your "boss" emails asking for a wire transfer, call them.

  • Be skeptical of urgency. Legitimate organizations rarely threaten immediate consequences in an email.

  • Never scan a QR code from an email unless you independently verify the sender.

  • Check the sender's actual email address, not just the display name. "John Smith" can display as the name while the actual address is randomstring@suspicious-domain.com. The reverse also holds: a correct-looking address is not proof, because the From header can be forged outright when the impersonated domain has no DMARC enforcement. Treat the address as one check among several.

5. Set Up Email Authentication for Your Domain

If you send email from your own domain (yourname@yourcompany.com), you need three authentication protocols configured. Without them, anyone can send emails pretending to be you, and major email providers will increasingly reject or spam-folder your legitimate messages.

The three protocols:

  • SPF (Sender Policy Framework): A DNS TXT record that lists which servers are allowed to send email for your domain. Receiving servers check it against the envelope sender (the bounce address, not the From line you see), so a message from a server that is not listed fails the check and can be treated as unauthorized.

  • DKIM (DomainKeys Identified Mail): Adds a cryptographic signature to your outgoing emails using a private key whose public half is published in DNS. The receiving server can verify that the message was signed by the domain named in the signature and that the signed headers and body were not altered in transit.

  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): Ties the other two to the From address the recipient actually sees. A message passes if SPF or DKIM passes for a domain that aligns with the From domain; if neither does, DMARC tells receiving servers what to do with it. You set a policy: none (monitor only), quarantine (send to spam), or reject (block entirely), plus a rua= address where receivers send aggregate reports of what they saw.

How to implement:

Start with a DMARC policy of p=none and a rua= reporting address to see who is sending email from your domain. Analyze the aggregate reports for a few weeks to identify legitimate senders you may have missed (a CRM, a ticketing tool, a newsletter service) and get each of them signing with DKIM or listed in SPF under a domain that aligns with yours. Then move to p=quarantine, and eventually p=reject once you are confident every legitimate sender is authenticated. Until you reach p=reject, a spoofed message from your domain is still delivered.

Google began rejecting non-compliant bulk senders in November 2025. If your domain sends newsletters, marketing emails, or transactional messages without SPF, DKIM, and DMARC, your deliverability is already suffering.
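The rollout above has two mechanical parts: checking that the records you publish say what you think they say, and turning the aggregate reports into a list of sources to chase down. The script below is an added example for this post, not SmartMail code; the SPF and DMARC records, the domain names and the aggregate report XML are all constructed. It counts the DNS-lookup mechanisms in an SPF record (RFC 7208 allows at most ten, and every include: you add spends one), flags a permissive all term, reads the DMARC tags, and reduces an RFC 7489 aggregate report to the source IPs that failed both aligned SPF and aligned DKIM.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed records for a fictional domain; not real DNS data.
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 include:_spf.google.com include:sendgrid.net -all"
DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com; adkim=s; aspf=s; pct=100"

# Mechanisms that cost a DNS lookup during evaluation (RFC 7208 section 4.6.4).
LOOKUP_TERM = re.compile(r"^(include:|a$|a[:/]|mx$|mx[:/]|ptr|exists:|redirect=)")

def parse_spf(record: str) -> dict:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    lookups, all_qualifier = 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        if LOOKUP_TERM.match(body):
            lookups += 1
        if body == "all":
            all_qualifier = qualifier
    return {
        "lookups": lookups,                   # over 10 and receivers return permerror
        "all": all_qualifier,
        # "+all", "?all" or no "all" at all lets anyone send as you; use "~all" or "-all".
        "weak_all": all_qualifier in (None, "+", "?"),
    }

def parse_dmarc(record: str) -> dict:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def dmarc_issues(tags: dict) -> list:
    issues = []
    if "rua" not in tags:
        issues.append("no rua= address: you will receive no aggregate reports")
    if tags.get("p", "none") == "none":
        issues.append("p=none: monitoring only, spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']}: policy applied to only part of the traffic")
    return issues

def failing_sources(report_xml: str) -> list:
    """Reduce an aggregate report to (source_ip, message_count, envelope_domain) for sources
    that failed DMARC. DMARC passes when either aligned result is 'pass', so a row only
    counts as failing when both policy_evaluated results are 'fail'."""
    root = ET.fromstring(report_xml)
    totals = defaultdict(lambda: [0, None])
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        if evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass":
            continue
        ip = row.findtext("source_ip")
        totals[ip][0] += int(row.findtext("count"))
        totals[ip][1] = rec.findtext("auth_results/spf/domain")  # who the bounce address says sent it
    return sorted(((ip, n, dom) for ip, (n, dom) in totals.items()), key=lambda t: -t[1])

# Constructed aggregate report in the RFC 7489 Appendix C layout. Three sources: the
# domain's real mail, a CRM vendor sending with its own bounce domain (legitimate but not
# aligned), and an unknown bulk host spoofing the domain outright.
REPORT_XML = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>google.com</org_name><report_id>17123</report_id>
    <date_range><begin>1772323200</begin><end>1772409600</end></date_range></report_metadata>
  <policy_published><domain>example.com</domain><adkim>s</adkim><aspf>s</aspf><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>412</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>37</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bounce.crm-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.55</source_ip><count>1190</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>192-0-2-55.bulkhost.example</domain><result>none</result></spf></auth_results>
  </record>
</feedback>
"""

if __name__ == "__main__":
    print("SPF:", parse_spf(SPF_RECORD))
    print("DMARC issues:", dmarc_issues(parse_dmarc(DMARC_RECORD)))
    for ip, count, envelope in failing_sources(REPORT_XML):
        print(f"{ip:16} {count:6} messages  envelope domain: {envelope}")
```

The CRM row is the case that bites most rollouts: raw SPF passed for bounce.crm-vendor.example, but with strict alignment (aspf=s) that does nothing for example.com, so the fix is a DKIM signature with d=example.com or a custom return-path on your own domain before you move to p=quarantine. The bulk host with 1,190 messages and no SPF result at all is the spoofing that p=reject will eventually stop.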

6. Do Not Mix Personal and Work Email

Using your work email to sign up for personal services (shopping, social media, newsletters) exposes your corporate address to more data breaches and more phishing. Using your personal email for work-related communication puts sensitive business information in an account with weaker security controls.

The rule is simple:

  • Work email for work communication only

  • Personal email for personal accounts and subscriptions

  • A separate throwaway email for signups, trials, and services you do not fully trust

If you manage multiple email accounts across providers, use a unified inbox tool that lets you see everything in one place without mixing the accounts themselves. This way you get the convenience of a single view without the security risk of cross-contamination.

7. Encrypt Sensitive Email Content

Standard email is not encrypted end-to-end. When you send an email through Gmail or Outlook, it is normally encrypted in transit (TLS) between your client and your provider and between mail servers, which stops a network eavesdropper from reading it on the wire. Server-to-server TLS is opportunistic, though: unless the receiving domain enforces it (MTA-STS or DANE), a hop can fall back to plaintext. And once the message reaches Google's or Microsoft's servers, it is stored in a form the provider can read. For most emails, this is fine. For sensitive content (financial information, legal documents, medical records, personal identification), it is not.

Your options:

  • Gmail Confidential Mode: Lets you set expiration dates and prevent forwarding, copying, and downloading. Not true encryption, but adds access controls.

  • Outlook Message Encryption: Available with Microsoft 365 subscriptions. Encrypts the message so only the intended recipient can open it; Microsoft manages the keys by default, so it protects against interception and forwarding, not against the provider itself.

  • ProtonMail or Tuta: End-to-end encrypted email providers where even the provider cannot read your messages.

  • PGP encryption: Available through clients like Canary Mail, and built into Thunderbird. Strong encryption of the body and attachments, but the recipient must also use PGP, and the subject line and headers stay in plaintext, which limits practicality.

For most professionals, the practical approach is: use TLS for routine email (it is on by default), use your provider's built-in encryption for sensitive messages, and consider a privacy-focused provider for communications that require the highest level of confidentiality.

8. Secure Your Email on Public and Shared Networks

Checking email on public Wi-Fi at a coffee shop, airport, or hotel is common. It is also risky. HTTPS protects the content of a modern webmail session, so the realistic threats are a rogue hotspot that serves you a fake login or captive-portal page, a network operator who can see which hosts you talk to, and other devices on the same network probing yours.

What to do:

  • Use a VPN when accessing email on public Wi-Fi. A VPN encrypts all traffic between your device and the VPN server, hiding it from whoever runs or shares the hotspot. It moves that trust to the VPN provider rather than eliminating it, so use one you or your employer have vetted.

  • Verify you are on the legitimate Wi-Fi network. Attackers create fake hotspots with names like "Airport_Free_WiFi" to capture credentials.

  • Avoid logging into email on shared or public computers. If you must, use a private/incognito browser window and log out completely when done.

  • Enable automatic screen lock on your devices. If you walk away from your laptop at a coffee shop, an unlocked email account is an open invitation.

9. Back Up Your Email

Your email is not permanently safe just because it is "in the cloud." Google and Microsoft both have terms of service that allow them to suspend accounts. Ransomware can encrypt your local email client. Accidental deletion happens. Account takeover can result in an attacker deleting your entire inbox.

What to do:

  • Gmail: Use Google Takeout to download a complete copy of your email in MBOX format. Schedule this quarterly.

  • Outlook: Export your mailbox to a .PST file through File > Open & Export > Import/Export.

  • For automated backups, consider services like Backupify or SysCloud that continuously back up your cloud email to a separate location.

A backup you never test is not a backup. After exporting, verify you can open and read the archive.
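Opening the archive by hand is the minimum; the script below does it the way a restore would. It is an added example for this post (not SmartMail code) that opens an MBOX file with Python's standard mailbox module, counts messages, checks that each has the headers a restore needs, parses every Date, and reports the date range so you can see at a glance whether the export is complete. The three-message archive is constructed, and its second message has a deliberately corrupt Date header.

```python
import mailbox
import os
import tempfile
from email.utils import parsedate_to_datetime

# Constructed archive in the layout Google Takeout produces (one "From " separator per
# message). The second message has a broken Date header on purpose.
SAMPLE_MBOX = """From MAILER-DAEMON Mon Mar  2 09:00:00 2026
From: alice@example.com
To: you@example.com
Date: Mon, 02 Mar 2026 09:00:00 +0000
Subject: Q1 plan
Message-ID: <a1@example.com>

Draft attached next week.

From MAILER-DAEMON Tue Mar  3 10:00:00 2026
From: bob@example.com
To: you@example.com
Date: not a date
Subject: Contract
Message-ID: <b2@example.com>

See the signed copy.

From MAILER-DAEMON Wed Mar  4 11:00:00 2026
From: carol@example.com
To: you@example.com
Date: Wed, 04 Mar 2026 11:00:00 +0000
Subject: Board deck
Message-ID: <c3@example.com>

Final version.
"""

def write_sample(path: str = None) -> str:
    """Write the constructed archive to disk (a temp file by default) and return its path."""
    path = path or os.path.join(tempfile.mkdtemp(), "backup.mbox")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_MBOX)
    return path

def verify_mbox(path: str) -> dict:
    """Open an MBOX export the way a restore would and report what is actually inside."""
    box = mailbox.mbox(path)
    total, bad_dates, bad_headers, dates = 0, 0, 0, []
    for msg in box:
        total += 1
        if not (msg.get("From") and msg.get("Message-ID")):
            bad_headers += 1
        try:
            when = parsedate_to_datetime(msg.get("Date", ""))
            if when is None:          # older Pythons return None instead of raising
                raise ValueError("unparseable date")
            dates.append(when)
        except Exception:
            bad_dates += 1
    box.close()
    return {
        "messages": total,
        "bad_dates": bad_dates,
        "bad_headers": bad_headers,
        "oldest": min(dates).isoformat() if dates else None,
        "newest": max(dates).isoformat() if dates else None,
        "size_bytes": os.path.getsize(path),
        # Restorable means: something in it, and nothing structurally damaged.
        "ok": total > 0 and bad_headers == 0 and bad_dates == 0,
    }

if __name__ == "__main__":
    for key, value in verify_mbox(write_sample()).items():
        print(f"{key:12} {value}")
```

Compare "messages" with the count your mailbox shows, and "newest" with today's date: an export that stops weeks before the day you ran it, or holds a fraction of the expected messages, is the kind of problem you want to discover now rather than during an account recovery.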

10. Review Your Security Settings Every Quarter

Security is not a one-time setup. Threats evolve, settings change, and new apps get connected. A quarterly review takes 15 minutes and catches problems before they become incidents.

Your quarterly checklist:

  • Review connected apps and revoke unused ones

  • Check your recovery email and phone number are current

  • Review recent account activity for unfamiliar logins or locations

  • Verify 2FA is still enabled and your backup codes are accessible

  • Update your password if you have not changed it in over 6 months

  • Check your email forwarding settings and inbox rules or filters to make sure no one added a silent forward to an external address, or a rule that deletes or hides messages mentioning "password," "security alert," or "invoice." Both are common post-compromise persistence techniques: the attacker keeps reading your mail after you change your password, and you never see the warnings.

  • Review your SPF, DKIM, and DMARC records if you own a domain
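The forwarding and inbox-rule check is the one most worth automating, because the rules an attacker adds are designed to be unnoticeable in the settings page. The script below is an added example for this post, not SmartMail code: it takes the filter list and auto-forwarding state in the shape the Gmail API returns them (users.settings.filters.list and users.settings.getAutoForwarding; fetching them is left to the caller) and flags forwards to external domains and rules that hide mail about security, sign-in or money. The filter IDs, addresses and org domain are invented sample data.

```python
import re

# Constructed sample in the shape returned by the Gmail API; IDs and addresses are invented.
SETTINGS = {
    "filters": [
        {"id": "ANe1Bm-1", "criteria": {"from": "newsletter@vendor.example"},
         "action": {"removeLabelIds": ["INBOX"], "addLabelIds": ["Label_12"]}},
        {"id": "ANe1Bm-2", "criteria": {"query": "invoice OR wire OR payment"},
         "action": {"forward": "acct.review.4471@outlook.example"}},
        {"id": "ANe1Bm-3", "criteria": {"subject": "security alert"},
         "action": {"addLabelIds": ["TRASH"], "removeLabelIds": ["INBOX", "UNREAD"]}},
    ],
    "autoForwarding": {"enabled": False},
}

ORG_DOMAINS = {"example-corp.com"}

# Subjects a persistent attacker wants the victim never to see.
SENSITIVE = re.compile(r"security|password|verification|sign-in|login|invoice|wire|payment|bank", re.I)
HIDE_LABELS = {"TRASH", "SPAM"}

def audit(settings: dict, org_domains: set) -> list:
    """Return (severity, rule_id, reason) for every forwarding or hiding rule worth a look."""
    findings = []

    def external(addr: str) -> bool:
        return addr.rsplit("@", 1)[-1].lower() not in org_domains

    auto = settings.get("autoForwarding", {})
    if auto.get("enabled") and auto.get("emailAddress") and external(auto["emailAddress"]):
        findings.append(("HIGH", "autoForwarding", f"entire mailbox forwarded to {auto['emailAddress']}"))

    for rule in settings.get("filters", []):
        criteria = " ".join(str(v) for v in rule.get("criteria", {}).values())
        action = rule.get("action", {})
        hides = ("INBOX" in action.get("removeLabelIds", [])
                 or bool(HIDE_LABELS & set(action.get("addLabelIds", []))))
        forward = action.get("forward")
        if forward and external(forward):
            findings.append(("HIGH", rule["id"], f"forwards '{criteria}' to external {forward}"))
        if hides and SENSITIVE.search(criteria):
            findings.append(("HIGH", rule["id"], f"hides messages matching '{criteria}'"))
        elif hides:
            findings.append(("INFO", rule["id"], f"moves '{criteria}' out of the inbox"))
    return findings

if __name__ == "__main__":
    for severity, rule_id, reason in audit(SETTINGS, ORG_DOMAINS):
        print(f"{severity:5} {rule_id:16} {reason}")
```

On the sample, the newsletter filter is ordinary housekeeping (INFO), while the other two are the classic business-email-compromise pair: copy every payment thread to an outside mailbox, and trash the security alerts that would reveal the intrusion. The same logic applies to Outlook, where the rules come from the Graph API's mailFolders inbox messageRules with forwardTo and delete actions.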

The Bigger Picture

Email is the front door to most of your digital life. Your bank sends password resets there. Your employer sends confidential documents there. Your government sends tax information there. If someone gets into your email, they can access almost everything else.

The checklist above covers the fundamentals. None of it is difficult. Most of it takes minutes. But the difference between someone who has done these steps and someone who has not is enormous when an attack happens.

Start with 2FA if you have not already. That single step stops the majority of account takeovers. Then work through the rest at your own pace. Every item you check off makes you a harder target.


SmartMail connects Gmail and Outlook into one platform with AI-powered email management and privacy-first security. Your data is never used for AI training. Try it free.