Email has become an almost invisible form of identification that we use in creating account information, resetting password information, receiving notifications and confirming our identities with literally hundreds of other Internet applications.
Most users do not think of email as being at all high risk, and they therefore reuse their own private email address over and over again for both legitimate applications and temporary applications.
With increasing frequency, it will be hard to argue against using a new e-mail address each time you apply for an account due to the continued increase in data breaches and phishing scams.
The Growing Security Role of Email
Modern email is a primary source for many online security applications. In addition to emails themselves, attackers that have access to your email inbox will often be able to gain access to many other items you use to interact with websites and applications including password reset requests, account confirmation emails, and security alert notifications. As a result, email has become one of the most common places where people experience phishing and credential based attacks.
Email addresses are also collected by and stored on many different types of platforms, even those that may seem completely benign such as forums or content websites. If the data from these platforms is compromised in some way (i.e., stolen and then resold) and your email is included in this compromise, it may remain exposed for a very long time. It is very difficult to eliminate once your email is distributed to a large group of users.
Why Reusing a Personal Email Creates Risk
When you use your primary email account on multiple unrelated platforms, you are connecting together actions that don't have to be related. Therefore when using newsletters, or trying out trial versions of software, joining an online community, or testing out some experimental tool; they are all going to be linked by the same identifier (email address). The moment a single platform is breached in some manner; the attacker now has a base of operations which he/she/it can reuse for other attacks.
Furthermore, as you continue to receive unwanted emails (spam/phishing) it will be increasingly difficult to discern what messages are actually coming from someone who wants to communicate with you vs. a message that could potentially contain malicious content. As a result, there will be a higher risk of unintentionally interacting with content that may be malicious.
Disposable Email Addresses as a Practical Alternative
Disposable email addresses represent an easy method to mitigate this risk. Disposable email addresses are typically used for short periods of time and they are ideal for those who do not anticipate needing to communicate with the person for a long period of time. Disposable email addresses may be used to access gated content; register for a forum; test on-line tool functionality; participate in promotions; etc.
Using a disposable email address protects a user's primary inbox from being exposed when creating an account using the disposable address. If a disposable email address is ever used to receive spam or if it is listed in a breach, there will likely be no adverse affect to other accounts associated with the same user, as the disposable email address can be abandoned at anytime.
Disposable email services like Evap Mail allow users to create disposable inboxes very quickly and start using them without having to enter any information about themselves (i.e., registration information), which makes this option available to both technical and non-technical users wishing to limit their exposure to unwanted spam and/or identity theft while surfing on-line.
Security Benefits Beyond Spam Reduction
Disposable email accounts can provide many types of security advantages over permanent email accounts. One advantage is that disposable email accounts are not typically repeatedly contacted by spammers or phishers who use the familiarity of the recipient with the sender as part of their attack strategy. Disposable email accounts are typically only used once; therefore, it is unlikely that the account will be monitored after the first use. Therefore, even if the malicious message reaches the inbox, it is likely to be ignored due to the lack of monitoring of an inactive email address.
Another security benefit from using disposable email accounts is the reduction of the value of collected personal data. While temporary email accounts do contain valuable data (e.g., name, location, etc.) they have limited value for either financial gain or for creating a long term profile of the user.
When Disposable Emails Should Not Be Used
Disposable emails aren’t suitable for every situation. Accounts with permanent ties to your financial well-being (e.g., banks), employment (e.g., work) and other long term commitments will likely have a need for a steady email account with some form of secure way to recover your account. Therefore it makes sense to be selective in how you use disposable emails and only do so when using an email account that could potentially cause harm or provide an advantage if it were to remain active indefinitely.
Conclusion
Disposable e-mail addresses represent an incremental shift for users managing their own online security. Rather than relying on either trust (in a site) or platform policies to protect user privacy, users can control the level of risk they assume by limiting the amount of information that is associated with an account when it is created.
For the technically aware, this method will fit well into the larger context of best practices used to secure accounts (using a password that has never been used before, and requiring multi-factor authentication). As people continue to develop a greater sense of digital risk, using disposable e-mails is also likely to be accepted as a common practice, rather than being viewed as an unusual way to protect one's identity.
