With so many account leaks, it’s time we start seeing emails as security keys too.
Most people think that if they are using unique passwords for every signup, they’re protected against data breaches, but that's not actually the case. Even if you change your compromised password, once your personal email is out in the open, you become a target for spammers, scammers, and identity theft.
Scammers will find everyday services that you use and they will send you phishing emails. They might say your password needs to be updated, your account will be frozen, you need to update your payment information, etc. The email will invite you to click on an official-looking URL that will take you to an identical webpage, which makes it difficult to spot that it’s fake. The aim is to persuade you to enter your personal information on the fake webpage and to steal your login credentials and/or payment information.
Here is an example: imagine your personal email has been leaked in a data breach. A scammer pretends to be an online service that you are currently using (in our case Mailgun, the service we use for sending transactional emails) and sends you an email looking like this:
At first glance, and without knowing much about phishing emails, you might say that this is a legit email. It uses the exact same template as a Mailgun email, it has the official logo, and you can see all of Mailgun's information at the bottom of the email.
However, a closer look shows that this is, in fact, a phishing email. The “View Ticket Details” link points to a non-secure (plain http) address, http://app.mailgun.com.
Next, the email was sent from a 'mailgun.org' email address. You could easily think that the domain is legit since it’s so similar, or even assume that they are using a different domain for sending the email. However, that is not the case.
Lastly, if you look at the headers of the email, you can clearly see that it was actually sent from 'buy-gadgets.xyz'.
As a more technical person, it's fairly easy for me to spot phishing emails and scammers. However, not everyone can spot a fake email, and those who can't risk having their personal information stolen. Most people simply don't have the time to carefully analyze every message that lands in their inbox.
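The three checks walked through above (the link scheme and host, the lookalike sender domain, and the Received/Return-Path headers naming the real origin) can be automated. The script below is an added example, not code from the original post or from Mailgun; the raw messages are constructed samples with placeholder hosts and addresses, and the `registrable()` helper is a deliberate simplification (last two labels, no public-suffix list) that is enough for the cases shown here.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the indicators described in the post:
# plain-http link, lookalike From domain, and origin headers that point at an
# unrelated domain. Hosts and addresses are placeholders, not real infrastructure.
SAMPLE_PHISH = """\
Return-Path: <bounce@buy-gadgets.xyz>
Received: from mail.buy-gadgets.xyz (mail.buy-gadgets.xyz [192.0.2.10])
\tby mx.example.net with ESMTP id abc123
From: Mailgun Support <support@mailgun.org>
To: you@example.net
Subject: Action required: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your ticket has been updated.</p>
<a href="http://app.mailgun.com/ticket/42">View Ticket Details</a>
</body></html>
"""

# Constructed clean counterpart: https link, on-brand From, on-brand origin.
SAMPLE_CLEAN = """\
Return-Path: <bounces@mailgun.com>
Received: from out.mailgun.com (out.mailgun.com [192.0.2.20])
\tby mx.example.net with ESMTP id def456
From: Mailgun Support <support@mailgun.com>
To: you@example.net
Subject: Your ticket has been updated
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://app.mailgun.com/ticket/42">View Ticket Details</a></body></html>
"""

EXPECTED_DOMAIN = "mailgun.com"  # the brand the message claims to come from


def registrable(host):
    """Simplified registrable-domain extraction: keep the last two labels.
    Assumption for this example; a real tool would use a public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def sender_domain(msg):
    """Domain of the address in the From header (empty if unparsable)."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def origin_domains(msg):
    """Domains named by Return-Path and by the 'from' clause of each Received header."""
    found = set()
    rp = parseaddr(msg.get("Return-Path", ""))[1]
    if "@" in rp:
        found.add(registrable(rp.rsplit("@", 1)[-1]))
    for rcv in msg.get_all("Received", []):
        m = re.match(r"from\s+([\w.-]+)", rcv)
        if m:
            found.add(registrable(m.group(1)))
    return found


def links(msg):
    """All href targets in the HTML (or plain) body."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    return re.findall(r'href="([^"]+)"', text)


def analyze(raw, expected_domain):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for url in links(msg):
        u = urlparse(url)
        if u.scheme != "https":
            findings.append(f"insecure link scheme: {url}")
        if registrable(u.hostname or "") != expected_domain:
            findings.append(f"link host off-brand: {u.hostname}")
    sd = sender_domain(msg)
    if registrable(sd) != expected_domain:
        findings.append(f"From domain is not {expected_domain}: {sd}")
    for od in origin_domains(msg):
        if od != expected_domain:
            findings.append(f"origin header points elsewhere: {od}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, analyze(raw, EXPECTED_DOMAIN) or ["no indicators"])
```

Against the constructed phishing sample this reports three findings (plain-http link, `mailgun.org` sender, `buy-gadgets.xyz` origin) and nothing for the clean one. The origin check is the most robust of the three because Received headers are added by the receiving servers rather than chosen by the sender, whereas the From header and the link text are entirely under the sender's control.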
This is why giving out your personal information, even just your personal email address, is so alarming. People can use it to spam you, to try to scam you, to steal your identity and to hijack your accounts. Using a burner email for every service you sign up for makes it impossible for scammers to do that.
That is because, firstly, that account cannot be associated with you and there is no trace back to your personal email. The scammers might send an email to that burner address, but because the address of the burner is 'burner_for_this_service@burner.domain', you can easily spot that you weren't supposed to receive an email from PayPal on that burner. Once the burner address has been compromised, you can easily disable or delete it and stop receiving all the scam emails. However, if that was your personal email, the scammer would keep on trying to scam you with different services: PayPal, Amazon, eBay, Spotify, Netflix, etc., hoping that one day you won't be as careful and will fall for the scam.
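The per-service burner rule described above is mechanical enough to enforce in code: a message is suspicious whenever the brand it claims to be from does not match the service the receiving alias was handed to. The script below is an added example, not the post's own code; the alias registry, addresses and messages are constructed placeholders, and the domain matching reuses the same last-two-labels simplification rather than a public-suffix list.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed registry: each burner alias was given to exactly one service.
# Aliases and domains are placeholders for illustration.
BURNER_REGISTRY = {
    "spotify-a8f2@burner.example": "spotify.com",
    "paypal-3c91@burner.example": "paypal.com",
}

# Constructed sample: a "PayPal" message arriving on the alias given to Spotify.
SAMPLE_MISMATCH = """\
From: PayPal <service@paypal.com>
To: spotify-a8f2@burner.example
Subject: Your account has been limited

Please confirm your payment details.
"""

# Constructed sample: Spotify mail arriving on the Spotify alias.
SAMPLE_OK = """\
From: Spotify <no-reply@spotify.com>
To: spotify-a8f2@burner.example
Subject: Your weekly playlist

Enjoy!
"""


def _domain(addr):
    """Domain part of an email address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _registrable(host):
    """Simplified registrable domain: last two labels (example assumption)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def triage(raw, registry):
    """Classify a message by the alias it was delivered to versus the brand it claims."""
    msg = message_from_string(raw, policy=policy.default)
    alias = parseaddr(msg.get("To", ""))[1].lower()
    sender = _registrable(_domain(parseaddr(msg.get("From", ""))[1]))
    expected = registry.get(alias)
    if expected is None:
        verdict = "unknown-alias"      # mail to an alias we never issued
    elif sender == expected:
        verdict = "expected"           # brand matches the service this alias was for
    else:
        verdict = "mismatch"           # e.g. "PayPal" writing to the Spotify alias
    return {"alias": alias, "expected": expected, "sender": sender, "verdict": verdict}


def disable_on_mismatch(raw, registry):
    """Return a copy of the registry with the alias retired if a mismatch was seen."""
    result = triage(raw, registry)
    if result["verdict"] == "mismatch":
        return {k: v for k, v in registry.items() if k != result["alias"]}
    return dict(registry)


if __name__ == "__main__":
    for raw in (SAMPLE_MISMATCH, SAMPLE_OK):
        print(triage(raw, BURNER_REGISTRY))
    print(sorted(disable_on_mismatch(SAMPLE_MISMATCH, BURNER_REGISTRY)))
```

A `mismatch` verdict is a hard signal: no legitimate PayPal mail should ever reach an alias only Spotify was given. The converse is weaker, since the From header is under the sender's control, so `expected` means only that the alias-to-brand pairing is consistent, not that the message is genuine; the header and link checks still apply.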