It seems like every other month there’s a massive data breach.
My main email address was revealed in four massive hacks within the last few years (Adobe, Dropbox, LinkedIn, and Trillian) according to haveibeenpwned.com, a project by Microsoft security expert Troy Hunt. My main email address is the one I used when I registered for all of those services.
I was sick of, and nervous about, having to change my credentials at every single financial institution. Was my money going to get stolen? What else was going to happen?
That’s when I decided to take a page out of my days working as a defense contractor. I would start using a “classified email” address.
What Is a Classified Email Address?
I bet you have a junk email address. I have one too.
You use it to sign up for services or newsletters that you’re not sure about. You probably use it to sign up for emails from retailers when they offer you 10% off your order. It’s a great way to make sure your daily email address, the one you may use with friends and family, doesn’t get bogged down with a ton of commercial email. In fact, you may have just recently started doing it and are using SaneBox to get your regular email address back under control!
You have a junk email address but do you have a “classified” email address?
A classified email address is the opposite of your junk email address. It’s your super secure, never let it out of your sight, never tell anyone it exists under penalty of death email address.
Email addresses are free, apart from the minute it takes to register a new account, so setting one up costs you nothing.
What It’s For
It’s for all your financial accounts and only your financial accounts. Your bank accounts, your brokerage accounts, and any other account that gives you access to your money. If you log in and can transfer money, it needs the secure email address.
It is not for financial aggregators like Mint or its competitors that may access your accounts on a read-only basis. I trust the security of those places but the fewer places you use it, the better.
It is not for your credit card accounts. Those are technically financial services but access does not threaten your finances in the same way. At worst, they could pay your bill but it doesn’t give them access to your money. That’s why I don’t use it for credit card accounts.
Services that allow you to transfer money, like PayPal or its competitors, are borderline as to which email to use. My strategy is to use a regular email address but “firewall” those accounts with a near-empty bank account. If they are breached, thieves can’t empty my main account because PayPal is only connected to a small balance.
Everything else gets your regular email address. This also means that when it comes time to manage your finances, you go only to your classified email address and don’t have to wade through “other” emails to get your work done!
How to Use It
I use it as the only email address of those secure accounts and I never use it anywhere else.
This ensures two things:
- I am never fooled by an errant phishing email to my regular email.
- It won’t get revealed in a third-party data breach.
Oftentimes, when a thief gets an email address, it’s because a third-party database was breached. They don’t usually break into a major bank’s database; it’s usually some less secure website with weak security protocols. Since my secure email, which I know is the only point of contact with my bank, is only used in secure situations, it will never be revealed in that type of hack. Since I don’t use that email with other people, it can’t be discovered in an address book because a friend was sloppy about security.
I never log into that email address unless I’m at home on my home computer, without exception. I don’t use business centers at hotels, I don’t use my laptop, and I don’t use my phone.
I don’t use business centers – they are notoriously insecure. You have no idea if someone has installed a keylogger on the machine, either on purpose or inadvertently while downloading emojis, some jewel game, or a stupid toolbar. I don’t use it on my laptop or my phone as a matter of discipline. I want to keep it to a single device that is always under my control. No one else uses that machine, so if something happens I only have myself to blame.
Lastly, remember to turn on two-factor authentication (2FA) on all of your financial accounts. Most reputable banks and brokerages offer this. Data breaches occur in a variety of ways, but turning on 2FA and using your phone as the confirmation mechanism means you’ll have a little bit of extra protection in place in case you are breached. Do not use another email address as your confirmation mechanism; you want to keep everything as segregated as possible.
This may seem like overkill. If you’ve been fortunate enough to have avoided any of these breaches, it will feel like I’m being very tinfoil hat in my approach. If you’ve experienced it just once, you know the sense of dread you feel when you’re changing the password for your bank account where all of your money is stored. This is a small step to take to ensure you don’t feel that way again.