Real World Computing

Publishing your email address isn't a security disaster

Posted on 30 Apr 2012 at 11:25

Davey Winder says businesses have no good reason to hide their email addresses online

Every now and then, some well-meaning but completely bonkers advice comes my way from a most unlikely source.

I wasn’t too amazed when an elderly relative of mine expressed surprise that his PC was heavily infected despite the installation of internet security software years ago. It didn’t particularly faze me to discover a man who thought he knew everything there was to know about computers, but who didn’t realise that you have to pay your annual subscription fee to continue receiving threat protection database updates.

I was fazed, though, when an IT security vendor seemed to be suggesting that a business that publicly reveals its email address is somehow compromising data security and putting itself at risk. I understand that risk is relative, and that an exposed business email address creates a greater corporate data security risk – from social engineers, phishers, hackers and cybercriminals – than if no such email contact points were disclosed.

However, I also understand that the dictionary definition of an address is a place where a person or organisation can be found or communicated with, and that’s just as true of a street or an email address. The point of having a business email address is to enable people, including potential as well as existing customers, to get in touch with you, and there’s no point having one at all if you don’t let anyone know what it is.

So what on Earth were the folk over at Websense Security Labs on about when they informed me that “thousands of businesses and consumers are putting themselves at risk each day by publicly revealing their email addresses on Twitter”, and went on to argue that, because those addresses are “connected with their inboxes, social media identities and bank accounts”, this leaves business users exposed to the potential for “advanced social spear phishing attacks”? The cherry on top of this farrago of nonsense was the advice to employers to “re-evaluate acceptable use policies to discourage staff from sharing email addresses on Twitter”.

To be honest, I think that in this particular case the security vendor was well intentioned, but perhaps got a little carried away while preparing its email security risk message. Yes, indeed, there are people out there with bad intentions, who target business users on social networks in order to infiltrate their systems using an old social-engineering strategy known colloquially among security types as “spear phishing”. It’s so called because such an attack is focused upon an individual within a specific department, rather than adopting a scattergun approach to the problem of how to get a RAT (remote access trojan) or similar piece of malware installed within the corporate network security perimeter.

By concentrating upon a vulnerable individual, especially one who is active on Twitter or Facebook, it’s possible to build up an accurate profile of that person both personally and, most importantly, professionally. Assuming the targeted person hasn’t opted to make their information available to only friends, for example, it’s all too easy to quickly scan through their friends list and, after putting in a bit of graft, compile a dossier of work colleagues and customers.

Link this information to conversations posted to the target’s wall on Facebook, and that previously mentioned business email address, and the bad guys have the ammunition required to impersonate someone already known to that employee. Exploiting this basis of trust allows the attackers to then attach an “important document” or a link to something they may be interested in, and by so doing solicit the vital click that installs malware.

So, yes, I can see where the Websense chaps were coming from, but I’m afraid that it all sounds a little bit too Chicken Little for me. The sky will not fall in if you post your business email address on Facebook, and acceptable use policies shouldn’t be altered to make doing so a hanging offence. Especially since it’s oh-so-easy to guess specific email addresses, given the standard address format used by just about every company, which is going to use one of only two or three formats.

Tracking down which is used is only a matter of visiting the company’s website and taking a quick look at the “about us” page, or the list of contact options for the directors or sales executives.

User comments


You can attract loads of spam and/or have your email address hijacked and used by spammers if you publish it in a machine-readable form on your website, though.

I regularly found my inbox full of 'undeliverable message' messages until I hid my address behind a third-party contact form.

By Pantagoon on 30 Apr 2012

Well, the less I say about Websense the better, as from our dealings with them they have been found wanting in many areas.

But back to the matter at hand: I have to agree, and I think the Websense guys may have this a bit muddled.

It's good sense not to publish the emails of individual employees, but it's perfectly desirable to publish a public company email like info@ or sales@, as these are valid contact methods that people need to know about. These types of emails don't need to have any specific network accounts/privileges, or indeed be used in relation to banking, social media or any other external or sensitive accounts.

Indeed, good policy would be to have different, specific email addresses for non-public use. This way you can be more secure and still be contactable.

It all comes down to some common sense. I really wish more advisers would stop making dumbed-down, general-type recommendations and start educating people properly.

And people need to stop expecting all advice to be very short and stupidly simple. It shouldn't be overly complicated either, but it's just a matter of people being willing to learn a little.

You should be able to say something like, "We advise that while it's OK to put public-facing email addresses out there, for your business security you shouldn't use any of these email addresses for sensitive things."

By koshthetrekkie on 30 Apr 2012


I have a website, and I remember many years back that I got loads of spam to my domain – you can't believe the amount of spam I was getting. It took a while to understand that spammers had harvested my domain mail address from my main page, as it was there in plain sight; since then it's been well hidden with some JavaScript I found to use for hiding. Why do you think addresses can't be harvested from Twitter? Bit funny, the addresses are served there on a silver platter from what I see. Sounds like an opportunity for email harvesters, I would say.

By Jodys on 1 May 2012
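Jodys mentions hiding an address behind JavaScript. As an added example (not code from the column or any of its commenters), here are two common ways a page can keep a contact address out of the raw HTML that plain-text harvesters read while still rendering it for visitors; the addresses and the harvester pattern are constructed samples.

```javascript
// Added example, not code from the column or its commenters. It shows the
// kind of JavaScript trick Jodys refers to: keep the address out of the raw
// HTML that plain-text harvesters read, and assemble it only when the page
// runs. All addresses below are constructed samples. Scrapers that execute
// JavaScript still see the result, so this cuts nuisance spam, nothing more.

// Technique 1: store the address in pieces (e.g. data attributes) and join
// them at runtime, so no "user@host.tld" string exists in the page source.
function assembleAddress(user, domainLabels) {
  return user + '@' + domainLabels.join('.');
}

// Technique 2: write each character as a decimal HTML entity. A browser
// renders "info@example.com"; a regex for x@y.tld sees only "&#105;&#110;..."
function toHtmlEntities(addr) {
  return Array.from(addr, ch => '&#' + ch.charCodeAt(0) + ';').join('');
}

// Inverse of toHtmlEntities, so the encoding can be checked without a browser.
function fromHtmlEntities(html) {
  return html.replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)));
}

// A constructed pattern of the kind a simple harvester uses; here it serves
// only to check what each encoded form still exposes in the page source.
const HARVEST_RE = /[\w.+-]+@[\w-]+(\.[\w-]+)+/;
function looksHarvestable(text) {
  return HARVEST_RE.test(text);
}

// Build the mailto: link from the pieces at runtime. Touches the DOM only in
// a browser; always returns the assembled address so it can be tested.
function renderContact(user, domainLabels, containerId) {
  const addr = assembleAddress(user, domainLabels);
  if (typeof document !== 'undefined') {
    const a = document.createElement('a');
    a.href = 'mailto:' + addr;
    a.textContent = addr;
    document.getElementById(containerId).appendChild(a);
  }
  return addr;
}

// In the page source only the pieces appear (constructed sample):
// <span id="contact" data-user="sales" data-domain="example,co,uk"></span>
// then: renderContact(el.dataset.user, el.dataset.domain.split(','), 'contact')
```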

Davey Winder

Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.
