Obscure email addresses on your website for added security

There's an implicit understanding that you need to include your email address on your website so that you can easily be contacted by customers, service providers or other visitors to your website.

Having a front door and windows on your home is necessary, but each entry point becomes a security risk. Unlike in the rest of the world, in Godzone you can still get away with not locking your doors and closing your windows when you step out, especially if you're based in the wops. Websites, however, are not just accessible to visitors from New Zealand, so the way you would secure a home anywhere else in the world needs to be considered when thinking about your website and other places where your organisational information is generally available.

By including your email addresses on your website, you are essentially inviting spam into your email. This isn’t just frustrating, it also means that you’re mere emails away from receiving phishing emails and malware that threat actors (cybercriminals) hide in attachments.

This article is meant to explore some of the best ways of reducing the impact of having an internet presence.

The common problem

Most website management platforms allow you to simply type in an email address and it gets displayed on your website – exactly where you wanted it. It'll either look like this:


or like this.

The first option is, quite simply, the easiest way of presenting your email address on a web page, but you're making the job for threat actors as easy as pie! The only way you could make it easier is if you had all your staff email addresses in a nicely formatted table. That way they can use any number of tools to harvest your information from your website, including a simple Google Sheet.

The background to this is that your website actually shows email addresses by using source code as follows:

<p>If you have any questions or suggestions, please contact us on:

<a href="mailto:hello@entity.nz">hello@entity.nz</a>.</p>


From the website visitor's point of view, you couldn't get a simpler way of presenting your desired email address.

The problem with solving... the problem

Websites are MEANT to be user-friendly, and the methods most commonly used for hiding email addresses end up making it harder for legitimate users without actually making it harder for threat actors to harvest your information. Such approaches might involve hiding the email address behind some incarnation of an envelope icon, or making it difficult to read (e.g. hello <at> entity <dot> nz). None of these approaches actually makes it difficult for threat actors to harvest email addresses, because their tools analyse the source code of websites (see above).

So then, how do I solve the problem?

For any approach to be successful, it needs to do the following three things well:

  • Don't impact your legitimate website visitors. If it's difficult to read, your visitors won't contact you.
  • Make it usable for the website administrator to make changes. If it's difficult to use, it's only a matter of time before everything goes back to what it was before.
  • Make it difficult for a potential threat actor. You're only a visit away from a baddy, so make it difficult to automatically filter your data from your website.

You should also consider your Search Engine Optimisation (SEO). Website owners have been conditioned into believing that it's imperative to have their websites in the top 5 results of all the search engines from all four corners of the world. Here's the thing – if your website doesn't come up in a search result for someone not specifically looking for you, you're less of a target and you're doing a great job. That's not to say that you shouldn't appear in the top 5 results across all the search engines, but you only need to be there for the results that are relevant to your target audience.

Real options to mitigate the problem

Limit staff pages

If your information isn't there, it can't be harvested. Don't have staff pages and the only email addresses you're going to expose are the mandatory ones. Depending on your email address format, you could display information that doesn't link to your email addresses.

Using additional characters

Think of your favourite masquerade ball scene in a movie set in medieval times. Hide information in plain sight by using simple pieces of material and cheap adornments. Similarly, the internet is based on a language called HTML and there are some legacy throwbacks that were used early on when text-only pages were all there was. Any non-mainstream English character wasn't catered for, so developers needed a way to cater for additional characters. Some of these include:

  • The at symbol (@) can be replaced with &commat;
  • The dot in domains can be replaced with &period;

Using the example from above, you can have zero impact on your legitimate visitors by entering email addresses as below:

<p>If you have any questions or suggestions, please contact us on:

<a href="mailto:hello&commat;entity&period;nz">hello&commat;entity&period;nz</a>.</p>



Threat actors are looking for email addresses that look like email addresses. There are some tricks you can have up your sleeve, like hidden tags. HTML has a comment tag that doesn't get displayed in a visitor's web browser under normal circumstances. You can simply copy the comment block and paste it randomly anywhere inside the ordinarily visible text, and your legitimate visitors will be none the wiser, like this:

<p>If you have any questions or suggestions, please contact us on:

<a href="mailto:hello@entity.nz">hel<!-- pme@entity.nz -->lo@enti<!-- nothing@entity.nz -->ty.nz</a>.</p>


The combined approach

Naturally, any and all the above can be combined at will. The more variation you employ, the more effective the overall solution will be.
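A self-check for your own markup, added here as an example (not code from the original article): it runs the article's three snippets, plus one constructed combination of both techniques, through a plain pattern match on the source, a match after entity decoding, and a match on the text a visitor actually reads. The pattern and function names are assumptions of this example. Note that the comment-tag snippet is still matched in the raw source, because its mailto: href holds the address in plain text.

```python
import html
import re

# Audit pattern: local part, "@", then a domain with at least one dot.
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
COMMENT = re.compile(r"<!--.*?-->", re.S)
TAG = re.compile(r"<[^>]+>")

def found(text):
    """Unique addresses matched in text, sorted for stable output."""
    return sorted(set(EMAIL.findall(text)))

def audit(source):
    """List the addresses readable at three levels of processing."""
    visible = TAG.sub("", COMMENT.sub("", source))
    return {
        "raw": found(source),                      # plain pattern match on the source
        "decoded": found(html.unescape(source)),   # after resolving &commat; / &period;
        "visible": found(html.unescape(visible)),  # what a visitor reads in the browser
    }

# The three snippets from this page, plus a constructed combination of both techniques.
SAMPLES = {
    "plain": '<a href="mailto:hello@entity.nz">hello@entity.nz</a>',
    "entities": '<a href="mailto:hello&commat;entity&period;nz">'
                'hello&commat;entity&period;nz</a>',
    "comments": '<a href="mailto:hello@entity.nz">hel<!-- pme@entity.nz -->'
                'lo@enti<!-- nothing@entity.nz -->ty.nz</a>',
    "combined": '<a href="mailto:hello&commat;entity&period;nz">hel<!-- pme@entity.nz -->'
                'lo&commat;enti<!-- nothing@entity.nz -->ty&period;nz</a>',
}

def report():
    """Audit every sample and return the results keyed by sample name."""
    return {name: audit(markup) for name, markup in SAMPLES.items()}

if __name__ == "__main__":
    for name, levels in report().items():
        print(name)
        for level, addresses in levels.items():
            print(f"  {level:8} {addresses}")
```

An address listed under `raw` is readable by the simplest scan of the page source; one that appears only under `decoded` is hidden from that scan but not from a tool that resolves HTML entities first.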

Impractical options to solve the problem

Programmatic Approaches

There are a number of programmatic approaches, whether using frontend solutions such as JavaScript or backend solutions, but the programming they require limits their usefulness on a self-managed website. The idea is simple, but the implementation requires a certain level of programming ability – the more effective the approach, the more adept at programming you need to be.

Captcha | Recaptcha | noCaptcha | etc

There are a number of libraries you can deploy that prevent certain text from displaying unless it is displayed in a normal web browser... ordinarily. The idea here is that most threat actors would be using scripts to harvest your data and having items that only display in certain circumstances would prevent that from happening when "browsing" your site with a script. The thing is, there are a lot of tools out there designed to bypass these captcha-esque utilities.

If you wish to discuss this with us, please do feel free to contact us.
