00

Why this matters

Every time you type your email address or phone number into a website, you hand over a key to you. It gets stored, it gets shared, and sooner or later it sits in a database that leaks.

This is not rare. When Erie Family Health Centers in Chicago was breached over the winter, the records taken included the names, phone numbers and email addresses of up to 570,000 people. That is one clinic. Across health care alone, 2025 brought 772 large breaches affecting around 138.5 million people. Your contact details sit in more of these lists than you would like, and there is nothing you can do to pull them back out.

The fix is not to stop signing up for things. It is to stop giving the same real address and number to everyone. Hand each site a mask instead: a unique alias email, and where it matters a spare number. The mail and the calls still reach you, but the site never learns the real thing.

Three things change the moment you do. A breach spills an address you can switch off, not the one your bank uses. Spam arrives at a number you can throw away. And because each mask is unique, the day one starts drawing junk you know exactly which company leaked it or sold it.

The idea in one line

Give every site its own disposable address and number. Keep your real ones for the few accounts that need them.

01

How a mask works

A mask is a forwarding address that stands in front of the real one. Nothing about how you read your mail or answer your phone has to change.

An email alias is a forwarding address. You generate a random-looking address, give it to a shop, and anything sent to it lands in your normal inbox. The shop stores only the alias. A masked phone number works the same way for calls and texts. You share the mask, calls and messages forward to your real phone, and your real number stays private.

Replies work too. With most services your reply travels back out through the alias, so the person reading it still sees only the masked address. A whole conversation can run without the real address ever appearing.

The one limit is worth stating plainly. A mask depends on the service that runs it. If that service closes, mail to its shared aliases stops arriving. That does not matter for a shop you joined once, and it matters a great deal for your bank, which is the line the rest of this guide draws.

02

Set up alias email

Email is the easy win, and for most people it is free. Pick one service, then make a fresh alias every time a site asks for an address.

| Service | Cost | Where it works | Worth knowing |
| --- | --- | --- | --- |
| DuckDuckGo Email Protection | free, unlimited aliases | any browser, iOS, Android | strips hidden trackers from forwarded mail; addresses end in @duck.com |
| Apple Hide My Email | free with Sign in with Apple, more with iCloud+ | Apple devices | addresses end in @privaterelay.appleid.com |
| SimpleLogin or addy.io | free tier, small fee for a custom domain | any device | open source, and a custom domain means no lock-in |
| Fastmail | part of a paid mailbox | any device | masked addresses built into a full email host |

1
Pick a service

Choose where your aliases come from

For a free start that works everywhere, turn on DuckDuckGo Email Protection, which gives unlimited addresses and strips hidden trackers on the way through. On Apple devices, Hide My Email is built into Sign in with Apple. For accounts that matter, set up aliases on a domain you own through SimpleLogin or addy.io, so you are never tied to one provider.

2
Make one per site

Generate a fresh alias at each sign-up

When a site asks for your email, create a new alias rather than reusing one. A browser extension or the built-in feature can fill a fresh address as you go, so it costs you little effort. One alias per site is what gives you the trace and the off switch later.

3
Check it forwards

Confirm mail lands in your inbox

Send a test message to the new alias, or complete the sign-up and watch for the confirmation email. It should arrive in your normal inbox like any other. Now you read and file it exactly as you do today.

4
Reply masked

Answer through the alias, not around it

When you need to reply, send it through the service so the alias stays the face of the conversation. Replying from your real account by hand would undo the point, so let the alias carry both directions.

Do not mask what you cannot lose

Aliases on a provider’s shared domain stop working if that provider disappears. For accounts you could not afford to lose access to, use an alias on a domain you own, or your real address. Never put your bank behind a free alias you might one day lose.

03

A spare phone number

A spare number is the second half, and it protects more than it first appears. Your number is one of the strongest links a stranger can use to find and join up everything about you.

A real number draws spam calls, helps data brokers stitch separate records into one profile, and is the prize in a SIM swap, the trick where someone moves your number to their own SIM and catches your text-message login codes. The companion guide Second Factor deals with that last danger directly. Handing out a spare number keeps the real one off the lists that feed all three.

What to use depends on where you are. In the United States, a free Google Voice number forwards calls and texts to your phone, though setting it up needs an existing US number. Firefox Relay masks a number across the United States and Canada, forwarding up to 50 minutes of calls and 75 text messages a month for 3.99 to 4.99 dollars. MySudo offers several numbers at once on a paid plan. Where none of these reach, a cheap pay-as-you-go SIM or an eSIM is the universal fallback, a second number you keep for forms and shops.

Where the spare number goes

Hand the spare number to shops, loyalty cards, deliveries and online forms. Keep your real number for your bank, your doctor and the people you actually want to hear from.

04

Living with masks

A mask only helps if it becomes the default. The aim is that handing over a real address or number is the rare exception, not the reflex.

Make the alias the thing you reach for. A browser extension fills a fresh email alias as you sign up, and your phone can hold the spare number ready to paste. Once it is a habit, masking costs you nothing per site.

Keep a short, clear list of who gets the real details: your bank and anything to do with money, your government and tax accounts, your employer, your doctor, and anything legally tied to your identity. Everywhere else is masked without a second thought.

When an alias starts drawing spam, turn it off. The noise stops at your real inbox the moment you do, and you have learned something useful, since that alias names the company that leaked or sold you. Note it, switch it off, and move on.
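One way to put that trace into practice, as an added example that is not part of the original guide: a short Python script that checks which alias each forwarded message was addressed to and reports senders from outside the site that alias was given to. The alias registry, the sample messages and the assumption that the forwarding service keeps the alias in the To, Cc, Delivered-To or X-Original-To header are all constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed registry: the alias given to each site and the domains that
# site is expected to mail from. Every name here is invented for the example.
ALIASES = {
    "shop-7f3k2@alias.example": ("Corner Shop", {"cornershop.example"}),
    "news-q9x1m@alias.example": ("Daily News", {"dailynews.example"}),
}

# Constructed sample messages, as they might look after forwarding.
SAMPLE = [
    "From: Orders <orders@cornershop.example>\nTo: shop-7f3k2@alias.example\nSubject: Your receipt\n\nThanks.",
    "From: Deals <win@prizes.example>\nTo: SHOP-7F3K2@alias.example\nSubject: You won\n\nClick.",
    "From: Editor <letters@mail.dailynews.example>\nTo: news-q9x1m@alias.example\nSubject: Morning edition\n\nNews.",
    "From: Loans <offer@fastcash.example>\nDelivered-To: shop-7f3k2@alias.example\nTo: customers@fastcash.example\nSubject: Cash now\n\nApply.",
]

def aliases_in(msg):
    """Return the registry aliases named in the recipient headers of msg."""
    fields = []
    for name in ("To", "Cc", "Delivered-To", "X-Original-To"):
        fields.extend(msg.get_all(name, []))
    found = {addr.lower() for _, addr in getaddresses(fields)}
    return found & set(ALIASES)

def expected(domain, allowed):
    """True if domain is an allowed sender domain or a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)

def attribute_leaks(raw_messages):
    """Map each site to the unexpected sender domains seen on its alias."""
    leaks = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
        for alias in aliases_in(msg):
            site, allowed = ALIASES[alias]
            if domain and not expected(domain, allowed):
                leaks.setdefault(site, set()).add(domain)
    return {site: sorted(d) for site, d in leaks.items()}

if __name__ == "__main__":
    for site, domains in attribute_leaks(SAMPLE).items():
        print(f"alias given to {site} is drawing mail from: {', '.join(domains)}")
```

The From header can be forged, so a sender that matches the expected domain is not proof the message is genuine; the reliable signal is which alias the mail was addressed to.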

When a service forces the real thing

Some accounts insist on a number they can verify, often by calling or texting a code, and they reject virtual numbers. Banks especially. Give those your real number and protect it with the steps in Second Factor, rather than fighting a mask through a wall built to stop one.

05

If something breaks

| Symptom | What to try |
| --- | --- |
| a site rejects the alias | A few sites block known alias domains. Use an alias on your own domain, or your real address if it is an account you cannot lose. |
| a site rejects the spare number | Some reject virtual numbers, banks most of all. Use your real number there and keep the mask for everywhere else. |
| you cannot tell which alias is which | Name each alias after the site, or use the service’s dashboard, which lists every alias and what it forwards to. |
| the alias service goes down | Mail to shared-domain aliases stops. This is the reason important accounts use an alias on a domain you own, or your real address. |
| one alias fills with spam | Turn that alias off. The sender, or someone who bought their data, leaked it. Your real inbox never saw it. |

06

Quick reference

| Want | Do |
| --- | --- |
| a free alias email | Turn on DuckDuckGo Email Protection for unlimited @duck.com addresses. |
| aliases on Apple devices | Use Hide My Email through Sign in with Apple. |
| aliases you keep if a provider closes | Use your own domain with SimpleLogin or addy.io. |
| a spare number in the US | Set up a free Google Voice number. |
| a spare number in the US or Canada | Use Firefox Relay phone masking. |
| a spare number anywhere else | Buy a cheap pay-as-you-go SIM or eSIM. |
| accounts to never mask | Your bank, government, employer and doctor. |

07

Common questions

The questions people ask before they start handing out masks instead of the real thing.

Will websites reject a masked email address?

Almost none do. An alias is an ordinary forwarding address, and the vast majority of sites treat it like any other. A small number block known alias domains. For those, use an alias on your own domain, or your real address if the account is one you cannot lose.

What happens if the alias service shuts down?

Mail to those aliases stops arriving. That is the one real risk, and it is why anything important should use an alias on a domain you own, through a service like SimpleLogin or addy.io, so you can point it at a new inbox. Keep your real address for the few accounts you could not afford to lose.

Can I reply from an alias without showing my real address?

Yes. With most services the reply travels back out through the alias, so the person you are writing to still sees only the masked address. DuckDuckGo and Apple both support this, so a full back-and-forth works without ever exposing the real address.

Isn't the Gmail plus trick enough?

Adding a plus tag to your address, such as you+shop@gmail.com, is free and instant, but your real address sits in plain view before the plus sign. A spammer or a data broker strips the tag in a second and is left with the real thing. A proper alias hides the real address entirely, which the plus trick never does.

Do I have to pay for any of this?

Not for email. DuckDuckGo Email Protection is free and gives you unlimited aliases, and Apple's Hide My Email is free through Sign in with Apple. A spare phone number usually costs a little each month, though a free Google Voice number covers it where that service is available.

Will a website detect and block a masked phone number?

Some do, banks especially, because they reject numbers they recognise as virtual. Keep your real number for those accounts and use the mask everywhere a number is merely convenient, such as shops, deliveries and loyalty cards.

Why bother masking my phone number at all?

Your number is a key to you. It draws spam calls, it ties separate data-broker records together into one profile, and it is the target of a SIM swap that steals your text-message login codes. A spare number you can discard keeps the real one off those lists.

Which accounts should keep my real email and number?

The few you cannot afford to lose or that demand verified contact: your main bank, your government and tax accounts, your doctor, and your employer. Give those your real details and protect them well. Mask everything else by default.