Ever since the Real ID friend system was announced, players have voiced concerns about hackers and phishers exploiting this system. They're worried that hackers will move through a group of Real ID friends like a wildfire during a drought. While it is always good to have concerns about account security, sometimes paranoia is a bit too much.
Yes, you do need your friend's email address to add them as a Real ID friend. However, that is the last time you'll ever see that email address in your game client -- once you hit the "Send Request" button, that's it. There is no way to look up that person's email address from the interface again. The only personal information in the client after that is your friend's name.
Just remember that this system is meant for your real-life friends and family and not for some guy who was a good healer in your ICC PUG last week. If you don't know where to go to knock on the person's door if something happens to your account, then don't share your email address.
Filed under: Account Security