Is Email Secure Enough to Send Sensitive Information and Attachments?

In an era dominated by digital communication, email is an integral part of our daily interactions, allowing us to effortlessly exchange messages and information across the globe within a few seconds. However, email was not initially built for the exchange of messages containing sensitive information and confidential data, so the question lingers: ‘Is email secure enough for such purposes?’
 
The short answer to this simple question is no. Email is inherently insecure. But it is here to stay. And as our reliance on email grows, so does the risk of potential cyber threats, escalating the need for heightened security measures to safeguard your data.
 
The security of email is a common concern amongst our customers, often accompanied by questions such as ‘what is an encrypted email?’ and ‘how is email encrypted?’. This led me to wonder how many individuals may not fully grasp the threats they are exposing their data to. Drawing on my experience in the field of security, I wanted to offer my insights into how secure email really is.
 
In the article below I’ll explain:
 
Why People Use Email to Send Sensitive Information

With over 4.3 billion users, email remains the most popular method of communication today. According to the yearly report by the Radicati Group, the total number of business and consumer emails sent and received daily in 2023 is over 347 billion, and this is expected to grow to over 392 million by the end of 2026.
 
Quite simply, email is an easy-to-use, ubiquitous technology that users have relied on for communication for years. Unfortunately, all too often users don’t understand the limitations of the technology, and to most casual users email is fine and nothing to worry about, as they have nothing to hide.
 

How Does Email Work? 

Email is a send-and-hope technology. There is no guarantee of delivery, no guarantee of security, and email servers bounce attachments which are too large. It doesn’t sound that good, does it?
 
Your email messages, whether sent through a personal Outlook, Gmail or Hotmail account or a company-provided one, make their way to an email server and then start their journey across the internet, passing through a network of networks to reach the intended recipient.
 
Not all networks and infrastructure offer the same level of security, or are operated by law-abiding organisations, so what you’re sending is at risk of being compromised. The one exception is company email that never leaves the company network: it is delivered to another internal recipient without ever touching the internet.
 
Whilst the security of email itself can be improved with the use of strong passwords, multi-factor authentication and mobile/laptop security, once it has left your network you have lost all control.
 

Why is Email Insecure?

Email insecurity doesn’t apply only to the message in transit to the recipient, although that is the focus of this post; it also covers where the messages are stored, and below we give two examples of email as a common attack vector against a business.
 

Reasons why email is considered insecure include:

  1. Unencrypted Communication: By default, email messages are sent in plain text, which means that the content of the email is not encrypted and can be intercepted and read by anyone with access to the email servers through which it passes. This lack of encryption makes email vulnerable to eavesdropping.
  2. Limited Authentication: Email addresses and accounts can be easily impersonated. Email systems often rely on basic username and password authentication, which can be compromised through phishing or brute force attacks.
  3. No End-to-End Encryption: While some email providers offer encryption in transit (e.g., using TLS), very few offer true end-to-end encryption. End-to-end encryption ensures that only the sender and intended recipient can read the message, and even the email service provider cannot access the content.
  4. Data Retention: Emails can be stored indefinitely on servers, which means that even if you delete an email, copies may still exist on various servers or backup systems.
  5. Malware and Phishing: Email is a common vector for spreading malware and phishing attacks. Cybercriminals can send malicious attachments or links in emails, tricking recipients into downloading malware or revealing sensitive information.
  6. Social Engineering: Emails are often used in social engineering attacks, where attackers manipulate individuals into taking actions that compromise security, such as revealing passwords or financial information.
  7. Lack of Control: Once you send an email, you have limited control over its security. You can't prevent the recipient from forwarding it or sharing it with others, potentially exposing sensitive information.
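The two points above about transit encryption (items 1 and 3) and impersonation (item 2) can be checked on any message you receive by reading its headers: each relay adds a `Received:` line whose `with` keyword records whether that hop used TLS (`ESMTPS`) or plain `ESMTP`, and the receiving server's `Authentication-Results:` header records the SPF/DKIM/DMARC verdicts. The script below is an added example, not code from the original article or from Pro2col; it uses only Python's standard `email` module, and the sample message, host names and IP addresses in it are constructed placeholders.

```python
"""Inspect a received email's headers: which relay hops used TLS, and whether
the sender passed SPF/DKIM/DMARC checks.

Added example, not from the original article or from Pro2col. The message
below is constructed for illustration; its host names and IPs are placeholders.
"""
import re
from email import message_from_string
from email.message import Message

# Constructed sample: two relay hops, the first in clear (ESMTP), the second
# over TLS (ESMTPS). The Authentication-Results header is constructed too.
SAMPLE_RAW = """\
Received: from mx.example-receiver.test (mx.example-receiver.test [203.0.113.10])
\tby inbox.example-receiver.test with ESMTPS id abc123
\tfor <alice@example-receiver.test>; Mon, 1 Jan 2024 10:00:05 +0000
Received: from mail.example-sender.test (mail.example-sender.test [198.51.100.7])
\tby mx.example-receiver.test with ESMTP id xyz789;
\tMon, 1 Jan 2024 10:00:03 +0000
Authentication-Results: mx.example-receiver.test;
\tspf=pass smtp.mailfrom=example-sender.test;
\tdkim=pass header.d=example-sender.test;
\tdmarc=pass header.from=example-sender.test
From: Bob <bob@example-sender.test>
To: Alice <alice@example-receiver.test>
Subject: Quarterly figures
Content-Type: text/plain; charset="utf-8"

Figures attached.
"""

# RFC 3848 "with" protocol keywords: the trailing S means the hop used TLS.
_TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}
_WITH_RE = re.compile(r"\bwith\s+([A-Z0-9]+)", re.IGNORECASE)
_FROM_BY_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE | re.DOTALL)


def transit_hops(msg: Message) -> list:
    """Return one dict per Received: hop, oldest first, flagging TLS use."""
    hops = []
    # Each relay prepends its Received: header, so the list reads newest-first;
    # reverse it to follow the path the message actually took.
    for raw in reversed(msg.get_all("Received", [])):
        text = " ".join(raw.split())  # unfold continuation lines
        route = _FROM_BY_RE.search(text)
        proto = _WITH_RE.search(text)
        protocol = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append({
            "from": route.group(1) if route else "?",
            "by": route.group(2) if route else "?",
            "protocol": protocol,
            "tls": protocol in _TLS_PROTOCOLS,
        })
    return hops


def auth_results(msg: Message) -> dict:
    """Extract spf/dkim/dmarc verdicts from Authentication-Results, if present."""
    verdicts = {"spf": "none", "dkim": "none", "dmarc": "none"}
    header = msg.get("Authentication-Results")
    if header:
        text = " ".join(header.split())
        for mech in verdicts:
            m = re.search(r"\b%s=(\w+)" % mech, text, re.IGNORECASE)
            if m:
                verdicts[mech] = m.group(1).lower()
    return verdicts


def assess(raw_message: str) -> dict:
    """Summarise transit encryption and sender authentication for one message."""
    msg = message_from_string(raw_message)
    hops = transit_hops(msg)
    auth = auth_results(msg)
    cleartext = [h for h in hops if not h["tls"]]
    return {
        "hops": hops,
        "cleartext_hops": len(cleartext),
        "all_hops_tls": not cleartext,
        "auth": auth,
        "sender_authenticated": all(v == "pass" for v in auth.values()),
    }


if __name__ == "__main__":
    report = assess(SAMPLE_RAW)
    for h in report["hops"]:
        state = "TLS" if h["tls"] else "CLEARTEXT"
        print(f"{h['from']} -> {h['by']}: {h['protocol']} ({state})")
    print("All hops encrypted in transit:", report["all_hops_tls"])
    print("Sender authenticated (SPF/DKIM/DMARC all pass):", report["sender_authenticated"])
```

Two caveats a practitioner should keep in mind when reading the output. First, only the `Received:` line added by your own mail server is trustworthy; a sender can insert arbitrary earlier lines, so the script shows what the headers claim, not proof of the path. Second, even when every hop reports `ESMTPS`, that is encryption in transit only: each relay still holds the message in plaintext, which is exactly the gap that end-to-end encryption (item 3 above) closes and TLS does not.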

Who is Trying to Compromise your Data?

Threat actors, those looking to maliciously compromise your data, aren’t always hackers. Did you know that governments and email providers themselves also want to know what you’re sending?
 
It is not commonly known, but your email may be accessed by your email provider so that they can serve you more targeted advertisements. Up to late 2017 Google confirmed they were involved in these practices, but that they had been discontinued for ‘advertising purposes’. Google’s statement stopped short of saying they had stopped the practice completely. As an example, Gmail users have questioned how the ‘Smart Reply’ feature can offer canned responses if Google’s systems are not reading the email message received.
 
Government surveillance of communication channels is commonplace. Whether that’s email, text or messaging applications, governments either mandate a backdoor or snoop on civilians’ communications; a quick Google search for ‘Government email surveillance’ may provide an unwelcome surprise.
 
Hackers are widely known to compromise email using malware, phishing, and other social engineering practices. As their approaches become more advanced, an increasing number of accounts are hacked, and when an account is compromised various tactics can be employed, including:
 
  • Scam your email contacts with requests for money.
  • Spoof your email to obtain further information from known contacts.
  • Access other online accounts where password information is available.
  • Collect personal information for identity theft.

Using email to send and store sensitive information can have long-lasting implications should your email be intercepted or your account compromised.
 
What Information You Should Never Send Via Email

Hackers and cybercriminals are especially keen on certain types of information, and they need only a small amount of it to inflict considerable harm, such as identity theft and other forms of cybercrime.
 
The data is collectively known as Personally Identifiable Information (PII), which refers to information that can be used to identify, contact, or locate an individual.
 
The following are common examples of PII. Sending them by email should be minimised, with some exceptions for items commonly included in email footers:
 
  1. Full Name: A person's first and last name is considered PII, as it can uniquely identify them.
  2. Date of Birth: Knowing a person's date of birth is often required for identity verification and can be used in combination with other information to commit fraud.
  3. Social Security Number (SSN): In the United States, the SSN is a critical piece of PII used for various financial and government-related transactions. It's a prime target for identity theft.
  4. Driver's License Number: This number is used for identification and verification purposes, and it's considered PII.
  5. Passport Number: Passport numbers are used for international identification and travel, making them highly sensitive PII.
  6. National Identification Numbers: Many countries have their own national identification numbers, which are considered PII. For example, the National Insurance Number (NIN) in the UK.
  7. Financial Account Information: Details about bank accounts, credit cards, and other financial instruments are PII. This includes account numbers, credit card numbers, and bank routing numbers.
  8. Mailing Address: Knowing a person's physical address can be used to locate them, and it's considered PII.
  9. Email Address: Email addresses can be used to contact individuals and are often linked to various online accounts.
  10. Phone Number: Phone numbers are used for communication and can also be linked to individuals' identities.
  11. Biometric Data: Biometric information such as fingerprints, facial recognition data, and retinal scans are highly sensitive PII.
  12. Medical Records: Information about a person's health, including medical history, treatment records, and health insurance information, is considered PII.
  13. Employment Information: Details about a person's job, employer, and income are PII.
  14. Education Records: Academic records, such as transcripts and student ID numbers, are PII.
  15. Criminal Records: Information about a person's criminal history is considered PII and is typically protected by privacy laws.
  16. IP Addresses: In some contexts, IP addresses can be considered PII, as they can be used to trace online activities back to individuals.
  17. Usernames and Passwords: While not traditional PII, access credentials can be used to gain unauthorised access to various accounts and systems, making them sensitive.
  18. Vehicle Identification Numbers (VINs): VINs are unique to each vehicle and are used for identification, making them PII.
  19. Social Media Profiles: Information on social media, such as Facebook profiles, can reveal a lot about an individual and is considered PII in the context of online privacy.

What You Should Do if You're Asked to Send Sensitive Information Via Email 

If you’re asked to send one of the types of information listed above via email to a company, ask them for a “secure method to share sensitive data, as email is insecure”; as supporting evidence you could refer them to this article.
 
If no option is forthcoming, personally I would escalate the request to someone in a senior IT position at the company, citing the same reason. Depending upon your role in your organisation, it might be sensible to raise the point with a senior colleague who can take it through the appropriate channels. Commercial relationships should treat exchanging data securely with respect, especially as it isn’t difficult and the implications of a breach can be considerable.
 

Secure Options to Consider 

  1. Password Protect Attached Files: A common misconception is that password-protecting an attachment makes it secure. A quick online search will direct you to a myriad of articles on how to hack files that have been password protected. Whilst better than a plain email attachment, for a determined hacker this option presents little challenge.
  2. PGP Encrypted Emails: If you’re technical and the person you’re sending to is also technical, this option may work. However, for most email users downloading PGP software to create, encrypt and share keys, is not convenient or easy to implement.
  3. WeTransfer: A commonly used, simple online tool, WeTransfer is a hosted solution for the secure exchange of messages and files. Whilst simple (and this applies to the large majority of similar online tools), the service provider may be able to access your messages and files, your data is stored on servers you have no access to, and copies of your data are often made to ensure availability in the event of service outages. Often called ‘shadow IT’, it serves a purpose but doesn’t satisfy compliance mandates such as the GDPR.
  4. FileCloud: A solution specifically designed for the purpose of secure message and file sharing. FileCloud can be installed alongside your email systems or licensed as a hosted service, providing end-to-end data security, visibility of transfers and when they’ve been accessed, and by whom. Major advantages include specific functionality to meet various compliance standards such as the GDPR, PCI-DSS and HIPAA, amongst others.
 

If your organisation needs to exchange messages and files containing sensitive information with external entities, email should not be used. Pro2col, specialists in secure file sharing solutions, has various tools depending upon an organisation’s functional requirements and budget. Get in touch with one of our experts today, no matter how big or small your query - we’re ready to help.

About the Author

James Lewis is the Managing Director at Pro2col, Independent Managed File Transfer Experts, and the owner of the Certified File Transfer Professional (CFTP) training course. James’ experience in MFT and B2B solutions has enabled the Pro2col team to work in partnership with SMEs and leading global brands across a range of industries.

Find out more about James here.