Email security is a topic that has been getting more attention in the media recently. We are also seeing a spike in email-based attacks among our customers, and I believe that now is a good time to set the record straight on email. I will cut to the chase right here and say that email is not secure. Period. Are there ways to securely communicate using email as a part of the process? Yes. But email itself is inherently insecure and you should consider everything that you send in email as being public.
Why is email insecure?
The standards that we use for email originated over 45 years ago in the 1960s. In those days it was a feat to just get a message reliably from one computer to another. Security was not even a thought back then and nobody could even dream that their room-sized computers would be eclipsed by smartphones with more power than a mainframe. In the years since the original email standards were created we have come a long way and standards have been updated.
The problem with such old technology is that we prioritize compatibility over security – especially when it comes to email. This means that even the most modern and secured email system must be able to use the oldest of standards in order to be sure that your message will be reliably deliverable to the other party. This enables you to have confidence that your message will get to its recipient without concern about what technology might be in use as the message traverses the internet.
Let’s imagine a day when security was prioritized. Your company or email provider converted their email server to use a secure protocol and turned off all backwards compatibility. Encryption is set up end-to-end and messages are 100% secure. You now have confidence to send anything via email. But you email your spouse and the message never shows up. This is because their email server is not secured. You try to contact a business associate overseas and their country prohibits encryption and they cannot get your message either. It would not take long before you begged for your insecure email back, since email is not very useful if you can only email a small number of people.
This means that the communication from your email server to the other person’s email server uses very dated but reliable standards. These standards are inherently insecure. You are trading security for simplicity and compatibility.
But I hear about 100% secure email…
When people talk about secure email they are generally talking about using email as a delivery mechanism for some other form of communication. If you think about sending an Excel spreadsheet to someone via email, you should expect that the data in this spreadsheet could be intercepted and read by anyone. A solution to this might be to add a password to the spreadsheet. This will provide a very limited level of security since someone intercepting your message cannot just open the spreadsheet. (Please note that Excel passwords are easy to crack and this should NOT be used as a method for protecting data.)
Secure Email Method #1 – Encrypting the contents
One method used to send truly secure messages is to encrypt the content. Programs like PGP can be used to create a key set, exchange public keys and encrypt data. When two people want to communicate securely they would do the following.
1. Each person uses PGP to generate both a public and a private key.
2. The two people email each other their public keys.
3. Person #1 writes a message and runs it through PGP, using the public key provided by Person #2 to encrypt the message.
4. Person #1 puts the encrypted message into the body of an email and sends it to Person #2.
5. Person #2 copies the encrypted message from the email and runs it through PGP, using their private key to decrypt the message.
6. Person #2 can now read the decrypted message.
7. This process (steps 3 – 6) is repeated for each additional message sent.
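The steps above, sketched as an added example that is not from the original article and is not PGP itself: it assumes the third-party Python `cryptography` package and shows the same public-key pattern, with illustrative function names. Because step 2 sends the public keys over ordinary email, it also computes a key fingerprint that the two people can compare over another channel.

```python
import base64
import hashlib
from cryptography.fernet import Fernet
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# RSA-OAEP padding used to wrap the per-message session key.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

def generate_keypair():
    """Step 1: each person creates a private key and its public half."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return private_key, private_key.public_key()

def fingerprint(public_key):
    """Short value both people can read out over the phone after step 2."""
    der = public_key.public_bytes(serialization.Encoding.DER,
                                  serialization.PublicFormat.SubjectPublicKeyInfo)
    return hashlib.sha256(der).hexdigest()

def encrypt_for(recipient_public_key, plaintext):
    """Steps 3-4: encrypt with the recipient's public key; return email body text."""
    session_key = Fernet.generate_key()
    wrapped = recipient_public_key.encrypt(session_key, OAEP)
    token = Fernet(session_key).encrypt(plaintext.encode("utf-8"))
    return base64.b64encode(wrapped).decode("ascii") + "\n" + token.decode("ascii")

def decrypt_with(private_key, email_body):
    """Steps 5-6: only the matching private key recovers the session key and text."""
    wrapped_b64, token = email_body.strip().split("\n", 1)
    session_key = private_key.decrypt(base64.b64decode(wrapped_b64), OAEP)
    return Fernet(session_key).decrypt(token.encode("ascii")).decode("utf-8")

if __name__ == "__main__":
    p2_private, p2_public = generate_keypair()
    print("Fingerprint to confirm by phone:", fingerprint(p2_public))
    body = encrypt_for(p2_public, "Quarterly numbers (constructed sample text)")
    print("Email body as an interceptor sees it:\n" + body)
    print("Person #2 reads:", decrypt_with(p2_private, body))
```
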
So why don’t we use such a process for every email? You guessed it, the process is complex, time consuming, error prone and requires technical knowledge. Thus this is normally only used by super technical people and those who must use email to send highly confidential data.
Secure Email Method #2 – Only use email for notification
We have plenty of secure methods to share data on the internet. Today the easiest and most ubiquitous method is through encrypted web sites. Whenever you see a website address that starts with https:// the site is using encryption. This means we can use email to notify someone about encrypted data but offload the transfer of this data to a website. This is how most health providers comply with HIPAA.
The process goes like this.
- The party sharing data (Person #1) secures it on a website.
- The party receiving the data (Person #2) creates a login for the website and can access the website data via an encrypted connection.
- When Person #1 wants to send data to Person #2 they just post it on the website (behind a login and password).
- After the data is posted on the website, Person #1 sends Person #2 a message with a link to the data.
- Person #2 now uses the link to log in to the website and securely retrieve the data.
You will likely have seen this process when you get information from your doctor. You have a login to the website set up and all you need to do is click on a link in email to get the data the doctor sent you. This process secures your data and removes risk from the doctor under HIPAA.
Make no mistake, this process is not actually using secure email. The email is still insecure. The process allows data to be sent which is worthless to anyone other than the intended recipient. Thus you can secure the data without securing the email.
It gets worse… Who’s the sender?
We now understand that as the sender you need to be aware that others may be able to see your messages. But what about messages you receive? This is also insecure. Since we do not have any way to authenticate who sent a message we cannot be sure that a message is coming from the person we think sent it to us. This means that as a recipient we are never positive that the message we are reading came from the person we think it came from.
When you look at the header of an email message you see who it came from. The problem is that what you see in the header is completely customizable by the sender. A sender can make an email look like it came from anyone without much effort. It can look like it came from the IRS or your bank or even the President of the United States. This essentially means that you cannot ever trust that the sender of a message is who you think they are.
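A check a recipient or mail filter can run on this point, as an added example that is not from the original article: it parses a constructed sample message with Python's standard `email` module and lists places where the displayed From line disagrees with other sender-supplied headers. The function names and sample addresses are illustrative.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not real traffic): the visible From line claims a bank,
# while the bounce address and the reply address point somewhere else.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
From: "Example Bank Support" <support@examplebank.example>
Reply-To: accounts@examplebank-secure.example.org
To: you@example.com
Subject: Action required on your account

Please confirm your details.
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or '' if none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def related(a, b):
    """True when one domain equals the other or is a subdomain of it."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def sender_warnings(raw_message):
    """Return reasons the displayed sender should not be taken at face value."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From"))
    if not from_domain:
        return ["From header has no usable address"]
    warnings = []
    for header in ("Reply-To", "Return-Path"):
        other = domain_of(msg.get(header))
        if other and not related(other, from_domain):
            warnings.append(f"{header} domain {other} differs from From domain {from_domain}")
    # A display name that itself looks like an address can hide the real one.
    shown = re.search(r"[\w.+-]+@[\w.-]+", display_name)
    if shown and shown.group(0).lower() != from_addr.lower():
        warnings.append(f"display name shows {shown.group(0)} but the address is {from_addr}")
    return warnings

if __name__ == "__main__":
    for warning in sender_warnings(SAMPLE):
        print("WARNING:", warning)
```

An empty result does not mean the message is genuine, because the sender writes every one of these headers; the check only catches forgeries that are inconsistent with themselves.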
When email goes wrong
We all hear about various types of attacks where people have their files destroyed by ransomware and times when others are scammed into sending money or information to a malicious actor. Many of these attacks begin via email, since email is often the easiest place to inject malicious information and have the other person trust its source. Here are some examples of email going wrong.
Bank and company scams
Scammers will often pose as your bank, the government or some other company in order to get you to divulge information that they can use against you. By sending an email that looks like it came from a legitimate organization they will ask for personal data that can be used to impersonate you, open credit accounts or steal from you in some other way. Rarely should you be asked via email for personal data.
Phishing scams
Similar to the bank scam, a phishing scammer impersonates another person or company and then tries to lead you somewhere that you are not expecting. Often, they will point you toward a website that looks very similar to one you know as your bank or company. Once they get you there you try to log in and they collect your login credentials or other data.
Software delivery scams
By impersonating a person or company this scammer tries to get you to open a file. This file may look like a spreadsheet from a coworker or an update from a software vendor. Once you open the file you are infected with malicious software. Be aware of such scams each time you open an attachment. As a rule of thumb you should never open an attachment that you are not expecting. If you did not expect the attachment you should call the sender to verify prior to opening.
Money transfer scams
These scams take all sorts of forms. The commonality is that the scammer tries to make you believe that they are someone they are not and then have you send them money. These scams often rely on gift cards or wire transfers since these are hard to trace. Be aware that in some cases the instructions for sending money can actually be inserted into an email thread that originated with a legitimate communication. All the scammer needs to do is intercept a single email in transit and then use the text of that message to send their own message that looks like it came from the original person. The text of the previous messages can lure an unsuspecting victim into thinking that they are still communicating with a trusted source.
Summary
We live in changing times and there are scoundrels around every corner of the Internet. We should always be aware that each and every email may not be what it appears. Take time to look at each email and verify both the sender and the data within each message. The list below gives you a few tools to help keep yourself safe when sending and receiving email.
- If an email requests an action always be wary
- Don’t click on links you receive in email. The link may not go where you expect. If the message is from a company you know then go to their website in your browser without using the link.
- Before taking action from an email, contact the sender to verify that they sent the message. Use another medium to contact them (phone, text message, etc.).
- Never wire money using instructions sent in an email!
- Never pay a company or government agency using gift cards or Western Union