Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

How Secure Is Email?

It was designed in simpler times.

Peek a boo!

Email is ubiquitous and convenient, yet surprisingly, not particularly secure. I'll look at why that is and when you should worry.
Question: My business requires the emailing of some sensitive information on a regular basis. I have spoken with my boss and co-workers about all of us using an encrypted email system, but no one seems to think there is a significant threat or danger out there to require these extra steps in security. Can you offer any data to help me convince them that this is a good idea?

Actually, I don't have hard data to say one way or the other. The risk varies too much on too many factors to present data that will apply in any specific situation.

But we can definitely look at some of the factors.

Become a Patron of Ask Leo! and go ad-free!

TL;DR:

How Secure Is Email?

Email was never really designed for the security we might need today. The good news is that most of us are not interesting enough to be at risk of being hacked. If you are, then secure alternatives, like encrypted attachments or not using email at all, are the most common solutions.

Practical risk

Your confidential business information scenario warrants consideration, but I want to discuss the case for the average email user first.

My experience is most people have an overinflated sense of risk when it comes to threats and technologies they don't understand.

Email, and how messages make it from your computer to mine when you press "Send", is something the average computer user not only doesn't understand but has no reason to understand.

As a result, sometimes threats that should be of concern are overlooked, and issues that are really no threat at all can prevent people from using the technology to its fullest – or cause them to avoid it altogether.

What is possible

By default, the content of email is not encrypted or obscured in any way. As it travels from your computer to your mail server to my mail server and finally to my PC, it's stored in formats that are easily read by anyone who has access and cares to do so.

Let's examine those two criteria in more detail.

Who has access to your email

Anyone who has access to the network, network equipment, mail servers, or PCs across which your email travels can potentially read your mail.

These people include:

  • Anyone with access to your machine has several ways they could examine your email conversations, from installing spyware to copying your mail folders to simply opening your email program and reading your mail.
  • Malware is just a special case of someone having access to your machine. The concern behind malicious compromise of your machine is that malware can gain access to more than just email. Even typing your message could be recorded if malware is present.
  • Other machines on your network may be able to see your email as it's transmitted between your machine and your mail server. I say "may" because it depends on how your network is configured. The most obvious is an open (unencrypted) Wi-Fi hotspot, where any machine connected to the hotspot can see the data sent and received by other machines on that same hotspot.
  • Your ISP can examine all the data you send and receive on the internet as a side effect of providing your connection to the internet.
  • Your email provider can examine your email as a side effect of providing your email service. The provider's own networking and hosting providers could be included as well.
  • Your recipient's ISP: just as your ISP can see everything you do, your recipient's ISP can see everything they do, such as receive the email you sent them.
  • Your recipient's email provider has the same access yours does.
  • Other machines on your recipient's network have the same issues as the machines on your network.
  • Malware on your recipient's machine puts your conversation at risk just as much as if it were on your machine.
  • Naturally, anyone with access to your recipient's machine can do whatever the recipient could, and thus could read, copy, or otherwise access your email conversation.

This seems like a long list of entry points at which your email could be exposed to prying eyes.

Why you needn't panic

When most people see the list above, they immediately focus on the items outside of their control.

I get constant comments implying (or flat out accusing) email providers and ISPs of maliciously reading emails they have no business reading.

In my opinion, that's unwarranted paranoia. These businesses are too busy to have the resources to do so and too competitive with each other to allow something like that to potentially become public knowledge.

That's not to say there aren't incidents of breaches from time to time -- formerly trusted employees have been fired or even jailed as a result. What I am saying is these are the exceptions rather than the rule.

Nope, the real risk (if there is to be any) is at the points you do control.

The risks are at the endpoints

I honestly believe the greatest risks are at the sending and receiving endpoints.

In other words, the actions of malware on your machine, or of someone walking up to it and poking around, or even your own actions misdirecting an email message, present a much greater risk than anything that might happen once the message is in transit.

As a result, the most important thing you can do to secure your email is to secure your computer and your own practices in dealing with your computer and the internet.

If there is risk, that is.

You're just not that interesting

I hate to break it to you, but you and I ... well, we're just not that interesting.

Even if people had an opportunity to read our email, they probably wouldn't. In all likelihood, 99.99% of all email is incredibly boring unless you're the sender or the intended recipient.

Even so-called "confidential" information isn't shared much via email. Just avoid emailing things like social security numbers, passwords, credit card numbers, and the like, and you'll be 99% protected right there. By now, it should be common knowledge that any email that asks you to reply with information that includes confidential information is almost certainly a phishing attempt. Sending that kind of information via email is a bad idea.

So don't do it.

Everything else you do in email is probably pretty boring stuff. I know mine is.

But what if you are interesting?

Your question included two very important words that might make things more ... interesting: "business" and "sensitive information".

Email privacy does start to make sense if you have legitimate reasons to be concerned that your email might be intercepted, and/or if the cost of such an interception is unacceptably high.

Banks and medical institutions are excellent examples.

So the first question you need to ask yourself is, "Am I really a target?" Most people are not. Most businesses are not. Many might think they are, but in reality, no one cares. On the other hand, if you're communicating sensitive things that are the focus of possible industrial, political, or personal espionage, then yes, you may have a legitimate concern.

The next question is, "What's the downside of someone else seeing this?" Again, in most cases, the cost is negligible: a little embarrassment at most. If, on the other hand, that information could cause serious damage in the wrong hands, then it's time to consider different approaches.

And as a business, if there are legal ramifications to information leakage (or actual laws, like HIPPA, requiring a heightened level of privacy and security), then whether actually warranted or not, you may be required to take additional steps.

You have exactly two options:

  • Avoid email
  • Encrypt it

Alternatives to email

The most important aspect of an email alternative is that you control or understand the entire path your sensitive information might take on its way from point A to point B.

My online brokerage is a good example. They do not email statements; they use email to notify me that a statement is available. I can then log in securely to my account on their website and download my sensitive information.

Not only is the path a direct one -- from their server to my PC -- but it's encrypted via https, so that even someone at my ISP watching the data stream would be unable to decipher its contents.

They control their server, I control my PC, and the path between the two is obscured from any third-party prying eyes.

You could set up access-controlled shares on your company's network or servers, or even go so far as to write a custom application requiring additional security to access the data, and you could impose a higher level of obfuscation on the data as it travels the internet.

Just make sure you have someone who is a security professional doing the work. It's easy to think you've done security right when you have not.

Encryption

The most practical solution for most people, which you are advocating for, is encrypting your data before it's emailed.

The problem here is that encryption schemes for email are not as interoperable as we'd like. If you can standardize a solution that works for all of your senders and recipients, then your email problem is mostly solved. (While some solutions are free, they often involve third-party software and periodic fees.)

If you're doing it on your own and your correspondents are running different email clients or even different operating systems, things get more difficult. Personally, I've not found a good solution that integrates well with various email clients. My approach instead is to send encrypted attachments. By that, I mean:

  • I write my message using a plain text editor or word processor, and save it to disk
  • I use a tool to encrypt that file. Candidates are 7-zip (using ZIP format and a password), PGP/GPG, and VeraCrypt, although there may be other viable alternatives. ZIP files are perhaps the most easily interchanged, and current implementations provide good encryption.
  • I email the encrypted file as an attachment to my recipient.
  • I also send to the recipient -- through a different channel -- the password or whatever other information they will need to decrypt the file.

It is somewhat cumbersome, but if you can agree on an encryption tool, it works in almost all environments and with any email client that can send an attachment.

You'll notice that encryption is a cornerstone of even non-email solutions.

Do this

If all this sounds like I'm skeptical ... it's because I am. In my opinion, most people who think they are targets are in fact not.

But if you really are a target, and if electronic communication is a necessity, then good encryption is a must. Things can be a little more complex than we'd like, but if it's important, you cannot simply ignore the risk.

It's one more reason why truly secure information is often best handled in phone calls or in-person meetings rather than email.

Here's something that doesn't need to be encrypted and will help you stay more secure: subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

Podcast audio

Play

47 comments on “How Secure Is Email?”

  1. There are email services available that use encrypted links by default. A list of providers and further discussion can be found at novo-ordo.com. While it is true, few people are targeted, I suspect the environment is becoming more hostile for the average Joe.

    Reply
  2. —–BEGIN PGP SIGNED MESSAGE—–
    Hash: SHA1

    I don’t think so.

    Leo

    —–BEGIN PGP SIGNATURE—–
    Version: GnuPG v1.4.7 (MingW32)

    iD8DBQFIKfNgCMEe9B/8oqERAtvJAJ9tMOQ/ZR5c94ps/s3MleIpj8RO9gCfbpST
    zspatixw/uu+i/BPrC5CarM=
    =XJ/5
    —–END PGP SIGNATURE—–

    Reply
  3. Yes, solutions can be expensive, but what is the cost when one of your associates in human resources sends your 15,000 employees’ SSN’s to the wrong address and it gets picked up by the media? Hosted off-site solution work, but add more critical components that must be safeguarded. If the hosting company has a leak, your customers still ascribe the blame to you.

    Consider options surround the choice to encrypt and whether to use a hosted solution very cautiously.

    Frank
    Strategic Data Management

    Reply
  4. E-mail is easy to intercept even on wired networks. Ever hear of ARP Cache Poisoning, DNS spoofing, or ICMP redirect attacks?

    All of the above can be used to intercept any type of unencrypted communication on a wired network.

    Even if you trust people on your network, a compromised server on the recipients mail server network could be used to intercept email.

    Being paranoid about sending private data via email is a *good* thing and is not just for the people who wear tin foil hats.

    There are many attacks other than sniffing too.

    Do you trust that your recipient has a secure password on their email account, or that their computer is virus free?

    Twitter learned this one the hard way, see: http://news.softpedia.com/news/Social-Engineering-Used-to-Compromise-Twitter-117172.shtml

    Sorry Leo, but you are dead wrong. I’d strongly recommend that you retract this article. It is really dangerous to tell people that it is O.K. to send private data via e-mail.

    Reply
  5. I agree with the others. the author has only considered one par of what constitutes a “risk”. In this case the liklihood of it happening.

    What he has not considered are the implications or severity of it happening. Brushing it aside under “Again, in most cases the cost is negligible … a little embarrassment at most.”

    “My business requires the emailing of some sensitive information on a regular basis. “

    This isn’t embarassment. It can lead to failed business, court cases, good knows what else. Anybody not implementing a simple email encryption procedure in these circumstances probably deserves everything they get.

    Reply
  6. It is true the most users or companies will net get attack, however, you’ll will not know when you are being attacked. Therefore, it is necessary to encrypt your sensitive data when sending email to outside of your organization (external parties). It is dangerous to say that post an article as such, because if you have an individual or acompany email messages got sniffed you became 100% vulnerable and therefore its too late for you and your data.

    Reply
  7. E-mails are able to be intercepted – period.
    Tools are available and have been since mid 2009.
    A study was released in early 2009 that showed that the average age of hackers “targeting” small mortgage brokers is 14.
    The chances of 95% of the e-mails sent have no intrinsic value to anyone but the sender and receiver.
    The reality is that the vast majority of the intercepted e-mails fall into two buckets.
    1- the e-mails that are never identified as being intercepted. How do you really know?
    2- incidents of e-mails that were compromised and were identified, but never officially reported as being intercepted.
    But those who send Highly Regulated Content (HRC) over the open public internet need to take appropriate steps to protect that data as there are potential legal/financial/regulatory consequences in the event of a breach.
    Specific language is now in some business liability insurance policies that exclude any coverage for any electronic transmissions (e-mails).
    There are cost effective solutions out there that transfer the risks associated with a breach of data in “the cloud”. Just need to do some digging

    Reply
  8. Internal email systems are often compromised by their administrators who find it easy and tempting to look at communication between their managers. There’s also the risks of misdirection, and the inability to revoke messages if you make a mistake.

    I sell http://www.safedrop.com to lots of government and legal clients, often people who have found out the risks of using email the hard way.

    Reply
  9. I can only recommend to test Opolis Secure Mail. – The sender decides what the recipient is allowed to do with a sent message. For example a mail cannot be forwarded or printed without permission. And the sender can constantly monitor sent messages. Finally, all emails are fully encrypted …. – and all for free! What else can one wish?

    Reply
  10. Leo, I was quite interested in the responses to your post, there are some paranoid nutters out there. I agree with you, intercepting emails is incredibly difficult. If you think otherwise please send me an application were I can type in an arbitrary email address and receive copies of the emails going to that address.

    Reply
  11. “Leo, I was quite interested in the responses to your post, there are some paranoid nutters out there. I agree with you, intercepting emails is incredibly difficult. If you think otherwise please send me an application were I can type in an arbitrary email address and receive copies of the emails going to that address.

    Posted by: Fred Habuckle at October 4, 2010 5:49 AM”

    Fred – are you serious? It is clear to me you don’t know very much about the field of networks, IP packet transfer, or data security in IT. Magical ‘applications’ like that do not exist, applications are constructed of layers of architecture that extends beyond the GUI.

    Just because sniffing personal/business emails isn’t as simple as entering text in an application and waiting for the reply, doesn’t mean it’s ‘incredibly difficult.’

    But, having studied IT and worked in the industry for a few years now, I’ve almost given up trying to educate the end user of this. Until I see comments like Fred’s and articles like Leo.

    Leo – your article is misleading and above all ignorant. Sending emails is NOTHING like online transactions, which use HTTP/s, in-house or OOTB e-commerce security, MD5-or-other encryption. Email, largely unencrypted has none of this. A little embarrassment? Try … loss of business, reputation, personal life impacting on getting a future job or keeping our current one, ex-girlfriends/boyfriends being able to find where we are – anything…

    I could explain more about how an email is constructed, packets and how they are stolen and rerouted but as far as it goes – I’ll make this analagy, it’s as simple as intercepting a courier carrying an envelope, yanking it off him and then opening said envelope.

    Reply
    • When I read things from the internet, I always check where the message comes from. Leo is a former Microsoft programmer. I understand his position. When you look at his other posts, there’s another article about “ads following users” you might want to disagree with.

      Reply
  12. Not sure, but I think it’s called “pgp” — hard to listen to an “expert” if he doesn’t know the right acronyms.

    GPG is the free/open source alterantive to PGP.

    Leo
    17-Apr-2012
    Reply
  13. A couple of points and a recommendation:

    1. Depending on your industry, encrypting e.mail may be required by a state or federal regulator.

    2. If you’re doing business in Massachusetts, or doing business with clients/customers in Massachusetts 201 CMR 17 requires confidential information (as defined by the act) to be encrypted if sent by e.mail.

    I recommend Ziptr (see http://www.ziptr.com). I’ve been using it since it was in private beta and it just works – simply and easily! If you can use e.mail, you can use Ziptr. And it is free for individuals. They recently released Ziptr Biz with some nice compliance features for business users, too. Check it out!

    Good luck!

    Reply
  14. I know that my email can be read by somebody along the line but I don’t care. I hope they enjoy the jokes. If it’s really that private don’t send it unless you have protection.

    Reply
  15. Encrypting a message at one end and decrypting at the other doesn’t really take that much time and effort.
    You can change the encryption key through snail mail, which I think is pretty secure. You can even encode the snail mail if the Illuminatti is watching you.

    Reply
  16. I always regard e-mail as “private” as a postcard.

    Telephone calls ditto. Particularly where one is a mobile.

    Sometimes I have sent, say, a password, but in such a case I send it in two parts, un-announced, and then send a third saying, “I have sent you the password by e-mail – the first part is in my second e-mail, the second part is in the first e-mail”. An eaves-dropper would not be likely to keep either of the first two, and a “spybot” would miss them both – particularly where I give a number in text, say 4483, as “forty four, eighty three” or “double four, eighty three”.

    Reply
  17. Friends were told that, despite their full contact list being hacked, their risk was minor to insignificant.
    I suggest they run Malwarebytes, Trend Micro HouseCall, Kaspersky Free or at least 2 of whatever they are not using. One does banking and other financial work on web – their bank and ISP said don’t worry – I’d worry – who’s right if there is such a thing?I’m already a subscriber of I’d get your book. I read the article = twice!

    Reply
  18. Leo, I did read the article – twice. An employer has forged e-mails and e-mail contents – is there a way to prove they have been forged? I am certain they don’t encrypt. They have also said other e-mails proving that they have broken the law have been deleted and therefore cannot be supplied in a data subject access request. The corruption is widespread in the company. I am reporting them to the ICO, but can they do anything to the ghost copies on the main server? Will it show that they have deleted the ghost-copies? Going forward, is it possible to encrypt e-mail messages in hotmail.com, or do I need to change my e-mail provider to one that will allow encryption? Is it possible to encrypt messages at a job, without the employer’s permission?

    Reply
  19. @LMac
    I can’t answer the questions you ask, because I don’t know anything about the legalities of what you’re asking, but as to your question about encrypting messages on your work computer, I wouldn’t type anything on a work computer that I wouldn’t want my employers reading. They have the capability of monitoring every keystroke you type on their computer. Knowing this is possible, I’d behave as if they were watching.

    Reply
    • I used to work at a major hotel chain. I knew employees who were terminated for inappropriate use of the company email and network. The guy that used to visit sports betting sites (even on his own time at lunch hour) comes to mind. Never, ever use a company computer for anything personal.

      Reply
  20. Leo
    Your archive is huge and includes many items from obsolete or obsolescent operating systems such as Win98 and Win XP.
    Could you install some kind of filter, so that our trawl is reduced ?
    Warren Crawford

    Reply
  21. The section titled ‘You’re just not that interesting’
    Any plans on changing/updating this in light of the Snowden leaks??

    Reply
  22. There are messaging apps which use end-to-end encryption. Some (probably most) of them also encrypt attachments, and if you want to correspond confidentially with someone, you could use one of those. Couldn’t someone, using similar technology, develop a business capable messaging system? The problem would be interoperability as the key exchange issue is the bottleneck to ubiquitous encryption between different providers, but eventually, I hope, enough resources are put into making this work.

    Reply
    • There are also free email services that will allow you to send encrypted (password-protected) emails to non-encrypted email addresses. Hushmail & Proton Mail are 2 such examples.

      Reply
  23. I believe email is absolutely as secure as a billboard alongside the interstate highway in any major city.
    Think I5 in Los Angeles or I95 in NY City.

    Reply
    • Uh, no.

      That analogy would hold true for Usenet (does anyone here still remember that?), but it sure isn’t valid for E-Mail, which (barring mistake, misfeasance, or malevolence on the part of the recipient) must first be intercepted before it can be read by anyone except its sender & recipient.

      It is true that E-Mail is much easier to intercept than other forms of Internet communication, and sometimes that interception may even be inadvertent (!); and the other problem is that once interception of an E-Mail has occurred, there is (usually) nothing whatsoever protecting it.

      But an interception of some kind is required before an unauthorized person sees it at all. Hey, let’s not make the problem any more terrible than it already is! :(

      Reply
  24. Leo,
    I have been a subscriber for years and thoroughly enjoy your emails.
    You didn’t mention, nor did I find after a quick perusal of the comments, anything about using a password on the docs being emailed. I receive and send out sensitive tax docs and use password locked documents.
    Maybe this is unsafe as well?
    Will

    Reply
    • Leo did mention encrypted attachments in the article. In fact, he included it in the article summary:

      “Secure alternatives, like encrypted attachments or not using email at all, are the most common solutions.”

      and in the body of the article
      “My approach instead is to send encrypted attachments. By that, I mean:
      – I write my message using a plain text editor or word processor, and save it to disk
      – I use a tool to encrypt that file. Candidates are 7-zip (using ZIP format and a password), PGP/GPG, and VeraCrypt, although there may be other viable alternatives. ZIP files are perhaps the most easily interchanged, and current implementations provide good encryption.
      – I email the encrypted file as an attachment to my recipient.
      – I also send to the recipient — through a different channel — the password or whatever other information they will need to decrypt the file.”

      Reply
  25. Thank you for your years of helpful comments and information.

    I just want to correct your reference to the medical privacy laws which is often incorrectly abbreviated, as you did. It is not HIPPA, but is HIPAA-The Health Insurance Portability and Accountability Act of 1996 (HIPAA).

    Thanks again.

    Reply
  26. Many are missing the weakest link in e-mail. Clicking on amail links that look legitimate that are sent to you or your employees. They often look legitimate but they are not! A company that I worked for as a mechanic and occasional computer guy got hit twice by ransomware by employees clicking on links. The first time, there were backups and we were back online by the end of the day. I kept a check on the backups to make sure they were occurring regularly.
    The 2nd time it occurred, I had left and no longer worked there. No one was watching the backups and, due to a hard drive failures on a backup device, the backups were no longer working. They had to reinstall software and rebuild the data. I got calls to try and help but without the backups, I was not going to get involved.

    Reply
  27. I have a problem and would like to ask you for help. Not sure where to ask this- I’ve had a Thunderbird email account for several years and saved emails from 2014 in it. It’s been synched with my live.outlook.com account until Nov. 2021. I just tried to access it and it won’t take my password. I can still open emails in the folders they are stored in. Is there any hope to salvage this account. I think it may have something to do with Microsoft’s new security features. Your advice is much appreciated. I’ve been getting your emails since 2013, and appreciate your expertise very much. Thanks you, Leo.
    Faye Pedersen

    Reply
    • I would start by

      • Backing up your Thunderbird folders
      • Seeing if you can access the account online at outlook.com

      If you can’t access the account online, then regaining access online is the first step.
      If you can, then I’d ask if you have two factor authentication set up? You may need to configure an “app password” for use by your Thunderbird configuration.

      Reply
  28. In the “Who has access to your email” list, you forgot to mention all the relays between the sending and the receiving servers: all the SMTP relays, all the switches in between see the traffic and can easily analyse it and copy it. Analysing the traffic using keywords (“login”, “password”, “account” for instance) is easy, and doesn’t require huge means.
    Email is unsecure by design: it’s a message in a glass bottle sent on the Sea of Internet arriving “magically” to the recipient. Never use it to send confidential and/or sensitive information.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.