Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Just How Secure Is Email, Anyway?

My business requires the emailing of some sensitive information on a regular basis. I have spoken with my boss and co-workers about all of us using an encrypted email system, but no one seems to think there is a significant threat or danger out there to require these extra steps in security. Can you offer any data to help me convince them that this is a good idea?

Actually, I don’t have hard data to say one way or the other. The risk varies too much on too many factors to really present data that’ll apply in any specific situation.

But we can definitely look at some of the specific factors.

Become a Patron of Ask Leo! and go ad-free!

Practical risk

Your scenario of confidential business-related information warrants some consideration, but I want to first discuss the more general case for the average email user.

To be blunt, my experience is that most people have an over-inflated sense of risk when it comes to threats and technologies that they don’t understand.

And to be sure, email and how messages make it from your computer to mine when you press “Send” is something that the average computer user not only doesn’t understand, but has no reason to understand.

Anyone who has access to the network, network equipment, mail servers, or PCs across which your email travels could potentially read your mail.

As a result, sometimes threats that should be of concern are overlooked and issues that are really no threat at all prevent people from using the technology to its fullest – or perhaps cause them to avoid it all together.

What is possible

It is possible to sniff and eavesdrop on email conversations.

It’s also not particularly easy, unless you’re on an open WiFi connection.

By default, the contents of email is not encrypted or obscured in any way. As it travels from your computer to your mail server to my mail server and finally to my PC, it’s stored in formats that are easily read by anyone who has access and cares to do so.

Let’s examine those two criteria in more detail.

Who has access to your email

Someone's Peeking! Anyone who has access to the network, network equipment, mail servers, or PCs across which your email travels could potentially read your mail. So just who are those people?

  • Anyone with access to your machine has several ways that they could examine your email conversations – from installing spyware of some sort to copying your mail folders to their remote location to simply opening up your mail program and reading your mail.
  • Malware is really a special case of someone having access to your machine. The concerns behind malicious compromise of your machine is that malware can gain access to more than just email. Even the act of simply typing your message could be recorded and examined if malware is present.
  • Other machines on your network may be able to see your email as it’s transmitted between your machine and your mail server when you send or receive. I say “may” because it depends on exactly how your network is configured. The most obvious case is an open (unencrypted) WiFi hotspot where any machine connected to the hotspot can see all of the data that’s being sent and received by the other machines on that same hotspot.
  • Your ISP can examine all of the data that you send and receive on the internet simply as a side effect of providing your connection to the internet.
  • Your email provider can examine your email simply as a side effect of providing your email service. Included in this would be your email provider’s own networking and hosting providers as well.
  • Your recipient’s email provider just like yours.
  • Your recipient’s ISP once again, just as your ISP can see everything you to, your recipient’s ISP can see everything they do.
  • Other machines on your recipient’s network have the same issues as the security and configuration of your own.
  • Malware on your recipient’s machine puts your conversation at risk just as much as if it were on your machine.
  • Anyone with access to your recipient’s machine naturally can do whatever the recipient could, and thus could read, copy, or otherwise access your email conversation.

This seems like a long list of entry points – points at which your email could be exposed to prying eyes.

Why you needn’t panic

When most people see the list above, they immediately focus on the items outside of their control.

I get constant comments that either imply or flat out accuse email providers and ISPs of maliciously reading email that they have no business reading.

In my opinion, that’s unwarranted paranoia speaking. These businesses are too busy to have the resources to do so, and too competitive with each other to allow something like that to happen in any systematic or organized way that might some day become public knowledge.

That’s not to say that there aren’t incidents of breaches from time to time – and formerly trusted employees have been fired or even jailed as a result. What I am saying is that these are the exceptions rather than the rule.

Nope, the real risk (if there is to be any) is at the points that you do control.

If there’s risk, it’s at the endpoints

I honestly believe that if there is going to be risk, the greatest risk to email privacy is at the sending and receiving endpoints.

In other words, the actions of malware on your machine, or someone walking up to it and poking around, or your own actions misdirecting an email message present a much greater risk than anything that might happen once the message is in transit.

As a result, the most important thing that you can do to secure your email is to secure your computer and your own practices in dealing with your computer and the internet.

If there’s risk, that is.

You’re just not that interesting

I hate to break it to you, but by and large, you and I … well, we’re just not that interesting.

Even if people had an opportunity to read our email, they probably wouldn’t. in all likelihood, 99% of all email is incredibly boring unless you’re the sender or the intended recipient.

Even so-called “confidential” information isn’t shared much via email – simply avoid emailing things like social security numbers, passwords, credit card numbers, and the like, and you’ll be 99% protected right there. Heck, by now, it should be common knowledge that any email that asks you to reply in email with information that includes your password is almost certainly a phishing attempt. Sending that kind of information via email is simply a bad idea.

So don’t do it.

Everything else that you do in email is probably pretty boring stuff – I know mine is.

But what if you are interesting?

Your question included two very important words that might make things more … interesting: “business” and “sensitive information”.

Email privacy does start to make sense if you have legitimate reason to be concerned that your email might be intercepted, and/or if the cost of such an interception is unacceptably high.

So the first question that you need to ask yourself is, “Am I really a target?” Most people are not. Most business are not. Many might think they are, but in reality, no one cares. On the other hand, if you’re communicating on sensitive things that you know are the focus of possible industrial, political, or personal espionage then yes, you might have a legitimate concern.

The next question is, “What’s the downside of someone else seeing this?” Again, in most cases, the cost is negligible … a little embarrassment at most. If, on the other hand, that communication landing in the wrong hands could cause serious damage, then it’s also time to consider approaches.

And as a business, if there are legal ramifications to information leakage, or actual laws requiring a heightened level of privacy and security, then whether actually warranted or not, you may be required to take additional steps.

Then you have exactly two options:

  • Avoid email altogether
  • Encrypt

Alternatives to email

The most important aspect of an email alternative is that you control or understand the entire path that your sensitive information might take on its way from point A to point B.

My online brokerage is a good example. They do not email statements, but rather, they use email to notify me that a statement is available. I can then login securely to my account on their website and download my sensitive information.

Not only is the path a direct one – from their server to my PC – but it’s encrypted via https, so that even someone at my ISP who’s watching the data stream would be unable to decipher its contents.

They control their server, I control my PC, and the path between the two is obscured from any third-party prying eyes.

You could set up access-controlled shares on your company’s network or servers, or even go so far as to write a custom application that requires not only additional security to access the data, but could impose a higher level of obfuscation on the data as it traverses the internet.

Just make sure you have someone who is a security professional doing the work – security is easy to think that you got right when in fact, you did not.


The most practical solution for most people, which you are trying to advocate for, is simply encrypting your data before it’s emailed.

The problem here is that encryption schemes for email are generally not as inter-operable as we’d like. If you can standardize on a solution that works for all of your senders and recipients, then your email problem is mostly solved. While some solutions are free, often they involve third-party software and periodic fees.

If you’re doing it on your own, and your correspondents may be running a different email client or perhaps even a different operating system, things get more difficult. Personally, I’ve not found a good solution that integrates well with various email clients. My approach instead is to send encrypted attachments. By that, I mean:

  • I write my message using a plain text editor or word processor and save it to disk
  • I use a tool to encrypt that file. Candidates are 7-zip (using ZIP format), AxCrypt, PGP/GPG and Truecrypt, although there may be other viable alternatives as well. ZIP files are perhaps the most easily interchanged, and current implementations privide good encryption.
  • I send the encrypted file as an attachment to my recipient.
  • I also send to the recipient – through a different channel – the password or whatever other information he will need to decrypt the file.

It is somewhat cumbersome, but if you can agree on an encryption tool, it works in almost all environments, and with any email client that can send  an attachment.

You’ll notice that encryption is a cornerstone of even the non-email solutions.


If all this sounds like I’m skeptical … it’s because I am. In my opinion, most people who think they are targets are, in fact, not.

But what if you really are? If electronic communication is a necessity, then encryption, good encryption, is a must. Things can be a little more complex than we’d like, but if it’s important then you simply cannot ignore it.

It’s one more reason why truly secure information is often best handled in phone calls or in person meetings, rather than email.

A special note: open Wifi hotspots

The one place where the average person may well be at much more risk than they realize – is in open WiFi hotspots. It’s fairly easy for anyone there to “listen in” on the data flowing to and from your machine. There, you need to be encrypted one way or another. See How do I use an open WiFi hotspot safely? for the steps that you need to take if you use a public WiFi hotspot.

(This is an update to an article originally published November 13, 2005.)

Subscribe to Confident Computing! Tech problem solving & safety tips & a weekly confidence boost in your inbox every week.

I'll see you there!

10 Reasons Your Computer is Slow

Slow Computer?

Speed up with my special report: 10 Reasons Your Computer is Slow, now updated for Windows 10.

NOW: name your own price! You decide how much to pay -- and yes, that means you can get this report completely free if you so choose. Get your copy now!

42 comments on “Just How Secure Is Email, Anyway?”

  1. I disagree with the tone of this response. Comparing email to online purchases is misleading. Almost all reputable online retailers will use encrypted HTTP to perform transactions over the web (usually your browser will notify you of this by displaying a padlock or similar icon when browsing a secure page). On the other hand email by default, is transmitted as plain text. Like most data on the internet it also passes through many networks and servers on the way from source to destination. It would be trivial for any one of these intermederies to automatically take a copy of all emails that contained credit card numbers. The fact that 99% of emails are boring is meaningless to a program searching for key words. As such I would advise your readers to always think before sending sensitive or financial information via email and follow your practice of encrypted attachments when required.

  2. There are email services available that use encrypted links by default. A list of providers and further discussion can be found at While it is true, few people are targeted, I suspect the environment is becoming more hostile for the average Joe.

    Hash: SHA1

    I don’t think so.


    Version: GnuPG v1.4.7 (MingW32)


  4. With all the hype now a days with hackers and systems being sabotaged and or comprimised i too was concerned with my companies safety and security when it comes to email information going over the airwaves. I did a lot of research into getting our own system and i found out pretty quickly that it can get very expensive and up into the 40-50k range to secure your emails with different sofisticated systems out there.Well i did my job and did more research i found a company that specializes in this market and saved thousands of dollars. the company is called and we now have a pretty sofisticated system in place through them, using desktop PGP and we are also using the blackberry devices through them as well equipped with PGP.Its a pay as you go service and it includes unlimited world wide roaming/24-7 tech support/the blackberry device of your choice and best of all they customized the plans according to our own specific needs.
    if you need security go and check them out you will save tons of money.

  5. Yes, solutions can be expensive, but what is the cost when one of your associates in human resources sends your 15,000 employees’ SSN’s to the wrong address and it gets picked up by the media? Hosted off-site solution work, but add more critical components that must be safeguarded. If the hosting company has a leak, your customers still ascribe the blame to you.

    Consider options surround the choice to encrypt and whether to use a hosted solution very cautiously.

    Strategic Data Management

  6. Are there any firm, researched statistics about this? To be meaningful, if would have to include incidents of hacking (say) per million, sub-divided by method of hacking.

  7. E-mail is easy to intercept even on wired networks. Ever hear of ARP Cache Poisoning, DNS spoofing, or ICMP redirect attacks?

    All of the above can be used to intercept any type of unencrypted communication on a wired network.

    Even if you trust people on your network, a compromised server on the recipients mail server network could be used to intercept email.

    Being paranoid about sending private data via email is a *good* thing and is not just for the people who wear tin foil hats.

    There are many attacks other than sniffing too.

    Do you trust that your recipient has a secure password on their email account, or that their computer is virus free?

    Twitter learned this one the hard way, see:

    Sorry Leo, but you are dead wrong. I’d strongly recommend that you retract this article. It is really dangerous to tell people that it is O.K. to send private data via e-mail.

  8. I agree with the others. the author has only considered one par of what constitutes a “risk”. In this case the liklihood of it happening.

    What he has not considered are the implications or severity of it happening. Brushing it aside under “Again, in most cases the cost is negligible … a little embarrassment at most.”

    “My business requires the emailing of some sensitive information on a regular basis. “

    This isn’t embarassment. It can lead to failed business, court cases, good knows what else. Anybody not implementing a simple email encryption procedure in these circumstances probably deserves everything they get.

  9. It is true the most users or companies will net get attack, however, you’ll will not know when you are being attacked. Therefore, it is necessary to encrypt your sensitive data when sending email to outside of your organization (external parties). It is dangerous to say that post an article as such, because if you have an individual or acompany email messages got sniffed you became 100% vulnerable and therefore its too late for you and your data.

  10. I agree with the other responders here. Indeed you need to worry about the privacy and security of your email communications. All you need to do is turn on the television or read a newspaper to hear of yet another ISP or Email Provider being hacked. Most of these hackers haunt the social media with relentless patience until they find that person who things that online security efforts are for the paranoid. Please check out for an easy and low cost solution to your online identity, the prices range from free to just 9.95 and as a bonus, your storage and attachment sizes exceed the common email carriers by far.

  11. E-mails are able to be intercepted – period.
    Tools are available and have been since mid 2009.
    A study was released in early 2009 that showed that the average age of hackers “targeting” small mortgage brokers is 14.
    The chances of 95% of the e-mails sent have no intrinsic value to anyone but the sender and receiver.
    The reality is that the vast majority of the intercepted e-mails fall into two buckets.
    1- the e-mails that are never identified as being intercepted. How do you really know?
    2- incidents of e-mails that were compromised and were identified, but never officially reported as being intercepted.
    But those who send Highly Regulated Content (HRC) over the open public internet need to take appropriate steps to protect that data as there are potential legal/financial/regulatory consequences in the event of a breach.
    Specific language is now in some business liability insurance policies that exclude any coverage for any electronic transmissions (e-mails).
    There are cost effective solutions out there that transfer the risks associated with a breach of data in “the cloud”. Just need to do some digging

  12. I learned the hard way that email is easily intercepted. My BF had issues with someone accessing his hotmail account and sending emails to family members. He asked a friend at a government agency to see if he could track down the person. In the midst of trying to find this person he looked at all the email addresses in my BF’s inbox. He dug up an email which put me in a very awkward position with my BF (no I wasn’t cheating). There is no other way he could have found this information out. He did this without breaking the law and without requiring a warrant. I’m waiting to hear from an expert in this field because I want to make sure nothing like this ever happens again. All that to say if you put it out there and it’s not encrypted it can come back and bite you in the backside.

  13. hello! – for the reasons described in the article above we have decided to launch opolis secure mail: – we thought that (i) there must be point-to-point encryption; and (ii) the sender must be in a position to decide what the recipient of a mail is allowed to do with it (eg forwarding, copying, printing). the service is for free. – also if you have any feedback, we appreciate this! – thanks!

  14. Internal email systems are often compromised by their administrators who find it easy and tempting to look at communication between their managers. There’s also the risks of misdirection, and the inability to revoke messages if you make a mistake.

    I sell to lots of government and legal clients, often people who have found out the risks of using email the hard way.

  15. I can only recommend to test Opolis Secure Mail. – The sender decides what the recipient is allowed to do with a sent message. For example a mail cannot be forwarded or printed without permission. And the sender can constantly monitor sent messages. Finally, all emails are fully encrypted …. – and all for free! What else can one wish?

  16. I can tell you with absolute certainty that Gmail is NOT secure. There is a certain woman who wishes to destroy my life and lets me know, each time I change email address, that she knows I did so, courtesy of her links to the female mafia within the spyops part of UK plc. She then gets her friends to claim they’d like a drink hence asking for my email address, they don’t contact, but miraculously, a few months later, an email appears when I go to stay somewhere else – just ‘saying hi. I could list numerous more, but it would be just this and that different…….

    It’s endemic in business, trust me. You type anything on your PERSONAL PC at home and certain execs know about it, despite you not being connected to the internet. Trust me, you test it in ways that are truly humiliating……thing is, the UK media mafia are at it too………..

  17. It’s excellent to see that this issue is getting increased visibility. Many comments are dead on about the extreme vulnerabilities of traditional email. The reality is you don’t need to protect/encrypt all email, but you know that when it comes to sensitive information, you have to have something in place. It’s easier than you may think to do this. Check out

  18. Leo, I was quite interested in the responses to your post, there are some paranoid nutters out there. I agree with you, intercepting emails is incredibly difficult. If you think otherwise please send me an application were I can type in an arbitrary email address and receive copies of the emails going to that address.

  19. I was asked to send an email to a person for a friend. Then I sent another email to the friend saying that I had sent the email to this person as requested. Within the hour I received an email from this person along with a copy of the message I sent to my friend. What happened and how can I protect my email from being seen by this person?

  20. “Leo, I was quite interested in the responses to your post, there are some paranoid nutters out there. I agree with you, intercepting emails is incredibly difficult. If you think otherwise please send me an application were I can type in an arbitrary email address and receive copies of the emails going to that address.

    Posted by: Fred Habuckle at October 4, 2010 5:49 AM”

    Fred – are you serious? It is clear to me you don’t know very much about the field of networks, IP packet transfer, or data security in IT. Magical ‘applications’ like that do not exist, applications are constructed of layers of architecture that extends beyond the GUI.

    Just because sniffing personal/business emails isn’t as simple as entering text in an application and waiting for the reply, doesn’t mean it’s ‘incredibly difficult.’

    But, having studied IT and worked in the industry for a few years now, I’ve almost given up trying to educate the end user of this. Until I see comments like Fred’s and articles like Leo.

    Leo – your article is misleading and above all ignorant. Sending emails is NOTHING like online transactions, which use HTTP/s, in-house or OOTB e-commerce security, MD5-or-other encryption. Email, largely unencrypted has none of this. A little embarrassment? Try … loss of business, reputation, personal life impacting on getting a future job or keeping our current one, ex-girlfriends/boyfriends being able to find where we are – anything…

    I could explain more about how an email is constructed, packets and how they are stolen and rerouted but as far as it goes – I’ll make this analagy, it’s as simple as intercepting a courier carrying an envelope, yanking it off him and then opening said envelope.

    • When I read things from the internet, I always check where the message comes from. Leo is a former Microsoft programmer. I understand his position. When you look at his other posts, there’s another article about “ads following users” you might want to disagree with.

  21. Not sure, but I think it’s called “pgp” — hard to listen to an “expert” if he doesn’t know the right acronyms.

    GPG is the free/open source alterantive to PGP.

  22. Leo, you are right about making the process simple and recently there are more services popping up that allow confidential communication between senders and recipients, some of which have been suggested already.

    I think the key to this is for the sender to be able to differentiate between whether an email is confidential and needs to be sent via a secure email service or whether you can send it via standard email with a small amount of inconvenience. I believe in both cases the service should be able to use standard email as a transport mechanism. is such a service but it is designed for business.

  23. A couple of points and a recommendation:

    1. Depending on your industry, encrypting e.mail may be required by a state or federal regulator.

    2. If you’re doing business in Massachusetts, or doing business with clients/customers in Massachusetts 201 CMR 17 requires confidential information (as defined by the act) to be encrypted if sent by e.mail.

    I recommend Ziptr (see I’ve been using it since it was in private beta and it just works – simply and easily! If you can use e.mail, you can use Ziptr. And it is free for individuals. They recently released Ziptr Biz with some nice compliance features for business users, too. Check it out!

    Good luck!

  24. I know that my email can be read by somebody along the line but I don’t care. I hope they enjoy the jokes. If it’s really that private don’t send it unless you have protection.

  25. Encrypting a message at one end and decrypting at the other doesn’t really take that much time and effort.
    You can change the encryption key through snail mail, which I think is pretty secure. You can even encode the snail mail if the Illuminatti is watching you.

  26. I always regard e-mail as “private” as a postcard.

    Telephone calls ditto. Particularly where one is a mobile.

    Sometimes I have sent, say, a password, but in such a case I send it in two parts, un-announced, and then send a third saying, “I have sent you the password by e-mail – the first part is in my second e-mail, the second part is in the first e-mail”. An eaves-dropper would not be likely to keep either of the first two, and a “spybot” would miss them both – particularly where I give a number in text, say 4483, as “forty four, eighty three” or “double four, eighty three”.

  27. Re Safety Or Not With E:mails~For Last Two Weeks My Long Time Reliable IncrediMail HYas Become All But Totally Dysfunctional In That The Moment I “Click Upon Fresh E:mails Within The Inbox I Am Presented With aq Dialog Asking >Do You Want To >OPEN or SAVE or CANCEL & Then If Select OPEN It Races Off To Mozilla Firefox Web Browzer & Sometimes Opens BUT Cannot Be Forwarded ???

  28. Friends were told that, despite their full contact list being hacked, their risk was minor to insignificant.
    I suggest they run Malwarebytes, Trend Micro HouseCall, Kaspersky Free or at least 2 of whatever they are not using. One does banking and other financial work on web – their bank and ISP said don’t worry – I’d worry – who’s right if there is such a thing?I’m already a subscriber of I’d get your book. I read the article = twice!

  29. Leo, I did read the article – twice. An employer has forged e-mails and e-mail contents – is there a way to prove they have been forged? I am certain they don’t encrypt. They have also said other e-mails proving that they have broken the law have been deleted and therefore cannot be supplied in a data subject access request. The corruption is widespread in the company. I am reporting them to the ICO, but can they do anything to the ghost copies on the main server? Will it show that they have deleted the ghost-copies? Going forward, is it possible to encrypt e-mail messages in, or do I need to change my e-mail provider to one that will allow encryption? Is it possible to encrypt messages at a job, without the employer’s permission?

  30. @LMac
    I can’t answer the questions you ask, because I don’t know anything about the legalities of what you’re asking, but as to your question about encrypting messages on your work computer, I wouldn’t type anything on a work computer that I wouldn’t mind my employers reading. They have the capability of monitoring every keystroke you type on their computer. Knowing this is possible, I’d behave as if they were watching.

  31. Leo
    Your archive is huge and includes many items from obsolete or obsolescent operating systems such as Win98 and Win XP.
    Could you install some kind of filter, so that our trawl is reduced ?
    Warren Crawford

  32. The section titled ‘You’re just not that interesting’
    Any plans on changing/updating this in light of the Snowden leaks??

  33. Leo,

    I decided, making copies first for safety’s sake to test AxCrypt. I did this with one hundred relatively short MS Word documents. First I encrypted them and then I “tried to decrypt them”. 87 passed with flying colors. Thirteen returned gobbledygook. As I stated at the start of this comment I first made duplicates of the hundred documents, copying them onto two flash drives (they have been known to fail although in this case they ddn’t) and then deleting everything that was returned by AxCrypt and copying back the files from the flash drive and then using a cute little program I have which compared that to the files on the other flash drive and all was well. At the time AxCrypt was the most highly rated file encryption program on the Windows 7 forum. I sent them a note. Before you recommend AxCrypt you might want to check it out yourself. I will never trust it.


Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.