We all use email on a daily basis, but are we sure that the email we use is a safe and secure method of data transfer and communication? Let’s have a look at some of the major reasons why email is not secure and how we can secure it.
A Bit about Email & its History
Who remembers the days before we used email in our businesses? I certainly don’t, but there was a time when people actually wrote things down and sent letters to each other.
But today email has become such an important part of our business culture that people use it all day long, and for some people the inbox is actually their to-do list.
We communicate with customers, partners, and team members using the trusty old email system, and some people actually prefer sending an email to speaking with people in person.
But have you ever stopped and wondered whether the email you’re sending is secure or not? Can anyone access your email without your permission? Let’s see how it works.
When Ray Tomlinson invented email in the 1970s, he didn’t do it with security or privacy in mind; it was just a concept for sending a set of data over the internet.
It’s true that email security has moved on since the 1970s, but to date it is still not a secure method of communication.
Before getting into that, let’s understand how email encryption works.
How Email Encryption Works & why it’s not Secure
Email Encryption is the masking of message content until the message is received by the intended recipient with the goal of protecting the information contained from inadvertent interception.
Email encryption generally works through public-key cryptography: a user establishes a public key, receives messages, and decodes them with their own personal private key.
A private key can also be used to digitally sign a message to ensure it’s coming from the appropriate sender.
Any sort of information that’s deemed private should be encrypted, including Non-Public Personal Information (NPPI) and Protected Health Information (PHI). Failing to encrypt this information, if it is then intercepted unencrypted, could result in serious legal fines.
Email encryption protects from fraud, man-in-the-middle attacks, and social engineering.
The idea behind this is that if an encrypted email is intercepted, it’s not as detrimental to the organization as if it were unencrypted.
There are many companies that provide email encryption solutions, which can be used as an add-in for Microsoft Outlook or any other mail client.
The way they work is that you type “secure” into your subject line to send a secure email or, in a lot of cases, they’ll have an encryption send button which you can click.
So Why Email is not Secure?
Email is so bad for privacy because it’s one of the oldest protocols on the internet, and, apart from websites, it’s definitely the one with the highest level of adoption.
Let’s take an example. When you send an email, it’s a little bit like posting a letter: you write the letter, put someone’s address on it, and post it.
But you are relying on other people in between to deliver that letter for you. You hope that the letter ends up in the right place with the right person and that nobody reads it along the way.
Unfortunately, you can’t be certain, yet businesses of all sizes still use email to communicate passwords, credit card information, and all the other bits of really important personal information that are valuable to you.
A bit of a fun fact for you: did you know that sending a fax is actually more secure than sending an email?
Let’s understand How Email moves Around the Internet & why it’s not secure
From a technical point of view, email is transferred from the sender to the email service provider (server) and from there to the receiver, after passing through spam and antivirus filters. But is that really a secure way to send an email? Let’s see how it works.
Let’s say that I am going to send an email to you. First I get on my device or my computer and compose an email, and then I send it to my mail server.
Now, the connection from my device to my mail server might be secure or it might not. If it’s not secure, the message still moves from my device to my mail server as expected,
but it is not protected while it’s in motion; we can say that this is data in motion that is not being protected.
So my message gets to my mail server, and my mail server has to store it somehow before it sends it out to the receiver, the client, or whoever else I want to send it to.
This is a small step, but consider that there may be spam scanning or antivirus scanning going on over your personal and private messages. One way or another, the message has to be stored somewhere; hopefully the storage on that server is secure, but we can’t be sure of that.
So we’re talking about data at rest: is it protected? Well, you don’t really know. Your email provider is probably trustworthy, but you can’t know 100% for sure whether they are or not.
But let’s say that the process of sending my email from my device to my mail server is secure, and that my ISP (Internet Service Provider) has a secure mail server, and that’s all cool, all right?
Now my message has to go from my mail server to your mail server. How is it going to do that? It’s going to use something called the Simple Mail Transfer Protocol (SMTP), and that protocol by default is not encrypted. Yes, you heard it right: it’s not encrypted at all, nor does it support any sort of encryption for the safe transfer of email.
That simply means anything in my message is going to be transmitted over the internet, potentially through different servers and different networks, and it’s all going to be in the clear, meaning simple text.
If somebody wants to sit and listen and look at that traffic, it’s not encrypted and it’s not protected; they can look at it in any way they like.
You might say: but who would do that? Well, remember that big government agencies like the NSA camped out in front of Google and sucked up all their data.
So if you had Gmail, they might have sucked up this information and shared it among all the major countries, the Five Eyes.
So you can be assured that if it’s been picked up in one country, or by one country’s intelligence agency, it’s probably being shared by all of them, but that’s maybe a different story.
The point I’m trying to make is that as your mail moves from one mail server to the other mail server, it’s not protected; there’s a small chance it could be, but most likely it’s not.
Okay, my message is now at your mail server, so now you have to get that message. Just like when I sent my message, you have to connect to your mail server and download or view my message, and I hope that you’re doing that securely, but maybe you’re not. It’s not your fault, but there are many third-party factors that can spy on your system as well.
I wouldn’t know; how would I know what you’re doing? The other thing is that I’m assuming that the person I’ve sent the email to is the same person that’s looking at it.
Are you the only person that looks at your mail, or does somebody else look at it? Maybe I’m sending an email to a mailbox that multiple people can look in.
Well, all those people have access to that message, and they can again take copies and forward them. So that’s the reason why your email is not secure unless and until it’s encrypted.
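The hop-by-hop path described above leaves a trace you can inspect: each server that handles a message prepends a `Received:` header naming the protocol it was received with. The following is an added example, not code from the original article; it reads those headers from a constructed sample message (hosts, addresses and IDs are made up) and lists the hops that were not carried over TLS.

```python
import re
from collections import namedtuple
from email import message_from_string

# "with" protocol keywords that indicate TLS on that hop (RFC 3848).
TLS_TYPES = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

Hop = namedtuple("Hop", "sender receiver protocol encrypted")

# Constructed sample message: hosts, addresses and IDs are made up.
SAMPLE = """\
Received: from out.sender.example (out.sender.example [198.51.100.10])
\tby mx.recipient.example with ESMTP id def456;
\tMon, 01 Jan 2024 10:00:02 +0000
Received: from laptop.local ([192.0.2.55])
\tby out.sender.example with ESMTPSA id ghi789
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
\tMon, 01 Jan 2024 10:00:01 +0000
From: me@sender.example
To: you@recipient.example
Subject: constructed example

Hello
"""


def strip_comments(value):
    """Remove (possibly nested) parenthesised comments from a header value."""
    count = 1
    while count:
        value, count = re.subn(r"\([^()]*\)", " ", value)
    return value


def _field(keyword, text):
    """Return the token that follows 'from', 'by' or 'with', if present."""
    match = re.search(r"\b%s\s+([^\s;]+)" % keyword, text)
    return match.group(1) if match else None


def hops(raw_message):
    """Return the message's hops in the order it travelled."""
    msg = message_from_string(raw_message)
    result = []
    # Each server prepends its header, so the last one listed is the first hop.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())   # unfold continuation lines
        bare = strip_comments(flat)      # comments may themselves contain "with"
        protocol = (_field("with", bare) or "unknown").upper()
        # Some servers record TLS only in a comment, e.g. "(version=TLS1_3 ...)".
        tls_comment = re.search(r"(?:version=|using )TLS", flat) is not None
        result.append(Hop(_field("from", bare), _field("by", bare),
                          protocol, protocol in TLS_TYPES or tls_comment))
    return result


def cleartext_hops(raw_message):
    """Hops whose Received header shows no sign of TLS."""
    return [h for h in hops(raw_message) if not h.encrypted]


if __name__ == "__main__":
    for hop in hops(SAMPLE):
        state = "TLS" if hop.encrypted else "CLEARTEXT"
        print(f"{hop.sender} -> {hop.receiver} [{hop.protocol}] {state}")
```

Headers written by hops before your own provider can be forged by the sender, so treat only the topmost `Received:` lines, the ones your provider added, as reliable.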
Why Email is Bad for Privacy?
The major reason email is so bad for privacy is that it’s one of the oldest protocols on the internet, and, apart from websites, it’s definitely the one with the highest level of adoption; it is therefore the hardest to change, even though a lot of people are trying to change the standards of email.
But truth be told, I don’t think that’s going to happen, at least not in the near future. So there are two problems that are very significant with email.
1) We cannot confirm people’s identity over Email
I’m sure you have received an email more than once that says that your bank has a problem and you need to log in to update your contact information. Or perhaps you’re using a provider:
I know I’m using SendGrid for some of my projects, and I receive a whole bunch of scam emails from SendGrid saying that my account is about to be shut down and I need to add a credit card or renew a service. Those are called phishing attacks.
People are essentially trying to get hold of your credentials (not your contacts), and then they can hijack the account. That’s something that is solved in apps such as Signal.
So technically there’s no way to check the identity of the person sending the email to us, unless we know them personally.
So this is one of the major drawbacks of email: we cannot confirm people’s identity, or the sender’s identity, over the internet.
2) Email protocol does not support end-to-end Encryption
What that means is this: when you’re sending an email to someone, your computer is using your credentials, through what is probably an encrypted channel, to log on to your email provider.
When you’re logged in, you can send emails through that email provider. So far so good; things are encrypted. That being said, as soon as the email is dispatched, it’s on the servers of your email provider.
Well, there it’s no longer encrypted at all. It may be encrypted at rest, meaning that your provider is encrypting the information on their hard drives, but your provider, or partners of your provider, all have access to that content in clear text, which is also called unencrypted format.
That’s a huge problem, because if you’re sending a message to someone, in the best of worlds only that person would be able to see it, and that’s why we’re using Signal and things like that.
Email does not support that. The reason I’m saying all of this is that if you’re sending me an email that is sensitive, or if you’d prefer not to reveal the content of that email to the whole world, I would really recommend encrypting it using PGP.
So the key takeaways here are: email is not good, you cannot confirm someone’s identity, and you cannot end-to-end encrypt a message.
If your internet service provider is your email provider, they can see your emails; Google can see your emails; and if you’re using a service such as ProtonMail that pretends everything is encrypted, blah blah blah, they’re actually using OpenPGP.
Although they say this, if someone is sending an email to you from Gmail, what they’ve sent is on Gmail’s servers in clear text, even though at your end things might be encrypted.
And when they answer back to you, that answer is on Gmail’s servers unencrypted. Therefore email is really bad for privacy, because the only way email can kind of work is if, for instance, you’re using something such as ProtonMail.
Reasons Why Email is Not Secure
Email is considered to be one of the most important modes of professional and private communication over the internet.
Many businesses rely on email and email providers for their data security, but can we be sure enough to rely totally on email and on the security protocols of the email service provider?
With the introduction of GDPR, any data breach nowadays could land your business with a hefty fine and greater losses for the company as well.
For that reason, I have created a list of obvious reasons why email is not secure.
1) Once Sent, It’s Out of Control
“The greatest strength can turn into the greatest weakness,” and that has happened with email as well. Email has the ability to send any sort of data to anyone over the internet, at any time, just by entering an email address.
But this amazing ability has a drawback: if I send an email to my friend Mosh, there is no record of whether my email is then sent on to hundreds or thousands of people.
It simply means that if my friend Mosh decided to forward my personal or professional email to multiple people, how would I know?
There’s no tracking system for that, unless and until I encrypt the email.
Once an email has been sent, there’s no record of its sharing or leaking.
So the uncontrolled spreading behavior of an email is one of the major reasons why email is not secure.
2) Sudden Data Leaks
Sudden or accidental data leaks are one of the major reasons why email is not secure.
Take an example: you work in a company, and one of your employees accidentally sends some confidential information to the wrong email address.
Here comes the major drawback: once sent, an email is irreversible. We cannot undo it, and this type of error can also happen at your email service provider.
So the way to stay safe from this type of problem is to encrypt your email with password protection or something similar.
3) Ransomware Attack
Ransomware attacks are mostly carried out through pirated software or emails. We may not open unknown emails, but there is still a high chance that we accidentally click on a link in one of them.
These spammy emails lie unnoticed in our inboxes; if not you, then one of your employees may click on a spammy email, which leads to a ransomware attack on the company server.
4) Email Protocol Does not Support End to End Encryption
Email protocols like POP3, SMTP, and IMAP were not meant for encryption, and because of that, email is not end-to-end encrypted.
5) Phishing attack
Phishing attacks are common in email. Just like ransomware, a phishing message sits somewhere in your inbox unnoticed, with the intention of stealing your important personal and official data.
The attackers can then sell your precious data or make a deal with you in exchange for it. Phishing is common in email because anyone who has your email address can send you an email directly, unlike other data-sharing services where verification is required. Hence email is not a secure way of transferring data in the form of text, images, documents, or anything else.
6) Maybe your Device, Server & Network is not secure
It’s very common for your device to be under attack from some sort of virus, trojan, or worm. Or maybe your server is not secure, or you are using shared internet from a free internet provider, in which case there is a high chance that they are spying on your activities.
To prevent that, you should install antivirus software on your system and use a secured internet service.
7) Maybe the Receiver’s Device, Server & Network is not secure
This sort of problem is out of our reach: we don’t know anything about our receiver’s device, so there is a high chance that our data might get leaked.
To avoid that, we can take certain precautions with our receiver, like password-protected email; more solutions are given below.
8) We don’t know that Saved Email/Archived Email is safe
A saved or archived email is always at risk of a data breach; this is what we generally call data at rest. It is a fairly serious drawback of email, as anyone can save the email in other formats and circulate it without your consent.
When they save or archive that email, is the data going to be protected while it’s at rest? I don’t know, and I can’t be sure: do they encrypt it, are they protecting it in some way?
How do they make sure that the information I’ve sent them in this email is not going to be lost or leaked? You can’t know, right? You can’t be a hundred percent sure about that.
We’re all human: people make mistakes, systems are misconfigured sometimes, things happen, and it’s hard to know.
So there you go: your message could be transmitted in the clear, it could be intercepted, and people could get it.
So you don’t want to send sensitive information over email. Then again, depending on what your risk appetite is, maybe you think that risk is pretty small and you’re not too worried about it.
9) Many Email Service Providers Don’t provide Encryption
We all use many different email services like Gmail, Outlook, Yahoo Mail, etc. But many of us don’t know that these companies hold all the records of our emails and their transactions, and there is a high chance that they are spying on us as well.
That’s the reason why they don’t provide end-to-end encryption: with end-to-end encryption, only the sender and the receiver would have access to an email.
10) Emails can be Un-Encrypted
Most of the email we send over the internet is in unencrypted form, which in simple words we can also call plain-text format. Even if we encrypt it, there is still a high chance that our service providers can decrypt our encrypted email, because we are relying on their service.
The chances of an email being decrypted are lower, but we still cannot ignore the possibility of data leaking.
Let’s assume that you’re sending an email to somebody on the same server, from one mail user to another mail user. Maybe that’s fine, and probably in lots of cases it is.
But if you’re sending an email that’s going to traverse the internet, say to a Gmail account, a Yahoo account, or some other domain’s account, that message could be moving across the internet in the clear and unencrypted. Is that a risk you want to take? Maybe, or maybe not.
So relying totally on other companies for email data security is extremely dangerous.
Well, there are a couple of things you can do. As I said in the beginning, email was never designed to be secure, but there are some things that are bolted onto email that can help make it secure, and here are some of those.
Steps to Secure an Email
I think the best way to maintain your security, though, is what I call pre-internet encryption.
That means that before you put any sensitive information on the internet, you encrypt it first.
That way it’s safe: when it’s on the internet, it doesn’t matter if someone gets the message, because it’s encrypted and they can’t decrypt it.
A good example of this: say I want to send some information to you, and I want to make sure that it’s secure as I send it.
Well, maybe I’ll type it into a Word document and password-protect that document in some way so it can’t be opened, and then I’ll email it to you. Then I’ll call you on the phone or send you a text message and say: hey, I have sent you a password-protected document, and here’s the password for it.
As the email message moves across the internet, the file is encrypted, so it’s secure. And because I’m communicating the password to you out of band, meaning not with the message I sent and not over the same medium (I’m calling you or, like I said, sending a text), I can be reasonably sure that the information isn’t going to leak.
When you get the message, you’re the only one that really knows the password, and you can decrypt the message.
You can do the same thing with a zip file: collect a bunch of documents into a zip file and password-protect that zip file.
2) Secured Device
Installing antivirus or internet security software can greatly help in this type of situation. If your device is not secured, then no matter how well your email is encrypted, your data will never be safe.
Here are some of the top recommendations to protect your device from spying.
3) Encrypted Network Connection
Now that your device is secured, what’s next? One of the major security concerns that no one talks about is your internet security: whether your internet connection is secured or not, and whether someone is spying on it or not, we don’t know.
So here are some of the recommendations for Email Security.
4) Use of Better Email Service Provider
In some or other way we all use an Email service provider like Gmail, Yahoo Mail, Outlook, etc.
But as we know, these email service providers are not end-to-end encrypted; all our emails are in plain-text format.
So is there any solution for this? Yes, you can use ProtonMail.
5) Password Protection
It basically works the same as the encryption method above: in this method we apply a password to the email, so that it’s impossible for any third person to access the content of the email against your will.
6) Installation of Spam & Antivirus Filters
The antivirus, total security, and email security systems mentioned above all provide spam and antivirus filters.
You can also use a free spam checker before opening or accessing an email.
7) Avoid using Public Internet
Many of us use public Wi-Fi, which is freely available, but according to studies nearly 78% of free internet providers are hackers; there is very little chance that the free internet you are using is safe to use.
Most of them are freely available for phishing attacks, ransomware attacks, and many more.
Which is more Secure Email or FAX
We tend to think email is quite secure, but sadly that’s not true; the fact is that “Fax is more Secure than Email”. If you want to know why your email is not secure, have a look at our blog.
How can we make our Email Safe?
Since email is not one of the most secure ways of communicating over the internet, the one way of securing your email is encryption: a process of encrypting email with a public key and a private key.
Is Simple Mail Transfer Protocol SMTP safe for Email Transfer?
No, Simple Mail Transfer Protocol (SMTP) is not secure at all, because it’s not encrypted, and we know encryption is the key to security. Since SMTP is not secure, we can say that email is not secure at all.