How To Secure Your Email: Email Security Tips & Best Practices
At this time, email should be considered completely broken and insecure. It is very easy to intercept email in a browser or as it transits the internet, and the current standardized methods for protecting user information neglect metadata, which is all sent in the clear. This means an interloper can see when an email was sent, its destination, and even the subject header of a StartTLS-encrypted email. On top of that, if either the sender's or the recipient's service does not support StartTLS, the encryption silently fails and the email is sent in the clear with no data protection.
Let’s start at the beginning.
Unencrypted (plain) data is easy for a sophisticated attacker to capture and read. When an email leaves your device and crosses a compromised network device on its way to its destination, it is captured, read and stored away. This practice is not limited to the NSA: it is done by agencies all over the world, and even by computers on corporate networks. It could even be captured out of the air by an attacker if you use unsecured wifi in combination with unencrypted email.
In response to this problem, email providers have begun to support encryption for email via either SSL or StartTLS. This encryption is generally applied silently and is transparent to the user. If both the sender's and the recipient's email services support encryption, it is applied. The problem is that if either party does not support encryption, the email is often sent anyway, unsecured. This problem is made even worse by a vulnerability to man-in-the-middle attacks: a person with a position on the network between sender and recipient can simply intercept and discard the request to use encryption, so that the email is sent unsecured without either user being notified that the encryption failed.
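The downgrade described above, as an added example that is not part of the original article: a simulated SMTP EHLO exchange in which the server advertises STARTTLS, a hostile hop strips that line from the reply, and the client either falls back to plaintext (the usual opportunistic policy) or refuses to send (a fail-closed policy). The hostnames and reply lines are constructed.

```python
# Added example: opportunistic STARTTLS versus a fail-closed client policy.
# Everything below is a constructed simulation of the SMTP EHLO reply;
# no network traffic is involved.

SERVER_EHLO_REPLY = [
    "250-mail.example.net Hello client",
    "250-SIZE 35882577",
    "250-STARTTLS",
    "250 8BITMIME",
]


def advertised_extensions(ehlo_lines):
    """Parse a multi-line EHLO reply into the set of advertised extensions.

    The first line is the greeting; each later line is '250-EXT' or '250 EXT'
    (the space form marks the final line).
    """
    exts = set()
    for line in ehlo_lines[1:]:
        if not line.startswith("250"):
            raise ValueError("unexpected EHLO reply line: %r" % line)
        keyword = line[4:].split(" ", 1)[0]  # drop '250-'/'250 ' and parameters
        exts.add(keyword.upper())
    return exts


def strip_starttls(ehlo_lines):
    """Model a STARTTLS-stripping middlebox: remove the STARTTLS advertisement
    so the client never learns that encryption was available."""
    kept = [l for l in ehlo_lines if l[4:].split(" ", 1)[0].upper() != "STARTTLS"]
    # Keep the reply well-formed: the final line must use '250 ', not '250-'.
    kept[-1] = "250 " + kept[-1][4:]
    return kept


def client_decision(ehlo_lines, require_tls):
    """What an SMTP client does after reading the EHLO reply.

    Returns 'tls' (it will issue STARTTLS), 'plaintext' (it sends unencrypted,
    the opportunistic default), or 'refuse' (fail closed: TLS required but
    not offered).
    """
    if "STARTTLS" in advertised_extensions(ehlo_lines):
        return "tls"
    return "refuse" if require_tls else "plaintext"


if __name__ == "__main__":
    stripped = strip_starttls(SERVER_EHLO_REPLY)
    print("honest reply, opportunistic client:", client_decision(SERVER_EHLO_REPLY, False))
    print("stripped reply, opportunistic client:", client_decision(stripped, False))
    print("stripped reply, fail-closed client:  ", client_decision(stripped, True))
```

In real mail software the fail-closed behaviour is a configuration setting rather than code, for example Postfix's `smtp_tls_security_level = encrypt`, which makes the sending server refuse delivery when TLS is not available.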
There is also the problem of “who holds the keys” for email encryption. In the case of webmail services, the data is protected by keys generated by Google, Yahoo, Facebook et al. You are beholden to these companies to protect your data properly and not to compromise any of your keys on behalf of some other party.
The solution here is to not rely on SSL or StartTLS to protect your data.
Pretty Good Privacy (PGP) encryption gives users end-to-end protection of their data because the keys are generated on your device and on the recipient's device, and the data is then exchanged in encrypted form through whatever medium you are using. This makes it impossible for an interloper (even your email provider) to read the contents of the message. You can use PGP for any document type; it is not exclusive to email.
The drawback to PGP is that it is very user-unfriendly. The most popular application, GNU Privacy Guard (GPG), is hard to use and confusing to anyone who is not well versed in cryptography (almost everyone).
The good news is that there are projects trying to address the usability problem. The Mailvelope plugin for Chrome and Firefox has an easier-to-use interface, integrates directly with webmail sites like Gmail, Yahoo and Outlook (webmail version), and can be made to work with other sites with some extra configuration.
Beyond secure messaging, it is important to think about what to do with all of the insecure messages that you receive daily. It is almost impossible for a non-savvy user to verify the identity behind an email, so the best way to protect yourself is to trust no one.
Below are a few methods that attackers use to try to steal personal information from you.
One common method involves sending you an email that looks like a genuine message but is in fact a fake, designed to compel you to visit a fake site or enter sensitive information.
You will receive a message that appears to be from your bank, an ecommerce website, or a payment service like Paypal, and it will say something that requires you to respond: that “your item didn’t ship”, “your order was cancelled”, or even “your account has been compromised”. It will then offer you a link to a solution of some kind. This link takes you to a fake website specifically designed to look exactly like the website you expect. It will then try to get you to enter your information, which is then used for fraud.
Always be suspicious. If your bank sends you an email containing links, do not click on them. Instead, open your web browser or a new tab and go to the website manually. This prevents any attack that relies on directing you to a fake site via a bad link. You should also be suspicious if the site you are currently visiting is not a secure site: look for https at the beginning of the URL in your address bar. If you see http, the site has not been verified by your browser to be genuine.
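The two checks above (is the link https, and does it actually lead to the site the message claims to be from) can be applied to a message before anyone clicks. The following is an added example, not code from the original article: a small standard-library checker that reads the links out of an HTML email and reports any that are plain http, that point at a host other than the expected one, or whose visible text shows one site while the href goes to another. The sample message is constructed, and `paypal.com` is used only because the article names Paypal as a commonly impersonated service.

```python
# Added example: flag links in an HTML email that warrant suspicion.
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(text):
    """Lower-cased hostname of a URL or bare domain ('' if none)."""
    if "://" not in text:
        text = "https://" + text
    return (urlparse(text).hostname or "").lower()


def suspicious_links(html, expected_host):
    """Return (href, reason) for each link that looks wrong in a message
    claiming to come from expected_host (e.g. 'paypal.com')."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = _host(href)
        if urlparse(href).scheme != "https":
            findings.append((href, "not https"))
        elif target != expected_host and not target.endswith("." + expected_host):
            findings.append((href, "leads to %s, not %s" % (target, expected_host)))
        # Visible text that looks like a URL or domain but names a different host.
        shown = _host(text) if ("." in text and " " not in text) else ""
        if shown and shown != target:
            findings.append((href, "text shows %s but link goes to %s" % (shown, target)))
    return findings


# Constructed sample: a typical "your account has been compromised" lure.
SAMPLE_EMAIL = """<p>Your account has been compromised. Verify now:</p>
<a href="http://paypal.example-secure-login.test/verify">https://www.paypal.com/</a>
<p>Or read our <a href="https://www.paypal.com/help">help page</a>.</p>"""
```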
If you receive an email that is suspicious but you believe could be genuine, contact the support staff for that service directly. Do not reply to the email, since a fake email would also point you to fake support. Go to the website manually and contact the support staff; they will tell you whether the email is genuine. Some services even allow you to forward suspicious emails to their staff, who evaluate them and tell you whether they are genuine. For example, Paypal asks that users forward suspicious emails to firstname.lastname@example.org so that their staff can examine them.