The practice of communicating through emails has become so institutionalised that it is hard to believe that this superbly ubiquitous form of messaging came into our lives only forty years ago! Online presence requires using an email address across most platforms in order to receive notifications, access social networking and mobile banking applications, or even to shop online. As a result, the all-pervasive use of email addresses often overrides its rudimentary functionality – i.e. messaging. This can cause some users to have multiple email accounts (1.75 on average).

 How often do you share your financial information, social security number, passport information or address in an email? Do you ever consider that your secure emails can be accessed by not just you and the recipient until it reaches the destination? Unfortunately, many people hugely overestimate the security of emails. With all the personal information you share via emails, it is possible to generate a duplicate digital identity that maybe worth more than you can imagine.

Man in-the-middle scam

On October 2017, Mr and Mrs Scott of Essex had lost £120,000 by sending money to a fraudster’s account that they thought was their family solicitor’s bank account. The solicitor’s email had been compromised and the hackers, while impersonating the solicitor online, had sent the wrong bank account details and pocketed the payment. Email communication has become so intrinsic to our day-to-day lives, it did not occur to the victims to cross reference the information on email with any other form of communication.

‘A single compromised email account ricochets across a huge number of services weaving through numerous aspects of daily and professional life.’

You’ve got (E)mail!

In March 2018, 3.8BN email accounts were live worldwide — with over 281 billion professional emails sent daily in 2018, which has been estimated to grow to more than 333 billion by 2022.

Statistics of worldwide email usage

A single compromised email account ricochets across a huge number of services weaving through numerous aspects of daily and professional life.

Pass the parcel – playing with confidential information    

While emails are essential in a professional environment, email security is a nebulous topic to most – who assume it is highly secure – and thus provides a conduit for cyberattacks. Users do not realise they are often playing ‘pass the parcel’ with their most confidential information. An email hops through multiple locations before it reaches its intended recipient.

How email works

Despite this convoluted circuit, email has been trusted as a primary communication tool for years. When questions are raised around email security, a provider such as Google responds that Gmail acts like a ‘postman’, delivering your information without snooping into it.

While trying to address privacy concerns of using Gmail, Google policy chief Susan Molinari famously said in 2018: “Developers may share data with third parties so long as they are transparent with the users about how they are using the data.” Molinari defended the practice, saying that its privacy policy is “easily accessible for users to review”. She adds that users must accept permissions before Google hands over data. Not a helpful or transparent proposition, when we are all guilty of the mindless acceptance of websites and apps’ terms and conditions.

Types of email security breaches

Through email communications, information is handled by the recipient’s electronic communications service provider and in the course of delivery, information embedded into the email is vulnerable, which is rarely known by the sender. The original connection may be secure, but other connections in the sequence are not guaranteed as such. Security breaches on email can happen at device, network or server level.

For your eyes only? Device-level security breaches

While it is convenient to believe that email security is the sole responsibility of the IT team, the reality is that email content can be leaked or end up in the public domain, even if it is not hacked. It is possible to download, print or screenshot sensitive information and share it with unauthorised parties. Printing an email containing confidential information and leaving it on their desk is one of an endless list of risky situations. The main culprits when it comes to email security breaches often are senior employees as they naturally have access to more sensitive information. While data breaches on a device can be due to human error, some sophisticated programs can access and read email data, even read and display attachments. Email snooping is the most common purpose of malware.

Let’s go phishing

Considering private investments, the sensitive nature of these deals together with the fact that secure financial information is sent over standard email to investors is a tempting lure for fraudsters to ‘go phishing’. Phishing is tricking email recipients into divulging credit card information, username, or passwords, typically carried out by legitimate-looking emails seemingly coming from trusted advisors or companies.

Phishing attacks

Beyond your control: network level security breaches

The network level breaches are more complicated and, worryingly, much more open to access from multiple locations. In a scenario where email is on a company-hosted server and the recipient’s server is also company-hosted, vulnerabilities appear at each points of entry to the servers: each of those connections involves a series of routers and switches most likely owned and operated by different organisations.

Opening Pandora’s Box: server level security breaches

Each email service provider stores your email on their own server. If your email password is compromised, fraudsters can login through your email provider webmail and read any email stored. Unencrypted emails are most at risk. Email services usually store messages as plain text, which makes it incredibly easy to read all emails and attachments once the server is hacked.

Walking the line

Email security is challenging to implement also because IT professionals are often under pressure by the business to deliver effective processes which importantly do not hinder the speed and efficiency of day-to-day revenue generation.   

In the financial services industry, where high-stake and highly sensitive information is often circulated via email, many would argue security measures adversely affect productivity. Encryption of different kinds – transport level, end-to-end – is commonplace, but it requires recipients to agree and cooperate with system requirements. It is applied to the most sensitive emails while more generic emails are not encrypted. Securing and encrypting emails requires an email encryption gateway and levels of automated checks.

Adhering to high privacy standards is challenging and expensive if email is to remain at the core of processes. While security is the overarching concern, other problems such as human error, information management overload and disconnected tools also affect the efficiency of email communication. In spite of popular practice, it is best not to share confidential information such as deal details by email. The lack of security in email communications is ushering a new standard in the private market. The responsibility of building or maintaining in-house technology solutions can often prove to be counterproductive for financial firms. As a result,the financial industry is slowly considering alternatives such as buying enterprise solutions such as cloud-based platforms in order to distribute information in a far more secure yet efficient manner.