How to Send Sensitive Content & Files Securely Over Email

Email was invented in the 1970s and has since become an integral part of our lives, for both personal use and at work. It was built as an open communication tool and not designed with security and privacy as a top priority – so while this helped lead to email’s wide adoption and flexibility, it also opened the door to many of the issues we deal with today, like spam, spoofing, phishing and unintentional sharing of sensitive information.

Though secure messaging services like Slack, Microsoft Teams and Discord are increasing in adoption and useful for internal team messaging, email’s ubiquitous nature means it’s unlikely to be replaced by other means of communication en masse. Sending sensitive content over email, like login credentials, financial data, or internal documents, can be problematic, so let’s look at the best ways to share these types of information.

The Problem with Email

Email’s open nature means it’s relatively easy for an unencrypted message to be intercepted and read by a third party, or to be forwarded to someone else. While you might not be aware of instances when your email has been intercepted and read surreptitiously, perhaps while connecting to an insecure Wi-Fi hotspot at an airport or cafe, you’ve certainly experienced a case when someone forwarded a long internal email thread and unintentionally shared private conversations with someone who should not have received it.

Unfortunately, these situations happen frequently because it’s simply too easy to forward and share email with anyone. Hopefully in these cases what was shared was harmless or irrelevant, but many times it can be embarrassing or a cause of concern from a security perspective.

Consider Your Email as Public Information

First, be aware that what you write in an email can be easily shared outside your intended audience. If it would be embarrassing to end up in the wrong inbox, consider if you should send the message at all, or if there’s an alternative method of communication better suited to the situation. Even though your email may only ever be seen by the recipient, having the frame of mind that email messages are inherently insecure can prevent you from making embarrassing or costly mistakes. Remember, for regular email there is no undo button, so once it’s sent, that message is out there in the world.

How to Share Sensitive Content and Files

First, when you do need to share sensitive content, do not send it directly in the body of a regular email message or as an attachment. Depending on what you’re sharing, use one of the options below to secure your message. 

Sharing Text

There are several options to secure textual information, like login credentials or sensitive messages, depending on your email provider and client.

If your email provider supports it, consider using built-in email encryption tools. Open-source tools like OpenPGP have existed for many years, but with direct support in services like Microsoft Office 365 and Google Gmail, it is easier and more accessible than ever to use email encryption. These tools ensure only your intended recipient has access to the message and give you additional controls to revoke access after sending. For those in particularly sensitive industries regularly dealing with personally identifiable information, like health care, banking or insurance, there are additional services that can be layered on top to enforce compliance requirements.

If email encryption is not available to you, consider sending a link to a secure message on a service like One Time Secret, which allows a message to be viewed only once, and after that is automatically deleted. You can also set the message to automatically expire after a certain amount of time.
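The view-once and expiry behaviour described above, sketched as an added example; it is not One Time Secret's code or API, and the class, function and sample values are hypothetical.

```python
import hashlib
import secrets
import time


class OneTimeSecretStore:
    """In-memory view-once store: each secret is readable once, before it expires."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._items = {}  # sha256(token) -> (expires_at, secret)

    @staticmethod
    def _key(token):
        # Index by a hash so the store never holds the link token itself.
        return hashlib.sha256(token.encode()).hexdigest()

    def put(self, secret, ttl_seconds):
        """Store a secret and return the unguessable token that goes in the link."""
        token = secrets.token_urlsafe(32)
        self._items[self._key(token)] = (self._clock() + ttl_seconds, secret)
        return token

    def reveal(self, token):
        """Return the secret once; None if unknown, already viewed, or expired."""
        # pop() deletes on first read, so a second request finds nothing.
        entry = self._items.pop(self._key(token), None)
        if entry is None:
            return None
        expires_at, secret = entry
        return secret if self._clock() < expires_at else None


def demo():
    now = [0.0]  # constructed fake clock so expiry can be shown without waiting
    store = OneTimeSecretStore(clock=lambda: now[0])
    link_token = store.put("constructed-sample-password", ttl_seconds=3600)
    first = store.reveal(link_token)    # intended recipient opens the link
    second = store.reveal(link_token)   # anyone opening it afterwards gets nothing
    stale_token = store.put("another-constructed-secret", ttl_seconds=60)
    now[0] += 61                        # recipient waits too long
    expired = store.reveal(stale_token)
    return first, second, expired


if __name__ == "__main__":
    print(demo())
```

Because the secret is deleted on first read, a recipient who finds the link already used knows it was opened before they got to it, which is the cue to change that credential.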

For information like login credentials, we recommend splitting the message in two halves, e.g., send the username via email, but the password via an alternative method like iMessage, WhatsApp or other secure messaging app with built-in end-to-end encryption. By splitting the message, you decrease the chance that nefarious entities can retrieve both the username and password, thus gaining unauthorized access to that service.

You can also place this information in a text file or Word document, and then share that file via one of the services discussed in the following section.

Sharing Files

For files, consider sharing a link to the file through a file-sharing service like Dropbox, OneDrive, Box or WeTransfer. All these services allow you to share links to files, and then optionally set restrictions on their access, either with passwords, expiration dates, or by manually disabling the link. This means you retain control of access to the file even after the email is sent.

Sharing Many Files / Ongoing Collaboration

For sharing large numbers of files or in longer term collaborations when you’ll be sharing files frequently, consider setting up a shared folder in a file-sharing service, with all parties having a username and password for access. This has the benefits of keeping everyone in sync (you don’t have to worry about which version of a file someone was emailed), keeping the files secure, and reducing the amount of storage space used in your email account. These shared folders can either be accessed through a web browser, or through a synced folder on your computer if you install the service’s file syncing tool.

Here at Lieberman Technologies, we create an account in our own secure file-system for each client, which works similarly to the public file-sharing services, but with additional access restriction tools like automatic time-based account expiration and upload and download notifications.

In Summary

Like it or not, email isn’t going anywhere. Accidental forwards, sending to the wrong recipient, and bad guys doing bad guys things will continue to happen – but through some additional awareness, use of built-in encryption tools and secure third-party services, we can take control of our use of email and prevent our sensitive information from being unintentionally exposed. If you have any additional questions about how to send information securely over email, or need help to implement secure email services at your business, we would be happy to talk with you.
