Think Before You Send
The Hidden Dangers Lurking in the Emails You Send
“That would never happen to me,” you think, “I would never get scammed by an email.”
Somewhere between 75 and 95% of data security breaches (both personal and corporate) are still the product of some sort of human error. We often think of this as someone being lured into clicking on a bad link that contains some sort of malware, or being talked into sharing sensitive information (like passwords or security codes) by a bad actor looking to steal it. But this isn’t the only way to be scammed in your email inbox.
While we all need to remain vigilant about not being tempted to take the bait, you might be surprised to find out that you’re still engaging in risky behavior even if you aren’t clicking those bad links. The risky behavior we see much more pervasively in our clients, friends, and families often has a much less malicious origin – the convenience and complacency that comes with doing things the easiest way possible with the lowest amount of effort.
A common culprit of convenience-driven cyber security threats is when people share sensitive information or documents by email, or via email attachments.
Almost all of the email errors we report and record each year for the business come from clients sending us secure or confidential information via email. People who would likely never get baited into a phishing scheme do not seem to think twice about sending an unprotected tax return or account statement to us directly over email.
Is email a secure way to communicate?
It depends on your definition of security, and what you’re trying to protect.
While it’s true that most of the major email providers do have higher encryption standards than they did a few years ago, it’s also true that most email still runs through several potential points of vulnerability along its route to its intended recipient.
Think of this like sending a postcard in the mail. Without an envelope, there are multiple points along its route where, even if it doesn’t fall into the wrong hands, the people handling it will be able to read what you wrote to your sister about how fun your trip to Majorca was.
This means you really shouldn’t include anything in your email that you’re not comfortable with people besides the intended recipient seeing.
Email is easy to pass around, and it’s rarely deleted.

Your email account (and the account of the person you’re sending an email to) might have already been infiltrated by bad actors, as many malware attacks on things like email can lie dormant and go undetected for days, if not months. If it hasn’t been infiltrated yet, there’s always the possibility that it could be infiltrated in the future.
Generally, while email security in transit has improved for many providers, once your email lands at its intended destination (or rests for eternity in your sent mailbox), there’s still potential for it to be accessed by bad actors.
Emails, once received, are often archived and rarely deleted.
Additionally, when you send an attachment to someone, they typically download a copy of it, creating another copy of the document you’ve sent that is potentially vulnerable to poor security on their computer. It’s best to think of email and attachments you send to someone as forever in their possession.
If you’re unclear about how good their password protection system is, whether they lock their computer screen when they walk away from it, and/or whether they dispose of their computers and other electronic devices safely and properly when they’ve reached the end of their usable life (for the record, your financial planners here at Sustain Financial always do these things!), you should assume that they could be behaving in a way that puts your documents and your data at risk.
Email mistakes (like sending something to an unintended recipient) account for a large percentage of data breaches.
Non-malicious mistakes, like accidentally sending or forwarding an email to the wrong person, currently still account for somewhere between 16 and 36% of data breaches.
That means that even if your email travels securely to its intended recipient, and even if their inbox and yours are never compromised, and even if they have really good password maintenance habits and always lock their computer screen when they step away, once information or a document is out there circulating by email, it’s possible that just carelessness or moving too fast could land your information in the hands of someone unintended.
The best way to ensure this doesn’t happen?
Keep your sensitive information and your documents with sensitive information (like tax returns and account statements, etc.) out of your inbox.
Email may seem like an easy way to transmit information, but you’re potentially paying a high price for that convenience, and it’s best not to get complacent about it.
What Should You Do If You Need to Share Sensitive Information?

First, always consider whether you need to share sensitive information at all. In some cases, the answer is yes – your tax preparer and your financial advisor do need sensitive information to be able to perform their jobs for you. But there aren’t that many people who should need to know your Social Security or account numbers, or who need a copy of your W2, 1040, or account statements.
Remember, once you share this information, you are no longer in charge of how secure it is.
You may be great at keeping your computer screen locked and your email access password protected at all times, but if you send an email to someone who routinely leaves their screen unlocked or their email logged in all the time, you may be giving access to their grandkids or housecleaner for all you know.
For professionals who do need this information (for example, we cannot open or manage accounts for clients without their account statements, their Social Security number, and driver’s license numbers), it’s always best to reach out to the professional and ask them how they prefer you to share sensitive documents and information. Anyone who works in an industry that routinely needs access to sensitive documents should have a secure way for you to share them and should be able to provide you with it.
Take the extra time to ask.
I think sometimes our clients forget how to share documents with us securely and feel like they might not want to bug us to ask. But ultimately, it’s MORE of an inconvenience if they just send these documents or information over email. In those cases, we must then send them a correction verbally or via email reminding them about proper procedure, as well as log their email in an error log on our end, including how we addressed the issue. Any professional who cares about the security of their clients’ docs (and legally, we’re all required to) should have no issue directing you to the secured method of sharing documents or information, no matter how many times you need to ask.
Finally – consider implementing a new habit. We love that most of your email accounts routinely warn you to stop before opening or downloading attachments from potentially bad actors. But we wish they also had a pop-up screen before you hit send that said “Email isn’t a safe way to share sensitive information. Are you sure this email and its attachment don’t contain sensitive information that could be used in identity theft?”
Since our email accounts don’t yet do this for us, try to get yourself in the habit of asking this question before you hit send.

