According to some
phishing statistics, in 2019, an average of 279 billion emails were sent every day. And this number is expected to grow to 347 billion by the end of 2023. Although this includes both consumer and business emails, about 124 billion of the 279 daily emails are business-related. Given the amount of business-related information contained in these emails, these numbers represent a significant potential for data leaks and other cybercrimes.
Indeed, email phishing using under the guise of an encrypted email message is one of the most effective cybercriminal tools. Phishing with email occurs when an unsuspecting user clicks an embedded link and/or opens a seemingly harmless attachment. Because the email looks legitimately encrypted, the cybercriminal gains secret access to your personal data. Worse still, the phish gives the cybercriminal access to other user data that is connected in some way to the first email user.
What makes email connected phishing attacks particularly nefarious is the way some mask themselves as secure encrypted email messages. For example, a user receives an email asking her to reset their online banking password. The message looks official. The user assumes it came encrypted only to discover the message’s true intent. Her bank account’s balance reaches zero.
Incidentally, this brings up the issue of email encryption and what it technically means. While most will probably never think about email encryption, a brief look at its purpose and use are fundamental to protecting your personal data.
Email Encryption’s Purpose and Why it’s Used
Answering the question “what is email encryption?” comes from defining its purpose and why it’s used. As the above introduction alluded to, the purpose of email encryption is the protection of information;
here’s how it works. Consumers need to trust their email communications are protected from cybercriminals. Businesses must have a secure way of communicating with employees and other businesses. Thus, consumers and businesses use email encryption for privacy and to secure sensitive information.
Encryption Using the Public Key Infrastructure
One often-used group of encryption keys is the Public Key Infrastructure (PKI). The sender uses a public key to encrypt the email message. On the receiving end, the user has a private decryption key. Consequently, anyone can use the public encryption key to encrypt a text email. However, only someone with the correct private key could decrypt it. One drawback is, without STARTTLS, services like Gmail would not be able to check email for viruses and malware.
S/MIME and PGP/MIME Encryption Protocols
The two main sets of email encryption protocols are S/MIME (Secure/Multipurpose Internet Mail Extensions) and PGP/MIME (Pretty Good Privacy/Multipurpose Internet Mail Extensions). Apple, Microsoft Outlook, and Google, among others, use S/MIME. It is built into the web-based email infrastructures and uses a centralized authority to choose the encryption algorithm.
PGP/MIME relies on a decentralized trust model. The PGP/MIME protocol was developed to address security issues surrounding plain text messages. This gives a user more flexibility but requires third-party encryption software. Notice one is “secure,” and the other is “pretty good privacy.” This is a critical point that users should consider.
Although Gmail does have “secure” email encryption built into its system, it must be enabled on both ends. If your organization or business uses Google’s email service provider and is trying to figure out
how to send encrypted email in Gmail, consider enabling its S/MIME functionality on both ends. Thankfully, Google does provide detailed instructions on how to do this in its help pages.
Green, Gray, and Red: How to Tell if Your Gmail Message is Encrypted
While enabling S/MIME encryption in Gmail, note the three levels of encryption. Green means the email communication is protected with S/MIME. Gray means the email message’s protection comes from Transport Layer Security (TLS). Consequently, gray only shows up if both sender and receiver have TLS capacities. Finally, red means the email is not encrypted.
Transport Layer Security Protocol
Sending plain text messages over the internet has an inherent security flaw. With the right software and procedures, anyone can intercept the message while it is in transit. To solve this security flaw, the technology sector developed
Transport Layer Security (TLS). This significant development is also used in secure web communications (HTTPS) and has become standard. Consequently, most email servers and service providers support TLS.
The most common use of the TLS protocol is opportunistic TLS. This is an extension added to plain text messages that automatically upgrade it to an encrypted message while it is in transit. This avoids the need to put the message through another portal for encryption. Many protocols use the STARTTLS command, which is like temporary encryption that reverts to the original plain text message. One advantage of this is it can be used regardless of other protocols used, giving users an added level of security. As of 2018, Google reported that 90 % of all incoming and outgoing email traffic used STARTTLS.[i]
What is End-to-End Email Encryption?
Ideally, protection should come from
encrypting information at three points: when it is sent, while it is moving through the internet, and when it is received. This is called end-to-end encryption (E2EE). Although the STARTTLS command can protect email communication while in transit, both the sender and the receiver must have a decryption key.
The Personal Email Certificate
One technology often used for encrypting email is a personal email certificate. This method digitally signs the email message. One benefit is it reduces the number of spam messages sent using your name and email address. Conversely, the digital signature lets recipients know the message came from you and does not contain viruses and/or malware. Personal email certificates are often used with S/MIME protocols.
In closing, anytime you send an email, you should know if it is and will be encrypted at all three points along the email’s journey through cyberspace. Over the course of developing email technology, some standard protocols have emerged. However, there is no one-size-fits-all solution. Although a Gmail user can enable email encryption, this only goes so far. The best solution for your email encryption needs is using a company such as Trustifi, which comes with
many benefits. We offer a complete line of security software choices that protect your sensitive data, including email encryption.
