Are Email Attachments Secure?

No, they aren't, but it's good to get a proper explanation as to why


Jamie Robinson

Founder of Mashoom and a mechanical engineer. Passions include teaching, questioning the status-quo and working too hard.


Before getting into the flaws of email attachments, we should first take a few steps back to look at how emails came to exist. They were first born in the 70s, and back then what people expected from them was much less than today. At this time the internet was a bright new world where we would all hold hands and get along. To put it into perspective, the first computer virus found in the wild was in 1981, and it was the 90s before viruses started to be seen as a real and everyday threat.

Due to this history, the base concept of email is both simple and not designed for today's level of cyber security. It's easy to say "it should have been" in hindsight, but people thought the whole internet was a fad not too long ago.

They Are A Gateway For Bad Stuff

So, here is the first fundamental issue: an email is downloaded, often along with its attachments, before you have previewed it. There are exceptions to this: most modern email clients don't do this for emails marked as spam, and you could choose to access your email only through a browser. However, as will become a familiar theme on this topic, these improve the situation in some cases but don't guarantee a solution.

This means that anyone can send you an attachment and often it will be saved onto your computer's hard drive. At this point you have broken an important line of defence in your cyber security; dodgy files shouldn't be on your computer in the first place! You are then relying on your operating system and / or anti-virus software to detect and clear up that attachment, or on some other second line of defence.

They Are Not Encrypted

The above isn't great, but unfortunately we are not finished; emails are not encrypted by default. Again, this goes back to the history: HTTPS (the de facto standard for securing internet communications) was invented in 1994, ~20 years after email. This means that legitimate email attachments could be intercepted or forged, so a sensitive attachment could fall into the wrong hands, or an attachment from a trusted sender could even be replaced with a virus.

It would be unfair not to expand on the word "could" in the above; most emails are encrypted in transit. The issue is that whilst things are improving there is still a big risk. Both the sender's and the receiver's email servers must have encryption enabled and working correctly; it takes two to tango!

Encryption is used where possible, but as standard an email will be sent or received without encryption if it isn't available. There are a few email services that allow you to enforce an encrypted connection, but the vast majority don't offer this, as you probably still want to be able to communicate with someone even if they haven't set up encryption. It's also not quite this simple; encryption methods become flawed over time as advancements are made in computing power, so there is actually a sliding scale as to what is acceptable vs completely secure.

So unless you have a funky setup, you don't know that you're receiving from a secured server, nor whether you are sending to one; you have no way of checking or enforcing a secure connection.

Big Files Kill Inboxes

This is slightly off topic from security but it's worth a mention. We have all been there: the lights dim, your computer's internet connection dies and after a long while you realise it's because some nutter is trying to send you 4Gb of video via an attachment. Again, emails were invented when 1Mb was big, and whilst the grunt of a modern computer and internet connection can make do, it certainly isn't ideal.

Apart from anything else, email inbox storage space is very expensive to use as file storage. Think of the data costs for the phones that attempt to download the attachment as well!

They Can Be Used to Track You

This is a classic trick used by pretty much every email marketing campaign and most notifications from online platforms. An image attachment points to a URL, let's say "www.mashoom.co.uk/emailAttach.jpg?trackID=XXX", but notice the last part, which is unique for every email that is sent. When the email arrives, the attachments are fetched by the client, and in doing so the server can log the ID whilst providing the attachment.

This provides a metric that loosely lets the sender know who is opening their emails, albeit as explained previously, it's not a clear picture when an attachment is fetched.

For the sake of interest, we don't do this at Mashoom. We embed our images into the email; our emails are a bit bigger as a result but they always open nicely and we can't track you. The base email standard dictates that a notification is returned if emails can't be delivered, so we don't really see the need to collect even more information about our users.
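To see the difference between a remotely fetched image and an embedded one in an actual message, the following added example (not Mashoom's code) lists every image an HTML email would make the client fetch, along with the per-recipient query parameters, and separately lists the embedded ones. The sample message, the host `tracker.example` and the function names are constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

class _ImgCollector(HTMLParser):
    """Collects the src attribute of every <img> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "img" and src:
            self.sources.append(src)

def classify_images(raw_message):
    """Return (remote, embedded).

    remote:   [(url, {query params})] images the client must fetch from a server
    embedded: [src] images carried inside the email itself (cid: or data:)
    """
    msg = message_from_string(raw_message, policy=policy.default)
    remote, embedded = [], []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _ImgCollector()
        collector.feed(part.get_content())
        for src in collector.sources:
            url = urlsplit(src)
            if url.scheme in ("http", "https"):
                remote.append((src, dict(parse_qsl(url.query))))
            elif url.scheme in ("cid", "data"):
                embedded.append(src)
    return remote, embedded

def build_sample():
    """Constructed message with one remote image and one embedded image."""
    msg = EmailMessage()
    msg["Subject"] = "Constructed sample"
    msg.set_content("Plain text fallback")
    msg.add_alternative(
        '<html><body><img src="https://tracker.example/pixel.jpg?trackID=abc123">'
        '<img src="cid:logo@example"></body></html>', subtype="html")
    return msg.as_string()

if __name__ == "__main__":
    print(classify_images(build_sample()))
```

A remote image whose query string differs for every recipient is the pattern described above; a `cid:` reference never leaves the message, so there is nothing for a server to log.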

OK, What Is The Solution?

Firstly, don't send them. Then, if someone sends you an attachment, simply reply saying "I don't trust attachments, please send me this via another means"; read on!

Mashoom has built something precisely for both these scenarios. Our Share module allows files to be transferred securely whilst still utilizing the ease and simplicity of email. Files are uploaded to Mashoom, then a unique link to those files is sent to one or more recipients of your choosing via email. The recipient clicks the link and the files are downloaded without any signup or further input.

Mashoom enforces that strong encryption is used in transit, therefore you can guarantee your files will be delivered unaltered. The recipient actively chooses when to download it and it arrives in their downloads folder; no dead inbox or mobile data connection!

We also provide a solution for when you want to enable someone to send files back to you; our file sharing portals. Very simply, you can send an email that allows the recipient to upload and send files back to you in the same way as above. No sign up required by them; one click to open the link, select the file(s), then one click to send them.

What if people try to send me dodgy stuff? How do my recipients know I'm sending them trustworthy content? Easy; Mashoom can virus scan all files that are sent, and we let the receiver know in their email. In addition to this we employ a range of methods to stop our emails being forged; if someone receives a Mashoom email saying they are being sent virus scanned files, they can be confident it's safe.

As a small note to corporate readers: if you have an IT service provider of any sort, or even the means to configure your email server, you can strip attachments from inbound emails and prevent them being sent. This removes the threat for your organization, rather than spending big money on virus scanning etc. as a second line of defence. The above solution provides a workable method to make this work; we have clients who are happily set up like this.
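What stripping attachments means at the message level is shown in this added example, which is not Mashoom's code or any particular mail server's feature. It assumes a policy of removing declared attachments and any non-text part that is not an embedded inline image; the `X-Attachments-Removed` header name and the sample message are hypothetical.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

def _unwanted(part):
    """Assumed policy: drop declared attachments and any non-text leaf
    that is not an embedded (Content-ID referenced) inline part."""
    if part.is_attachment():
        return True
    return part.get_content_maintype() != "text" and part["Content-ID"] is None

def _prune(part, removed):
    """Rebuild a multipart container without its unwanted leaves."""
    kept = []
    for child in part.iter_parts():
        if child.is_multipart():
            _prune(child, removed)
            kept.append(child)
        elif _unwanted(child):
            removed.append(child.get_filename() or child.get_content_type())
        else:
            kept.append(child)
    part.set_payload(kept)

def strip_attachments(raw_bytes):
    """Return (cleaned EmailMessage, names of the removed parts)."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    removed = []
    if msg.is_multipart():
        _prune(msg, removed)
    elif _unwanted(msg):  # the whole message body is a single file
        removed.append(msg.get_filename() or msg.get_content_type())
        msg.clear_content()
        msg.set_content("[attachment removed by mail policy]")
    if removed:
        # Hypothetical header so the recipient can see what was dropped.
        msg["X-Attachments-Removed"] = ", ".join(removed)
    return msg, removed

def build_sample():
    """Constructed message: text, HTML with embedded logo, one PDF attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "a@example.com", "b@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    msg.add_alternative('<img src="cid:logo@example">', subtype="html")
    msg.get_payload()[1].add_related(b"\x89PNG constructed", maintype="image",
                                     subtype="png", cid="<logo@example>")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()
```

The embedded logo survives because it carries a Content-ID and is referenced from the HTML body, while the PDF is dropped and named in the added header.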

The Conclusion

Many, many attempts have been made to replace emails, for the reasons above and others worthy of more blog articles. Emails will always have one foot in the past and by their nature it's difficult to see how they will be completely upgraded. On the other hand, everyone has them; they are by far the most standard way to communicate on the internet.

So, until the world moves on to something better (never say never), the biggest issue / risk by far is attachments. Therefore, to keep yourself safe, I would advise looking at ways to reduce or remove them from your inbox and, of course, check out Mashoom whilst you are looking around for solutions 😄