Sending emails with confidential attachments

dee001

Member
Hello all, I have a customer that is sending emails with attachments containing credit info. I normally advise them to share a link from their Google Drive, but now I see Gmail has encryption. Is this now the best practice for sending confidential attachments by email?
 
If you're not using encrypted email, then encrypt the attachment; that's for certain. If you have to resort to an encrypted ZIP file, then do.
 
So encrypting the email is better than sending the Google Drive link? My concern is that the link can be opened by anyone. Also, does sending it with encryption turned on meet all of the regulations for sending personal information such as credit and Social Security info?
 
Also, does sending it with encryption turned on meet all of the regulations for sending personal information such as credit and Social Security info?

If end-to-end encryption is being used, it would, but it is very seldom that you can be sure that this is the case. If the recipient is, say, using an email client that's outside the end-to-end system, the message will be decrypted when it "jumps out" of that ecosystem during delivery. That's why, if I have to send this sort of content, I encrypt an attachment in which it's contained, then send the password/key for the attachment separately.

You control the encryption on things you encrypt, even if those are being sent via completely unencrypted email afterward. They can't be opened or viewed without the key/password.
 
So encrypting the email is better than sending the Google Drive link? My concern is that the link can be opened by anyone. Also, does sending it with encryption turned on meet all of the regulations for sending personal information such as credit and Social Security info?

You have to look at different methods of encryption.
Some only do "encryption while in transit". That was more popular years ago, when one email server sent to another email server over the "public highways of the internet" and the connection was not often encrypted. But in modern times, >99% of email servers support and use "opportunistic TLS". So from mail server A to mail server B, it's usually encrypted anyway now.

But you can also "password protect" encrypted email, such as with Google's "Confidential" mode, where they request a code to be texted to unlock it. Or, with M365 encrypted email, a similar feature. The code is needed to "unlock" the email. Because, yes, you can be suspicious that the recipient's mail account is not secure, possibly compromised by someone who phished their password years ago and is watching their mailbox.

Yet other 3rd-party providers, such as Proofpoint, give you a middleman account: you log into a web portal, with MFA, to review/send secure emails.
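The "encryption while in transit" point above can be checked after the fact on a message you have actually received: every server that handles mail prepends its own Received: header, and the RFC 3848 "with" keyword (ESMTPS versus plain ESMTP) plus the cipher annotation most MTAs add show whether each hop used TLS. The Go program below is an added example, not code from the thread; the message it parses is constructed, and the host names, function names and regular expressions are assumptions of the example.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// Hop is one Received: header: the sending host, the receiving host, and whether
// the header shows evidence that the connection between them used TLS.
type Hop struct {
	From string
	By   string
	TLS  bool
	Raw  string
}

var (
	fromRe = regexp.MustCompile(`(?i)\bfrom\s+([^\s(;]+)`)
	byRe   = regexp.MustCompile(`(?i)\bby\s+([^\s(;]+)`)
	// RFC 3848 "with" keywords that mean STARTTLS was negotiated, plus the cipher
	// annotations Postfix ("using TLSv1.3"), Exim ("(TLS1.3)") and Gmail ("version=TLS1_3") add.
	tlsRe = regexp.MustCompile(`(?i)\bwith\s+(?:UTF8SMTPSA|UTF8SMTPS|ESMTPSA|ESMTPS)\b|\bTLSv?1[._][0-9]\b|version=TLS`)
)

// Hops parses the Received: trail of a raw RFC 5322 message. Each server prepends
// its own header, so hops[0] is the last server the message reached and the final
// entry is the first relay that handled it.
func Hops(raw string) ([]Hop, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	var hops []Hop
	for _, r := range msg.Header["Received"] {
		h := Hop{Raw: r, TLS: tlsRe.MatchString(r)}
		if m := fromRe.FindStringSubmatch(r); m != nil {
			h.From = m[1]
		}
		if m := byRe.FindStringSubmatch(r); m != nil {
			h.By = m[1]
		}
		hops = append(hops, h)
	}
	return hops, nil
}

// PlaintextHops returns the hops whose Received: header shows no sign of TLS.
func PlaintextHops(hops []Hop) []Hop {
	var plain []Hop
	for _, h := range hops {
		if !h.TLS {
			plain = append(plain, h)
		}
	}
	return plain
}

// SampleMessage is a constructed message, not a real capture: the middle hop was
// relayed with plain ESMTP, the other two with STARTTLS.
const SampleMessage = `Received: from smtp-out.sender-provider.example (smtp-out.sender-provider.example [198.51.100.25])
    by mx.example.net (Postfix) with ESMTPS id 4F1C2A9B2
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
    for <recipient@example.net>; Mon, 1 Jan 2024 10:00:02 +0000 (UTC)
Received: from legacy-relay.example.org (legacy-relay.example.org [192.0.2.10])
    by smtp-out.sender-provider.example with ESMTP id 7b2c9e
    for <recipient@example.net>; Mon, 1 Jan 2024 10:00:01 +0000 (UTC)
Received: from [10.0.0.5] (unknown [203.0.113.7])
    by legacy-relay.example.org (Postfix) with ESMTPSA id 9C8D7E
    for <recipient@example.net>; Mon, 1 Jan 2024 10:00:00 +0000 (UTC)
From: sender@example.org
To: recipient@example.net
Subject: constructed sample

body
`

func main() {
	hops, err := Hops(SampleMessage)
	if err != nil {
		panic(err)
	}
	for i, h := range hops {
		fmt.Printf("hop %d: %s -> %s  tls=%v\n", i, h.From, h.By, h.TLS)
	}
	for _, h := range PlaintextHops(hops) {
		fmt.Printf("WARNING: %s -> %s was not encrypted in transit\n", h.From, h.By)
	}
}
```

Two caveats when reading the result: only the headers written by servers you trust (your own MX, your provider) are reliable evidence, since the sender or any earlier relay can forge the hops below them; and opportunistic TLS is exactly that, so a hop that advertises STARTTLS can still be downgraded to plaintext by an active attacker on the path unless a policy such as MTA-STS or DANE forbids it. That is why the advice in this thread to encrypt the content itself still applies even when every hop shows TLS.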
 
Yet other 3rd-party providers, such as Proofpoint, give you a middleman account: you log into a web portal, with MFA, to review/send secure emails.

Which, at least if you're sending to someone like me, you use as a last resort. This is the most inconvenient method, and it's one that virtually all medical practices now use.

Favor the ones that were mentioned earlier if you have that option.

Also, you have to think about what it is you're trying to protect and the probability of interception in the first place. If you send an unencrypted email with an encrypted attachment, but send the password/key to the recipient using either a different email address or a text message, the probability of that being compromised is quite remote. You're trying to prevent casual snooping and "smash and grab" cyber techniques, not prevent the NSA from seeing something (which they will, anyway, if they're watching you intentionally).
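The approach recommended twice above (encrypt the attachment yourself, send the password/key by a different channel) is shown here as an added example in Go; it is not code from the thread. It seals a file with AES-256-GCM under a key derived from a password with PBKDF2-HMAC-SHA256, generates a random password to phone or text to the recipient, and demonstrates that a wrong password or a single flipped bit anywhere in the file is rejected. The file layout, the function names, the iteration count and the sample data are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base32"
	"errors"
	"fmt"
)

// Assumed file layout: magic(4) | salt(16) | nonce(12) | AES-256-GCM ciphertext+tag.
var magic = []byte("ATT1")

const saltLen, nonceLen, keyLen = 16, 12, 32
const hdrLen, iter = 4 + saltLen + nonceLen, 600_000 // 600k is OWASP's figure for PBKDF2-HMAC-SHA256

// pbkdf2 is PBKDF2 (RFC 8018) over HMAC-SHA256, written out so the example needs nothing outside the standard library.
func pbkdf2(password, salt []byte, rounds, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < dkLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < rounds; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// NewPassword returns a random 24-character password to give the recipient by phone or text, never in the same email as the file.
func NewPassword() string {
	var b [15]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	return base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(b[:])
}

// aead derives the AES-256 key for the salt stored in hdr and returns the GCM instance.
func aead(password, hdr []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2(password, hdr[4:4+saltLen], iter, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under a fresh salt and nonce. The header is passed as GCM additional data, so it cannot be altered undetected either.
func Encrypt(plaintext, password []byte) ([]byte, error) {
	hdr := make([]byte, hdrLen)
	copy(hdr, magic)
	if _, err := rand.Read(hdr[4:]); err != nil {
		return nil, err
	}
	gcm, err := aead(password, hdr)
	if err != nil {
		return nil, err
	}
	return append(hdr, gcm.Seal(nil, hdr[4+saltLen:], plaintext, hdr)...), nil
}

// Decrypt returns the file, or an error if the password is wrong or any byte was modified; the two cases are deliberately not distinguished.
func Decrypt(blob, password []byte) ([]byte, error) {
	if len(blob) < hdrLen+16 || !bytes.Equal(blob[:4], magic) {
		return nil, errors.New("not an encrypted attachment")
	}
	hdr := blob[:hdrLen]
	gcm, err := aead(password, hdr)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, hdr[4+saltLen:], blob[hdrLen:], hdr)
	if err != nil {
		return nil, errors.New("wrong password or tampered file")
	}
	return pt, nil
}

func main() {
	attachment := []byte("constructed sample: applicant SSN and card numbers would be here")
	pw := NewPassword() // give this to the recipient by phone or text, not in the email
	blob, _ := Encrypt(attachment, []byte(pw))
	fmt.Printf("%d bytes -> %d bytes, password to send out of band: %s\n", len(attachment), len(blob), pw)
	_, err := Decrypt(blob, []byte("guess"))
	fmt.Println("wrong password:", err)
	blob[len(blob)-1] ^= 1 // any flipped bit in the file is detected
	_, err = Decrypt(blob, []byte(pw))
	fmt.Println("tampered file:", err)
}
```

In practice the same job is done by 7-Zip's AES-256 option or `gpg --symmetric`, which produce a format the recipient's tools already understand; the one thing to avoid is a ZIP tool's legacy ZipCrypto encryption, which is breakable with known plaintext and is not an adequate substitute. Whatever tool is used, the password's strength is the whole protection once the file is in someone else's mailbox, which is why the example generates one rather than asking for it.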
 
Which, at least if you're sending to someone like me, you use as a last resort. This is the most inconvenient method, and it's one that virtually all medical practices now use.

Agree that added layers of security bring inconvenience.
Some places have/want policies that protect the individual email itself (and its attachments). It isn't their own secure system.
Getting popular with accounting firms, insurance agencies, Realtors/brokers, mortgage services, etc.

Having your identity stolen, or other PI, is much more inconvenient and damaging over many, many years than the couple of minutes it took to create a login at a secure portal.
 
Having your identity stolen, or other PI, is much more inconvenient and damaging over many, many years than the couple of minutes it took to create a login at a secure portal.

Well, I can't argue with that.

But there are easier ways to send this stuff with an equal level of protection as far as I'm concerned. But I've come to accept that however the sending entity wants to send something dictates how I receive it. But when I'm the sending entity, I encrypt attachments that need encrypting, and only those, and send via regular email.
 
That 3rd-party integration isn't an extra layer of security; it's a layer of insecurity, requiring a user to click on a link in an email to facilitate it.

Those notices are commonly fraudulent and sent as part of a scam.
 
That 3rd-party integration isn't an extra layer of security; it's a layer of insecurity, requiring a user to click on a link in an email to facilitate it.

You're right if that's how they present it. But many don't. My doctor's office, for instance, sends out an email message saying you have a new message in the patient portal and that you should log in to the patient portal to retrieve it. They don't give a click-through link to the patient portal as anyone receiving this sort of message should have already signed up/in and have it bookmarked or otherwise noted.

Still a PITA, though.
 
Yeah, but it's also the only secure way to deliver files. There really aren't any great ways to improve this either, unless we unify the world's identity systems. And I really don't want to see Google, Microsoft, or anyone else owning the master keys to everything we all do. As much as I love the way M365 and Azure do all this... It doesn't belong absolutely everywhere.
 
That 3rd-party integration isn't an extra layer of security; it's a layer of insecurity, requiring a user to click on a link in an email to facilitate it.

Those notices are commonly fraudulent and sent as part of a scam.

The "smart" businesses that use these things, do what BriTech mentioned above....educate their clients in what to expect, how to use it,.
 
The "smart" businesses that use these things, do what BriTech mentioned above....educate their clients in what to expect, how to use it,.

And smart end users educate themselves about how to look at a click-through link, down in the lower-left-hand corner of the browser when hovering over it, to see if it even looks legit to begin with.

I do click through on a number of links I get from my service providers in email, after I've looked and seen that the actual link is something I would be entering by hand.
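The hover check described in the last two posts can be written down as rules and run over the HTML of a "you have a new secure message" notification before anyone clicks. The Go program below is an added example, not code from the thread or from any portal vendor; the message body is constructed, and the anchor regex, the two-label domain comparison and the rule set are assumptions of the example. It goes beyond the single check in the post (does the visible text match the real target) to the other things hovering reveals: plain http, a bare IP address, a user@host prefix that moves the real host to the right of the @, and punycode labels.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// Finding records one link whose real target does not match what the reader sees.
type Finding struct {
	Text    string   // what the email displays
	Href    string   // where the click actually goes
	Reasons []string // why it looks suspicious
}

var (
	anchorRe     = regexp.MustCompile(`(?is)<a\s[^>]*href\s*=\s*"([^"]*)"[^>]*>(.*?)</a>`)
	tagRe        = regexp.MustCompile(`(?s)<[^>]+>`)
	domainInText = regexp.MustCompile(`(?i)\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b`)
)

// registrable reduces a host to its last two labels. That is an approximation
// (no public-suffix list), adequate for spotting "portal.example.com.evil.example".
func registrable(host string) string {
	labels := strings.Split(strings.ToLower(host), ".")
	if len(labels) < 2 {
		return strings.ToLower(host)
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// CheckLink applies the tests a careful reader applies when hovering over a link.
func CheckLink(text, href string) Finding {
	f := Finding{Text: text, Href: href}
	u, err := url.Parse(strings.TrimSpace(href))
	if err != nil || u.Host == "" {
		f.Reasons = append(f.Reasons, "href is not an absolute URL")
		return f
	}
	host := strings.ToLower(u.Hostname())
	if u.Scheme != "https" {
		f.Reasons = append(f.Reasons, "not https")
	}
	if u.User != nil {
		f.Reasons = append(f.Reasons, "user@ before the host: the browser actually goes to "+host)
	}
	if net.ParseIP(host) != nil {
		f.Reasons = append(f.Reasons, "bare IP address instead of a hostname")
	}
	if strings.Contains(host, "xn--") {
		f.Reasons = append(f.Reasons, "punycode label, possible look-alike characters")
	}
	if m := domainInText.FindStringSubmatch(text); m != nil && registrable(m[1]) != registrable(host) {
		f.Reasons = append(f.Reasons, fmt.Sprintf("text shows %s but link goes to %s", m[1], host))
	}
	return f
}

// CheckHTML extracts every anchor from an HTML body and returns only the suspicious ones.
func CheckHTML(body string) []Finding {
	var out []Finding
	for _, m := range anchorRe.FindAllStringSubmatch(body, -1) {
		text := strings.TrimSpace(tagRe.ReplaceAllString(m[2], ""))
		if f := CheckLink(text, m[1]); len(f.Reasons) > 0 {
			out = append(out, f)
		}
	}
	return out
}

// SampleBody is a constructed notification email, not a real capture. The first
// link is genuine; the other three each use a different trick.
const SampleBody = `<p>You have a new secure message.</p>
<p><a href="https://portal.example.com/login">https://portal.example.com/login</a></p>
<p><a href="https://portal.example.com.login-verify.example/">portal.example.com</a></p>
<p><a href="http://203.0.113.9/secure">Click here</a> to view it.</p>
<p><a href="https://portal.example.com@evil.example/">https://portal.example.com</a></p>`

func main() {
	for _, f := range CheckHTML(SampleBody) {
		fmt.Printf("%q -> %s\n", f.Text, f.Href)
		for _, r := range f.Reasons {
			fmt.Println("   ", r)
		}
	}
}
```

The checks deliberately stop short of deciding for the user: a link that passes them can still be hostile, and the practice the doctor's office in this thread follows (no link at all, just "log in to the portal you already have bookmarked") removes the question entirely.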
 