SECURITY RULES FOR EMAIL

EMAIL SECURITY PRIMER

What is email? Email is the equivalent of a postcard in the mail.

Much like a postcard in the mail1, email is not guaranteed to be private or secure in any capacity.

EMAIL IS NOT SECURE

You must assume:

  • Anybody can read anything you send or receive
    • Your email communications are not private. Assume email is like communicating by sticking postcards on the recipient’s door.

EMAIL DOES NOT VERIFY IDENTITY

You must assume:

  • Anybody can set any From address
    • example: anybody can send you a postcard saying “From Your Uncle Bob, Please Send $50,000. It’s an emergency.”
  • Even if the From address is correct, you need to check the To address when you begin a reply.
    • email has two reply targets and the sender controls both. If sender sets a Reply-To field, then From address is not the address where your reply goes. Verifying the From address alone is not enough it guarantee your reply will not be exfiltrated.

EMAIL IS NOT CONFIDENTIAL

You must assume:

  • Anything you send will be made public.
    • Have you seen someone reply-all by mistake? Ever received a confidential forward not intended for you? The only way to stop information leakage is to not send information in the first place.
    • Even if the From address and Reply-To addresses are okay, assume you send to can (andwill) make a mistake of re-forwarding your confidential message/attachment/data on to unauthorized people by mistake.
    • Even if no mistakes happen by accidentally publishing or forwarding an email, your entire email database could be compromised, as we’ve seen with Sony“Hacking” Team, and Syrian interests. Or, maybe your organization falls under legal compliance/discovery and you end up needing to release your entire email archive to the public.
    • The only way data can be safe is to not send it over email in the first place. There are no takebacks when using email2.

EMAIL SECURITY PRACTICES

Before you act on any email, you must:

  • verify the email — STEADY
    • is the email from who you think it’s from? is it hacked? is it spoofed?
  • verify the request — ALMOST
    • does the person asking for data/actions/help have permission to access what they are requesting?
  • consider a reply — NOPE
    • does it make sense to reply? should the request be going through other channels?

FIRST: VERIFY THE EMAIL

How do you tell if an email is legitimate? Stay STEADY.

  • s — style / syntax

    • Is an email sent from your American manager, but it sounds like it’s written by someone who doesn’t speak English well?
    • Does an email use awkward phrasing like “I need you send me in PDF file type?”
    • This test can be less relevant in a multi-lingual organization where either the originator of a message and/or the recipient of a message aren’t familiar with a common set of grammar rules.
  • t — time

    • Did you receive an email at an unexpected time? 3 a.m. on a Saturday? On a Tuesday when you know the sender is on vacation for a week? Is the message asking for immediate, ASAP, RIGHT NOW, urgent data even though the employee has been out sick for a month and won’t be back for another two weeks?
    • Just because an email says “ASAP” or “URGENT” or “I AM YOUR BOSS. DO THIS NOW.” does not mean an email has any more legitimacy than a stranger on a street telling you they are your boss, do as they say right now.
    • Don’t be tricked into time pressure for violating data safety practices.
  • e — envelope

    • You must assume email works like regular hand written postal mail.
    • With postal mail, anybody can write any From address on any envelope and send it to you. The same goes for email. Just because the From address looks familiar does not guarantee the message is genuine or authentic.
    • Even if all the addresses check out, but the request is still weird, you can’t be certain the sender’s account or computer isn’t compromised by a hostile actor. Never trust, always verify.
  • a — access

    • Is an email asking for something unusual? Why is an email asking you to do this? Are you the regular person who handles requests like this? Is this even a standard request or a one off special circumstance you’ve never seen before?
    • If the person asking for data already has access, why are they asking you? Are they trying to circumvent access controls or their own locked out permissions?
  • d — data

    • Is an email asking for personal data or confidential records? Why does the person asking need the information?
    • Just because someone is above you in an org chart does not mean they automatically have rights to all information you have. The CEO of your company should never have direct access to export all employee personal records just because they request it.
  • y — you

    • It all comes back to you. Why did you get this message? Should it have gone to somebody higher up? Somebody in another department? Are you able to complete the request, but it isn’t actually your job?

SECOND: VERIFY THE REQUEST

Now you’re ready to ALMOST do what an email asks of you. Begin to verify the request.

  • A — ACTUALLY

    • Are you the right person for this request? Don’t go out of your way to compromise information. Should you just reply “Actually, I can’t do this and I’m including our security officer here to verify this is a valid request. Have a nice day.”
  • L — LATER

    • Everything can wait. Don’t let a sense of urgency trick you into compromising private information. If an email demands ASAP and RIGHT NOW time frames for circumstances you’re unaware of, don’t let scary words of immediacy drop your security mindset.
  • M — MAYBE

    • Are you not sure? Ask. There are no takebacks in email.
    • If an email sounds strange or includes unusual requests, contact an authorized authority figure in person to verify the request. Once you begin receiving strange emails, you must consider your entire email system could be compromised, so attempting to conduct further verification/confirmation over email would not be valid.
  • O — OFFLINE

    • Should you be delivering this information offline? Should you be delivering a link to the data that’ll exist behind the company’s two-factor auth system instead of just copying the corporate quickbooks file into an email?
    • Even if you do send a “secure link” instead of an attachment, there is no way to verify the receiver’s entire computer isn’t compromised and any data you send may leak anyway.
    • Only send data the receiver is authorized to own and copy and release without your permission. Once someone has a copy of data, you can’t stop them from sending it to others.
    • Always be willing to provide more secure results outside of the original communications channel.
  • S — SENSITIVE

    • Is the requested information sensitive? Why is it sensitive? Why the person asking you and not someone else?
    • Are you the right person to deliver this information or are you just perceived as a weak and easily persuaded target for scammers?
  • T — TALK

    • Email isn’t the only way we communicate. If you have any problems with unexpected electronic requests, talk to one or more people over non-email to verify the request. If your email channels are compromised, you can’t accept a verification over email because the emails are coming from inside the house.

THIRD: DECIDE ABOUT REPLYING

If anything feels wrong, you always have the right to NOPE. You have the right (and obligation) to refuse any email request until you verify you will not personally be held responsible for any damages or losses incurred by improper use of any information you provide in a reply.

  • N – NO

    • If you feel something is wrong, don’t be pressured just because an email looks like it’s from a “higher up” or because an email itself says it’s “urgent.”
    • A fraudulent email can be sent from any account. Given an unusual requests, you must verify through non-email channels what exactly is going on.
    • Always be willing to reject any request even if it just sounds strange.
  • O – OUTSIDERS

    • Assume any email you send will be intercepted by outsiders. Are you okay with what you’re about to send (including attachments) being put on public display?
    • Could what you’re sending be damaging to the company or to the personal lives of employees if it gets released for anybody to download? If so, consider not sending highly private information over email. Use more secure channels with less easy mass-duplication possibilities.
  • P – PEOPLE

    • Verify unusual or unexpected requests with people in person.
    • Do not reply to questionable emails to confirm requests. If a request is questionable, an entire email account may be compromised and under an attacker’s control. The owner’s entire computer may even be hijacked by remote tools. You must verify odd requests with people in a non-anonymous, non-text-only capacity.
    • Don’t make mistakes easily avoidable with actual human communication.
  • E – ETERNITY

    • Once you send an email, you can’t take it back. Assume any email you send will be copied and forwarded internally and externally. Are you sure you want to send that email?
    • If you send confidential information, assume your recipient is slightly incompetent and may also forward the message by mistake. Are you okay with the CEO forwarding all company salary data in an attached.xls file to a reporter by mistake? If not, don’t send the information over email.

TECHNOLOGY IS NOT THE ANSWER

Using current commonly accepted email practices, no automated system can verify the personal source of an email or even where your reply will go3. You must always exercise your own judgment.

QUICK EXAMPLE

If you receive this email4, what do you do?

Date: Sat,  2 Apr 2016 03:07:01 -0700 (PDT)
From: [Your Actual CEO's Name] 
To: [Your exact name]

I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, 
I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.

STEADY

Style? It just sounds wrong. First, it starts with “I want you to send me…” — emails should never start that way unless the sender is incompetent5. Second, “the list of W-2 copy of” is awful wording. Third, “wage and tax statements” is awkward wording. Forth, “I need them in PDF file type” is awkward wording. Fifth, “send it as an attachment” is trying to coerce your actions and short circuit your judgment to their benefit instead of using perhaps more proper internal tools for transferring sensitive data. Sixth, “kindly prepare” is awkward wording. Seventh, “asap” is an attempt to have you fold to time pressure and not consider why this request even exists.

Time? This message was sent at 3am pacific time on a Saturday. Is that reasonable? Let’s also assume you know the sender is also on leave from work for a few weeks. That’s a big red flag right there. You already have more than one reason to ignore this request and seek other sources of validation.

Envelope? The From address looks fine here, right? Does it? Did you notice yourcompany.com is actuallycompanaay.com? Most email platforms these days intentionally hide real email addresses in favor of only showing sender names6, so you need to dig deeper beyond just the name to figure out all the details. Plus, we haven’t yet seen if there’s a completely different Reply-To address yet.

Access? Why does your CEO need access to all employee records as files? Under no circumstance should your CEO be walking around with all employee confidential records on their person7. That’s reason enough to reject the request right there without obtaining a documented personal liability waver.

Data? How private or confidential is the requested data here? Very. Meaning: you must be extra cautious with how you analyze and handle this request.

You? At this point, you’ve already discovered this email isn’t quite right.

ALMOST

Actually? Now it’s your responsibility to inform the sender “Actually, giving this information to you would be a breach of professional data safety responsibility practices. I’ll need in-person authorization and a waver if you need this handed over.”8

Later? Ignore the “asap” — do not give in to false time pressure.

Maybe? Either ask the sender in person/phone or find someone higher up to vouch for the request and absolve you of personal liability—in writing—if the requested data is misused.

Offline? Confirm the situation offline. Since the original email is already strange, don’t trust email for further authorization. Imagine if instead of “reply by email attachment asap,” this email said “print all these records and mail them to the anonymous PO BOX listed below.” Would you still blindly follow orders of an already questionable email?

Sensitive? The data requested here is highly sensitive and can expose your company to tens or hundreds of millions of dollars in liability. This isn’t a “sign Carl’s birthday card” email reminder.

NOPE

Outsiders? How bad would it be if “the list of W-2 copy of employees wage and tax statement for 2015” ended up going to someone outside the company? It would be a disaster. Do not voluntarily participate in disasters, even if you are being coerced by rank or false time pressure.

People? Have you verified this in person over a non-electronic, non-text interface?

Eternity? How bad would it be if you made a mistake and, by mistake, typo’d/auto-complete’d the response to an external email list or to a wider company reply-all group? How bad would it be if, after you sent the data, it got re-forwarded somewhere else by mistake? The even outside chance of confidential data leaking is dangerous enough for you to never ever entertain sending this kind of requested data over email.

CONCLUSION

Email is awful.

Even though email is awful, that’s no excuse for not knowing how to mitigate email attacks targeted directly at you.

Email was not designed with modern active threat models in mind, and scammers know it. Scammers also know non-technical people aren’t “trained in email” and don’t know secrets of email like “anybody can set any name” or From is not Reply-To.

You must always use your own judgment regardless of what you think the source of an email is. Even if everything in an email looks okay but the request sounds strange, there is always the possibility somebody’s entire email account is compromised and under the control of not-the-owner.

Only by using your individual judgment, life experience, and knowledge of people you communicate with, can you stop email privacy disasters from happening over and over again in the future.


  1. Without the federal legal protections against non-receiver opening or mail fraud
  2. Why can’t automated systems help us here? There’s always the possibility the sender’s entire email account or computer has been stolen/hijacked and every reply will be intercepted by third parties. Encryption doesn’t help. Two factor authentication isn’t a safety guarantee if the system is infiltrated. Only your judgment and strength against blindingly following any request just because it has a powerful From address can save your interests.If your email system allowed senders to physically verify their emails using a U2F device, then you could be sure the sent email is valid, but you still must assume any reply you send can be intercepted by third parties. You can never assume the competence or security of a remote system when replying using email. Even with receiving a signed email, you still can not be certain extremely outlying requests are not being coerced or monitored.
  3. This exact email has successfully tricked employees into voluntarily sending private company details to anonymous third parties.
  4. Detecting phishing on iOS Mail is a pain because in an effort at Extreme User Friendliness, Apple hides all headers and email addresses in all messages.
  5. This is also ignoring an entirely different topic: why does one person in your company have access to mass-export private data with no logging, flags, or auditing?
  6. If you inform the sender over email, since this is a strange request, you should delete the automatic To address your email client creates for the reply. You should manually type a known-good email address for who you think the sender is. You don’t want to make a mistake of replying to a scammer in any capacity, even if it’s just a rejection.