Email as such is not more dangerous than other services used on the internet, but some aspects put this statement into perspective. While other services are increasingly dominated by big internet companies that are able to protect their business, email is a decentralized technique, as the whole internet was in the beginning. Furthermore, users have built myths around email, mostly inspired by analogies with the good old postal service, which leads to the same results but is protected by law and tradition. The internet and its TCP/IP protocols form a highly failsafe, non-centralized infrastructure which is, on the other hand, highly vulnerable: nothing in the basic mail protocols authenticates the sender or protects the content in transit. These myths, or simply a lack of knowledge, lead to a high degree of carelessness. As contents communicated by email are mostly more sensitive than contents communicated within messaging services or chats, it is astonishing that apparently nobody, or just a few unheard people, campaign for email security. But, and this is for you: the use of email requires caution, the more so if you forgo any security measures.
In the field of email, the following perils may face you (the list is surely not complete):
- Confidential messages (any message that, if published, would violate the privacy of third parties) might be spied on. A secret service or criminals might read the messages in transit on the internet. The same actors, visitors or members of your family might access your email archive. Your computer may be stolen, or you may leave it on the train. Not least, your email account may be secured insufficiently, e.g. by a password that is too simple.
- Messages can be fake. As explained in the section "Email", the header of a mail is not reliable information for judging the trustworthiness of a message. The sender may be faked like any other header entry. It is even possible, and not difficult, to manipulate serious messages like newsletters: criminals just have to alter the "To:" entry and replace the targets of some attractive links, e.g. with a web page that automatically pushes malicious software. Most criminals are not yet skilled enough to use these possibilities, but that will change. Today you usually have to invoke malicious content yourself by clicking on a link or opening an attached file, so today it is not a completely wrong statement that caution helps.
- Messages could be embezzled (leaked), e.g. by employees who feel unjustly treated or simply want to profit from selling data.
How should we face these perils?
- Confidentiality. Messages encrypted by the sender are confidential: only the recipient whose key was used for encryption can read them. But recipients often dissolve this confidentiality by archiving the decrypted message, by replying with the quoted original unencrypted, or by forwarding the decrypted message. Confidentiality requires consistent encryption: replies must be encrypted, forwarding requires fresh encryption with the key of the new recipient, and archived messages should be kept encrypted.
- Account hijacking. If somebody succeeds in accessing your email account, he can read every message held on the server, and you will usually not notice it. Furthermore he can send mail from this account and request password resets for other services registered to that address. Choose a password that is long, not simple and not an existing word. Mixing upper case and lower case characters, digits and special characters helps, but length and uniqueness matter more. In the medium term we should protect email accounts by cryptographic techniques (client certificates); where your provider offers a second factor for login, enable it. Often it is very easy to obtain access to email accounts: mostly login requires only the email address and a password. If you use a simple password like your partner's name or the name of your dog, guessing it is child's play. Be aware that social engineering is a growing technique of attackers, especially if the target is a prominent person, a big company or a governmental institution. Many email providers log failed login attempts and may warn you, but do not rely on that.
It is convenient to always use the same password, as many web pages require one. You should exempt your email account from this practice. Ask yourself which information an attacker would gain if he succeeded.
- Fakes, disinformation, malicious software like viruses or trojans. As the email header is not reliable information, you have to be careful. Email providers use software to detect such malicious messages; if you run your own mail server, you should protect it with a spam filter such as SpamAssassin. As senders of malicious email change their servers periodically, none of these measures ensures hundred-percent protection.
Most email clients show the display name of the sender but not the email address from the header. If you get a mail from "Barcleys Security <firstname.lastname@example.org>", the mail client shows only "Barcleys Security" as the sender. Neither the display name nor the address proves anything, since both are chosen by whoever sent the mail; still, configure your client to show the full address and look at the domain rather than the name. This transparency helps today; in future, headers will be faked completely, including plausible addresses. If you are not sure about the identity of the sender, do not reply to the mail to ask for confirmation: the reply goes to whatever "Reply-To:" address the sender has set, so a forger simply confirms his own fake, and your reply tells him that your address is live. Contact the supposed sender through a channel you already know instead, e.g. a phone number from an earlier contract, or type the organisation's web address yourself.
There is only one real way out of this quandary: sign your mails (S/MIME or OpenPGP) and accept only signed mails. Domain-level checks such as SPF, DKIM and DMARC let the receiving server reject some forged sender domains, but they say nothing about the person behind an address. Today this escape is not practicable, as nearly nobody uses the required techniques.
Links. One of the methods of distributing malicious software is links to web pages. Use an email client that shows the real target of a link (e.g. when you hover over it) and compare it with the text of the link. Whether you trust the address shown is your decision.
Attachments. Malicious software may be hidden in attachments. Do not open an attachment directly from your email client; if you believe you know the sender, save it and check it with a virus scanner first, and be especially wary of executables, scripts and office documents with macros. Attachments from unknown senders should be deleted at once.
- Embezzlement (leaks). There are fewer measures against leaks. The most promising one is traceability of the workflow: if you know which persons handled a message, you can proceed against them. The best measure is to sign every message consistently.
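The "Confidentiality" item above describes a discipline rather than a tool: reply and forward must re-encrypt, and the archive must hold ciphertext. The following added example (not part of the original page) models that discipline in Python with only the standard library. The cipher is a stand-in for OpenPGP or S/MIME (an HMAC-SHA256 keystream with encrypt-then-MAC), each mailbox has a single secret key where a real system would use the recipient's public key, and the names, keys and message texts are constructed for the demo.

```python
"""Encrypt / reply / forward / archive workflow from the Confidentiality
item.  Added example: a stdlib stand-in for OpenPGP/S-MIME, one secret key
per mailbox, all names/keys/texts constructed for the demo."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for encryption and authentication, derived from one secret.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream: HMAC(key, nonce || counter) blocks.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag; only the holder of `key` can read it."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag first; a wrong key raises instead of yielding garbage."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered message")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


# One secret key per mailbox (constructed for the demo).
KEYS = {name: secrets.token_bytes(32) for name in ("alice", "bob", "carol")}


def send(recipient: str, text: str) -> bytes:
    """What leaves the sender, and what both sides archive: ciphertext only."""
    return encrypt(KEYS[recipient], text.encode())


def read(me: str, blob: bytes) -> str:
    return decrypt(KEYS[me], blob).decode()


def can_read(who: str, blob: bytes) -> bool:
    try:
        read(who, blob)
        return True
    except ValueError:
        return False


def reply(me: str, original_sender: str, blob: bytes, text: str) -> bytes:
    """Quote the original inside the reply and encrypt the whole reply again
    for the original sender, so the quoted text never travels in clear."""
    quoted = "\n".join("> " + line for line in read(me, blob).splitlines())
    return send(original_sender, text + "\n\n" + quoted)


def forward(me: str, new_recipient: str, blob: bytes) -> bytes:
    """Forwarding = decrypt with my key, encrypt afresh with the new recipient's
    key.  Passing `blob` on unchanged would leave the new recipient unable to read it."""
    return send(new_recipient, "---- Forwarded message ----\n" + read(me, blob))


if __name__ == "__main__":
    original = send("bob", "Contract draft v3: price 1.2 M")
    print("Bob reads:", read("bob", original))
    print("Carol can read Bob's copy as-is:", can_read("carol", original))
    print("Carol reads forwarded:", read("carol", forward("bob", "carol", original)))
    print("Alice reads reply:", read("alice", reply("bob", "alice", original, "Agreed.")))
```

Note that with a public-key system the sender would additionally encrypt each outgoing message to his own key so that his archived copy stays readable to him; the toy above keeps the archive as ciphertext for the recipient only.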
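The advice in the "Fakes", "Links" and "Attachments" items above (look at the address behind the display name, compare link text with link target, check attachment names before opening anything) can be applied mechanically to a raw mail. The following added example, not from the original page, does exactly that with the Python standard library. Both sample mails are constructed for the demo using RFC 2606 example domains; the display-name heuristic and the list of risky extensions are the author's choices, not a standard.

```python
"""Inspect a raw mail for the signs discussed in the text: display name vs.
sender address, diverging Reply-To, link text vs. link target, risky
attachment names.  Added example; sample mails are constructed."""
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that run code when opened (author's list, not exhaustive).
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".lnk", ".docm", ".xlsm"}

SUSPICIOUS = b"""From: "Barcleys Security" <firstname.lastname@example.org>
Reply-To: security-desk@example.net
To: victim@example.com
Subject: Your account has been locked
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear customer, please confirm at
<a href="http://login.example.net/verify">https://www.barcleys.example/secure</a>
or open the attached form.</p>
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

CLEAN = b"""From: Example Shop <news@shop.example>
To: victim@example.com
Subject: Your order
Content-Type: text/plain; charset="utf-8"

Your order has been shipped.
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def inspect(raw: bytes) -> list[str]:
    """Returns human-readable findings; an empty list means nothing stood out."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. The display name is free text; does it relate to the address domain at all?
    name, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rpartition("@")[2].lower()
    words = [w.lower() for w in re.findall(r"[A-Za-z]{4,}", name)]
    if words and not any(w in domain for w in words):
        findings.append(f"display name '{name}' has nothing in common with sender domain '{domain}'")

    # 2. A reply would go to Reply-To, not to the address you see.
    reply_to = parseaddr(str(msg["Reply-To"] or ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To '{reply_to}' differs from From '{addr}'")

    # 3. Link text that looks like a URL but points somewhere else.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        lc = LinkCollector()
        lc.feed(body.get_content())
        for href, text in lc.links:
            shown = host(text) if text.startswith(("http://", "https://")) else ""
            if shown and shown != host(href):
                findings.append(f"link text shows '{shown}' but points to '{host(href)}'")

    # 4. Attachment names: executable or double extensions; hash for scanning.
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        ext = "." + fname.rsplit(".", 1)[1].lower() if "." in fname else ""
        digest = hashlib.sha256(part.get_content()).hexdigest()
        if ext in RISKY_EXT:
            findings.append(f"attachment '{fname}' has executable extension {ext} (sha256 {digest})")
        if fname.count(".") >= 2:
            findings.append(f"attachment '{fname}' uses a double extension")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(label, inspect(raw) or ["nothing stood out"])
```

The script reads only the HTML part for links; plain-text mails show their URLs verbatim anyway. The sha256 of each attachment is what you would hand to a scanner instead of opening the file.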