Welcome to the Insecure Email Wall of Shame. What we're about to show you is a real email. From this week. Sent from a bank to a client.
We're in a world where email accounts get compromised all the time (credential stuffing, for example), and there's no telling whether the sender or the receiver has laptops, tablets, and phones sitting around unlocked. And we'll bet anything communicated on this email chain remains in the sender's Sent Items folder, and possibly in the receiver's Inbox, for decades. Did we mention there was an unrelated party on cc?
This is not where you want your sensitive personal information sitting for all time, while present and future attackers keep trying to get into those email accounts.
Without further ado, we give you our newest nominee for the Insecure Email Wall of Shame:
Before we move further into what's wrong with this email, let me just reiterate that this is a real email from a real financial institution, this week. Not a phishing scam. Not an email from the 1990s. A real, current email from a financial institution.
Here are the top reasons why we are nominating this message for our Insecure Email Wall of Shame:
If you work for a financial institution, please don't follow any of the insecure email practices observed in this wall of shame nomination.
We've talked about secure email before. If you must exchange confidential or personal information with someone you primarily communicate with via email, make it an authenticated email like the one we demonstrated in this video about sending medical information. Or place a file on an authenticated share, like a Google Drive folder with permissions locked down so that only you and the recipient can access it. It's not that hard, and it's for the safety of all involved.
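As an added example (not code from the original post or from any institution it describes), here is a small Python pre-send check that a financial institution could run on outgoing mail before it leaves the building: it parses a constructed sample message, flags the kinds of sensitive data this nominee carried in plain text (SSN, card and account numbers, date of birth, passwords), and lists any cc recipients outside the sender's own domain so the "unrelated party on cc" problem gets a second look. The allowed domain, the patterns, and both sample messages are assumptions for illustration; the patterns are a starting point, not a complete catalogue of personal data.

```python
"""Pre-send check for sensitive data in outgoing e-mail (added example, not
from the original post). The allowed domain, the patterns and the sample
messages are assumed for illustration; the patterns are not a full catalogue."""
import re
from email import message_from_string
from email.utils import getaddresses

# Assumption: the sending institution's own domain(s). Anyone on Cc outside
# these is reported so the sender has to think about who is copied.
ALLOWED_DOMAINS = {"example-bank.com"}

# Indicative patterns for data that should never ride in plain e-mail. Keyword
# anchoring keeps the looser ones from firing on every number in a message.
PII_PATTERNS = {
    "us_ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),  # Luhn-validated below
    "account_number": re.compile(
        r"\b(?:account|acct)\.?\s*(?:number|no\.?|num\.?|#)?\s*[:#]?\s*\d{6,17}\b", re.I),
    "date_of_birth": re.compile(
        r"\b(?:DOB|date of birth)\b[^\n]{0,20}?\d{1,2}/\d{1,2}/\d{2,4}", re.I),
    "password_or_pin": re.compile(
        r"\b(?:password|passcode|PIN)\b[^\n]{0,15}?(?:is|:)[\s:]*\S+", re.I),
}


def luhn_ok(digits):
    """Luhn check so a random run of 16 digits (an order ID, say) is not flagged as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def body_text(msg):
    """Collect the text of every text/plain and text/html part (tags stripped crudely)."""
    chunks = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        payload = part.get_payload(decode=True)
        if not payload:
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        if ctype == "text/html":
            text = re.sub(r"<[^>]+>", " ", text)
        chunks.append(text)
    return "\n".join(chunks)


def addresses(msg, header):
    """Bare, lower-cased addresses from a recipient header ('Name <addr>' forms included)."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def check_message(raw):
    """Return PII findings, Cc addresses outside ALLOWED_DOMAINS, and a send/no-send verdict."""
    msg = message_from_string(raw)
    text = body_text(msg)
    findings = {}
    for name, pattern in PII_PATTERNS.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if name == "card_number":
            hits = [h for h in hits if luhn_ok(re.sub(r"\D", "", h))]
        if hits:
            findings[name] = len(hits)
    stray_cc = [a for a in addresses(msg, "Cc") if a.rsplit("@", 1)[-1] not in ALLOWED_DOMAINS]
    # Any sensitive data at all means this belongs on an authenticated channel, not in
    # a mailbox for decades; the Cc list is reported so the sender reviews it either way.
    return {"pii": findings, "stray_cc": stray_cc, "verdict": "do not send" if findings else "ok"}


# Constructed sample in the spirit of the nominee; nothing here is real data.
SAMPLE_EMAIL = """\
From: Loan Officer <officer@example-bank.com>
To: Client <client@example.net>
Cc: Someone Else <other@example.org>
Subject: Re: Your application
Content-Type: text/plain; charset="utf-8"

Hi, to finish the application I just need to confirm a few details:
SSN: 123-45-6789
DOB: 04/12/1975
Account number: 00012345678
Card on file: 4111 1111 1111 1111
Your temporary online banking password is: Welcome1!
Thanks!
"""

CLEAN_EMAIL = """\
From: Loan Officer <officer@example-bank.com>
To: Client <client@example.net>
Subject: Re: Your application

Hi, the documents are in the shared folder you already have access to; please confirm there.
"""

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, check_message(raw))
```

The check deliberately refuses the message whenever any sensitive item is found, rather than weighing the cc list: the point of the post is that the content itself does not belong in a mailbox, regardless of who is copied. Run it against a real outbound pipeline and you will want to tune the patterns for your own account-number formats and add the identifiers your institution actually issues.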
Thanks for reading. Have any other insecure email examples that you'd like us to consider for the Wall of Shame? Drop us a line.