Why is email not secure?

Email as a platform can be very secure when set-up and used correctly. This would however require all participants in the email chain to have their email set-up securely and more importantly, for them all to use it in a secure manner.

The unfortunate reality is that with the number of parties being involved in an email communication thread and the lack of formal training aimed specifically at email security and best practices, email is generally not very secure. For this reason, fraudsters have been targeting the email platform with fair success and the fraudulent “attacks” are only on the uptake.

While many emails can and do become compromised through hacking, viruses and interception (where a device along the email path between sender and receiver is hacked), the 3 major elements relied upon in successful fraud attacks are currently Spoofing, Phishing and poor password management.

Spoofing is when an email is sent with the intention of appearing to be from a particular source while the true origin is from a fraudulent source. This is done by taking advantage of the fact that most email browsers only display the email “From” information in an easy to view area.

Every email contains 2 parts of information pertaining to the mailbox of its origin namely the “Header From” and the “Envelope Sender”. The “Header From” is the information that is displayed to the recipient under the “From” heading and the “Envelope Sender” is the actual mailbox that sent the email. In most cases the “Envelope Sender” is the same as the “Header From” but there are many legitimate reasons for these to differ (eg. a company sends marketing communication via a bulk email provider but chooses to have the email appear to come from their own mailbox for purposes of legitimacy and branding).

Fraudsters would use an email generating platform to create an email where they specify the “Header From” according to their needs. The “Envelope Sender” information is contained within the header information of the email but is not displayed on most email browsers and this “feature” is then used to mask the true origin of the email. You could for instance receive an email that appears to be from legitimateperson@safemail.com (this will be displayed in the From field) but the actual source is fraudster@fakemail.com (this information would be displayed in the “Envelope Sender” detail but would generally not appear in plain view). This results in an email that for all intents and purposes appears to come from legitimateperson@safemail.com but actually comes from fraudster@fakemail.com. This method is often used to send a person “fake” banking details in a manner that lends them to trust that it was sent from the legitimate company. The “fake” banking details would be that of the fraudster and they would steal the money that was transferred into the incorrect bank account by the unsuspecting victim.

Phishing is defined as:
“the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.” – Oxford Languages and Google

In simple terms, Phishing is just an email that is sent out to multiple email addresses with the hope that some of the recipients will fall for the “fake information” supplied in the email and inadvertently supply them with information such as passwords. Phishing is often used in conjunction with Spoofing to make the email appear more legitimate with the hopes of catching more victims. An example of Phishing would be an email that is made to appear to come from your email provider that states that your mailbox is full and that you will no longer receive any email. You are provided with a link in the email to rectify the problem. The link takes you to a fake website that appears to be that of your email provider and prompts you to log in. You enter your log in credentials and then get presented with a web page presenting you with some options to automatically reduce your mailbox size, a message then appears advising that your mailbox is no longer full and that all has been resolved. You continue with your day thinking that you have simply cleared some unnecessary email clutter but you have in fact supplied the fraudulent parties with your username and password (in this instance for your email account). The fraudster can then access your email account and view, delete or send emails, often without your knowledge.

An email account that has been compromised will remain compromised until the user changes their password and many users hardly ever change their password. In that time, any email received that refers to a requirement for the individual to make a payment is deleted by the fraudster and a new email (usually spoofed to appear to come from the original sender) that contains the fraudsters banking details instead of the correct details is then sent to the individual. The result being that the individual pays the fraudster instead of the original sender.

While Phishing is frequently to blame for people giving away their password, this can also be done through poor password management.

There are many online platforms that we make use of, some regularly and some only once-off. As we are required to create a password for secure access to the online platforms, we end up with too many passwords to successfully remember. To combat this, people often use the same password (or a fairly limited list of passwords) for all of these platforms. They also seldom change or update any of these passwords. In the event that one of these platforms is hacked (which happens more often than one would hope), the full list of usernames along with passwords is then often made publicly available by the hacker, usually on the Dark Web. The username for many online platforms would be your email address. Fraudsters will attempt to access the email address supplied as the username with the supplied password.

Companies, like STBB, would ensure that they have their email set-up securely along with software to automatically block and remove any known Phishing emails or emails that appear to be phishing related. They would train their user base on avoiding the Phishing “bait” and would also force their users to change their passwords frequently and to use well-formed, secure passwords. They would also implement processes and procedures to ensure correctness of information such as banking details before making payment. These measures would protect the company but would unfortunately offer little to no protection for their clients who may already have compromised email accounts through one of the aforementioned methods.

We urge you not to click on links in emails that you are not expecting and to verify the authenticity of emails containing important information such as banking details. Double check any links in emails and make sure that any link you do click on takes you to a valid login page (it would be safer to type the URL of the link into your browser yourself rather than clicking on a link). Never use passwords that are simple to guess like “Password”. Most of all, we urge you to change your passwords frequently, especially before and during the process of any transactions that would require the payment of large sums of money, such as property transactions.

While STBB prioritises the security of our data and email systems, we also value the security of our clients. For this reason, we have created the STBB Direct mobile app that now houses our eVault module. The STBB Direct app along with the eVault module will be used for sharing important and potentially sensitive information in a secure method, avoiding the security pitfalls associated with email as far as possible.