Sending an email is much like posting a letter through the U.S. Postal Service: if you’re don’t want prying eyes to read the contents, you seal it in an envelope. Most people prefer to keep their communications private, which is why they use a secure, encrypted email option to send their personal and private emails.
Emails that don’t employ security are prone to hacking, which makes it easier for scammers to obtain and use sensitive information to harm you or others. That’s especially true when emails travel over public Wi-Fi networks that are often unsecured—but even a secure network can be at risk.
What is encrypted, secure email?
Email encryption can be defined as disguising the content of an email message in order to protect its contents.
Email was not designed to be a secure communication. When it came on the scene decades ago, the internet was limited and people just wanted a simple way to communicate between computers of all types. There was no standardization between computer systems, networks, devices, and servers. As the internet and computers evolved and grew into multi-billion dollar businesses, people began to use email for more complicated communications.
According to Statista, complaints about email fraud are the third-most reported customer complaint filed with the Federal Trade Commission in 2018. Schemes like phishing, a form of fraud that can include a scammer gaining complete access to your email, cost consumers more than $48 million in 2018 and have scammed billions from businesses over the last five years, according to the FBI.
You can be a victim at home or at work when you don’t use encryption to secure your emails.
How encrypted email works
Email encryption works through the use of a public key and a private key. You, as the sender, hold the private key and only you determine who can use your public key. Anyone with the public key can open and read specific emails you designate. But they can’t access all your emails because each public key is different and used only for the emails you specify. Anyone who doesn’t have the public key for a specific email will only see gibberish.When you use your private key to ‘sign’ your email the receiver knows it was, in fact, sent by you and not an impersonator.
There are two key types of encryption that most email providers use. S/MIME enhanced encryption is the strongest method available for the most sensitive types of messages. This process is typically used for enterprise messaging systems. The second, Transport Layer Security (TLS) standard encryption, is usually fine for most messages and is used to exchange emails with email services that don’t support S/MIME.
All this really isn’t as hard as it sounds. According to PC World magazine, you should encrypt three things to fully secure your email: your actual email messages; any emails you store, cache or archive; and the connection with your email provider.
Check the connection with your email provider by looking for the ‘https’ address after you log in to your email program. If your provider supports that security feature, it will automatically encrypt your connection once the ‘https’ connects.
To encrypt stored emails that can be accessed offline in any way, you typically need to be sure your entire device is encrypted for the strongest security. Some email providers also offer options for encrypting offline email data files; those will vary according to the provider.
To send encrypted email messages, you need to follow instructions for your specific email provider. Below are the instructions for Gmail and Outlook.
How to send encrypted email by Gmail
In personal accounts, Gmail automatically encrypts your emails using TLS with PC and Android devices, which helps prevent others from reading your emails. Gmail can send and receive S/MIME messages, but only through G Suite Enterprise and G Suite Enterprise for Education accounts.
With Gmail, every email is automatically encrypted unless Gmail determines the recipient does not have the proper key to accept encryption. In those cases, a message will appear next to a recipient’s email address that says ‘No TLS’ followed by a small red lock.
To ensure you are sending an encrypted email, you simply need to confirm that none of the recipients are displaying this red lock next to their names. Follow these steps to confirm the email you are sending is encrypted for all recipients:
- Sign into your Gmail account.
- Click Compose to begin writing your email.
- Enter recipient email addresses.
- Check the addresses to see if a tiny red lock appears to the right of the recipient. If not, the email is secured by Gmail’s encryption process. If you see the red lock, the email is not secure and you should reconsider sending sensitive information to that person.
Note: This red lock does not appear on iPhones or iPads with Gmail. Instead, Gmail recommends users complete a specific Security Checkup for those devices.
How to send encrypted email by Outlook
Microsoft Outlook supports S/MIME encryption as standard. Outlook 365, part of the Office 365 subscription, automatically includes Office 365 Message Encryption but it is available only to subscribers.
To encrypt email messages in Outlook 365, open a new message. Go to Options and click Encrypt, then select the level of encryption you prefer under Set permission on this item.
To encrypt a single email message in Outlook 2019 and 2016, follow these steps:
- Open a new email message.
- Click File.
- Click Properties.
- Click Security Settings in the pop up window.
- Select Encrypt message contents and attachments.
- Click OK.
- Click Close.
- Enter recipients and type your email message, then send as you normally would.
Best practices to safely use email
When you use encryption to secure your email, it’s important to encrypt all the emails you send rather than just the ones you deem sensitive. That’s because hackers can see the markings left by encryption even if they can’t read the specific message, so the haphazard use of encryption actually highlights your important emails for a scammer so they know which ones to try and attack.
In a recent Mimecast report on email and data security, Josh Douglas, vice president of threat intelligence , stated email threats are very real and that scammers are always looking for new ways to bypass security settings. The report analyzed 67 billion suspicious emails and determined that scammers typically engage victims through email first, then move the conversation to text messaging, which is not as secure as email communications.
“We’ve observed malware-centric campaigns becoming more sophisticated, often using different types of malware in different phases of an attack—yet, at the same time very simple attacks are also increasing significantly,” he said in the report.
A proactive approach to email security can keep you from becoming a victim. Beyond encryption, here are additional tips to help ensure your emails stay as secure as possible.
- Only open attachments you can verify. Even if a friend sends you an attachment in an email, if you weren’t expecting it don’t open it until you have confirmed that your friend actually sent it.
- Never click links in an unsolicited email. Criminals can make emails look like they originate from official businesses, then trick you into clicking on a fake site’s URL to garner information from you. Always confirm the source first.
- Confirm the origin of emails you receive. Use a reverse email search service to help check suspicious communications.
- Never put personal information into an email. Emails can be viewed, changed and forwarded, so keep your sensitive information limited.
- Keep your operating system, antivirus, and email program up to date. You’ll receive the latest security updates this way, which can help reduce security problems.
The bottom line: use encryption any time you send sensitive or confidential information over email. Scammers are continuously active, so it’s up to you to block them whenever you can.