Since its inception, email has established itself as a fast and simple means of communication that lets users send not only plain text quickly, but also small files such as text documents or images …
Although many cloud services are now available for exchanging data, email is still often the first choice for quickly sending files such as documents, text or images to one or more recipients. What seems convenient can cause problems in email marketing and in email communication with customers, especially for transactional emails, which often contain sensitive data that customers are urgently waiting for. Below are the relevant challenges and their potential consequences:
Attachments as an entry point for malware
Attachments often act as a gateway for malware. A cybercriminal running a phishing campaign will want the messages to appear to come from a trusted source. Depending on the type of phishing, that source could be your supervisor, your financial service provider, or your insurance company, which increases the likelihood that the attachments are opened and the risk that follows.
These attachments are usually crafted to exploit vulnerabilities in an application (for example, a PDF viewer), the email client, or the operating system in order to infect the recipient's computer. Once under the criminal's control, an infected computer can go unnoticed and become part of a botnet, a network of compromised machines used to send spam or take part in DDoS (Distributed Denial of Service) attacks.
In this way the criminal can also access all the data on the recipient's computer. Because of these serious risks, email service providers and spam filters scan attachments very carefully, so the deliverability of emails carrying attachments may suffer.
Sometimes email clients block attachments or prevent them from loading and running. As a result, recipients do not receive these emails at all or cannot read the attachments.
No encryption means no data protection
Not all mail servers on the Internet support STARTTLS for transport encryption. STARTTLS upgrades an existing SMTP connection to Transport Layer Security so that email can be sent, forwarded, or received in encrypted form. Without STARTTLS, email content and the corresponding attachments can be read by third parties in transit.
Even with STARTTLS, there is still the risk of a man-in-the-middle (MITM) attack intercepting emails. A higher level of security can only be achieved with additional protocols such as DANE and DNSSEC, but these are not yet established in the market. In addition, there is a risk that the recipient inadvertently retrieves emails unencrypted from the mailbox over an unsecured network.
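The following is an added example, not code from the original article or from the CSA, showing how a sending system can enforce the STARTTLS requirement described above on its side: it refuses to continue in cleartext when the server's EHLO reply does not advertise STARTTLS, and it verifies the server certificate and hostname so that a MITM presenting an untrusted certificate is rejected. The host name mail.example.test and the two EHLO replies are constructed for illustration.

```python
import smtplib
import ssl

# Constructed EHLO replies in the form smtplib returns them (bytes, one
# extension per line, the server's domain on the first line).
SAMPLE_EHLO_WITH_TLS = b"mail.example.test\nSIZE 52428800\nSTARTTLS\n8BITMIME"
SAMPLE_EHLO_NO_TLS = b"mail.example.test\nSIZE 52428800\n8BITMIME"


def starttls_advertised(ehlo_message: bytes) -> bool:
    """Return True if STARTTLS is among the extensions in an EHLO reply."""
    lines = ehlo_message.decode("latin-1").splitlines()[1:]  # skip domain line
    return any(line.split()[0].upper() == "STARTTLS" for line in lines if line.strip())


def strict_smtp_session(host: str, port: int = 587, timeout: float = 10.0) -> smtplib.SMTP:
    """Open an SMTP session that only proceeds over verified TLS.

    Unlike opportunistic STARTTLS, this never falls back to cleartext and
    rejects certificates that do not chain to a trusted CA or do not match
    the host name, which is what defeats a simple downgrade or MITM attempt.
    """
    ctx = ssl.create_default_context()          # CA and hostname verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    code, message = smtp.ehlo()
    if code != 250 or not starttls_advertised(message):
        smtp.close()
        raise RuntimeError(f"{host}:{port} does not offer STARTTLS; refusing to send in cleartext")
    code, _ = smtp.starttls(context=ctx)        # raises ssl.SSLError on an untrusted certificate
    if code != 220:
        smtp.close()
        raise RuntimeError(f"{host}:{port} rejected STARTTLS with code {code}")
    smtp.ehlo()                                 # re-issue EHLO inside the TLS session
    return smtp


if __name__ == "__main__":
    # Offline check of the EHLO parser; the live session needs a reachable server.
    print(starttls_advertised(SAMPLE_EHLO_WITH_TLS), starttls_advertised(SAMPLE_EHLO_NO_TLS))
```

A message relayed with this session is protected only on the hop to the named server; later hops and the recipient's own mailbox retrieval still depend on their configuration, as the paragraph above notes.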
Emails and attachments often contain sensitive information, such as payment, insurance or health data, that unauthorized people must not read. As the sender, you need to consider what information to send via email and what harm can result if that information falls into the wrong hands. The sender is liable if personal data is disclosed publicly.
In that case, the provisions of Articles 32 et seq. of the General Data Protection Regulation (GDPR) apply. The breach must be reported to the supervisory authority and to the data subject. The authority can then impose penalties on the sender, see Article 58 GDPR (DS-GVO).
According to experts from the Certified Senders Alliance (CSA), attachments should be avoided in a commercial context. A better alternative to attachments is a deep link for downloading the documents from a private customer portal: the customer views or downloads the documents assigned to them over a TLS-secured connection.
The portal also lets users manage their documents centrally instead of searching for individual attachments in an overloaded email client. Regular logins to the portal also build customer loyalty and create an opportunity to advertise other offers.
The Certified Senders Alliance (CSA) is a joint venture of the e-commerce association eco e.V. and the German Dialog Marketing Association (DDV). The latest information on the CSA's work, CSA certification, and current technical and legal aspects of email marketing can be found at https://certified-senders.org/de/.