It isn’t safe to email banking information without additional encryption. You should never email any sensitive personal information without additional encryption.
Hi, I’m Aaron, an information security professional with almost two decades of experience keeping people and their information safe online. I use email for a lot of things–sending sensitive data included–but I do so safely and securely.
In this article, I’ll explain why it’s a terrible idea to email sensitive information unencrypted, what you can do to make that more secure, and alternatives for transmitting that data.
Key Takeaways
- Emails aren’t encrypted, they’re just addressed to someone.
- If you send information unencrypted and the email is opened by someone who’s not the intended recipient, then the person reading the email will have your information.
- There are numerous options to send information securely.
- Always evaluate why you need to send sensitive information and how to do it before you do.
Why it’s a Bad Idea to Email Sensitive Information Unencrypted
As a foundational matter, let’s discuss how email works, which will highlight why it’s a bad idea to email sensitive information, like banking information.
When you type an email, it’s typed in human readable text, or clear text. That makes sense, how else would you know what you’re typing?
You then hit the Send button and your email provider typically wraps that clear text email in a form of encryption called Transport Layer Security (TLS) encryption. That kind of encryption uses a certificate to create a validated and secure connection. However, the email itself is never encrypted–it’s always stored in clear text.
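You can see this hop-by-hop protection in a message's `Received:` headers, where each mail server records how it received the message; the RFC 3848 keywords `ESMTPS` and `ESMTPSA` mark hops that ran over TLS. The Python below is an added example, not part of the original article, and the sample message, host names and account numbers in it are constructed.

```python
import re
from email import message_from_string

# Constructed sample message: hosts, addresses and account numbers are dummies.
SAMPLE = """\
Received: from mx.recipient.example ([203.0.113.9])
\tby store.recipient.example with ESMTP id c3; Mon, 1 Jan 2024 10:00:03 +0000
Received: from out.sender.example ([198.51.100.7])
\tby mx.recipient.example with ESMTPS id b2; Mon, 1 Jan 2024 10:00:02 +0000
Received: from laptop.home.example ([192.0.2.44])
\tby out.sender.example with ESMTPSA id a1; Mon, 1 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bank@recipient.example
Subject: account details
Content-Type: text/plain

Routing 000000000, account 0000000000
"""

# RFC 3848 "with" keywords that mean the hop ran over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

def hops(raw):
    """Return (receiving host, protocol, used_tls) per hop, sender first."""
    msg = message_from_string(raw)
    result = []
    # Servers prepend Received headers, so reverse them for delivery order.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # undo header folding
        by = re.search(r"\bby (\S+)", flat)
        proto = re.search(r"\bwith (\S+)", flat)
        name = proto.group(1).rstrip(";").upper() if proto else "UNKNOWN"
        result.append((by.group(1) if by else "?", name, name in TLS_PROTOCOLS))
    return result

def body_is_cleartext(raw):
    """True unless the message itself is PGP/MIME or S/MIME encrypted."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    smime = str(msg.get_param("smime-type") or "").lower()
    encrypted = ctype == "multipart/encrypted" or (
        ctype == "application/pkcs7-mime" and "enveloped" in smime)
    return not encrypted

if __name__ == "__main__":
    for host, proto, tls in hops(SAMPLE):
        print(f"{host:28} {proto:8} {'TLS' if tls else 'no TLS'}")
    print("body readable at every hop:", body_is_cleartext(SAMPLE))
```

Even where every hop reports TLS, each server in the list handled the body in clear text. `Received:` headers are written by the servers themselves and an earlier hop can forge them, so treat the result as a hint rather than proof.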
There are a number of ways to initiate what’s called a Man In The Middle Attack impacting TLS encryption. A Man In The Middle Attack is where someone poses as a legitimate recipient of internet traffic, records that information, and then passes the communication through. To the end-users, this can look like a reputable connection.
There are even a number of legitimate services that do this. If you work for a large corporation, for example, it’s highly likely that they decrypt all TLS encryption at their perimeter firewalls to evaluate whether or not their sensitive data is being sent elsewhere. It’s a core piece of most Data Loss Prevention (DLP) solutions.
So when you email something, it’s highly likely that someone who isn’t the direct recipient can access the text of your email. If you email sensitive personal information, like your banking information, then whoever can access the email can read that information. If you care about the privacy of that information, you don’t want to email that in clear text.
How do I Not Email in Clear Text?
There are a couple of ways to transmit sensitive information that isn’t in clear text. They can add complexity to what you’re trying to do. Whether or not you believe that added complexity is valuable is up to you based on the kind of data you’re sending and the risks of that information being misused.
Does Your Recipient Have a Web Portal or App?
If you’re being asked to transmit sensitive information and you trust your recipient enough to send the information, ask them if they have a secure web portal or web app to upload the information.
Can Your Recipient Provide Secure Email?
If your recipient doesn’t have a secure web portal or web app for intaking sensitive information, they may have a secure email platform like Proofpoint, Mimecast, or Zix. Those secure platforms use an encrypted server to store data and then send links to the information via email. Those links require setting up a username and password to the server associated with your email address.
If Not, Then You May Need to Zip It
If your recipient can’t guarantee secure transmission, you may need to take matters into your own hands. The easiest way for you to do this is to use a program like WinRAR or 7-Zip to zip the file and password protect it.
To do that, download and install your zipping program of choice. I’m using 7-Zip.
Step 1: Right click on the file you want to zip. Left click on the 7-Zip menu.
Step 2: Left click on Add to Archive.
Step 3: Enter a password and click OK.
Think About Why You’re Sharing Information
In the normal course of daily life, you shouldn’t need to share your banking information or similarly sensitive data. Sometimes, extenuating circumstances may drive sharing that information.
If you’re being asked to share that kind of information, evaluate the circumstances around sharing that. Are you talking to a trusted source with whom you should be sharing that data? Or are you responding to an “emergency” where you’re being pressured into quickly providing your information?
Trust your instincts: if you worry about sharing sensitive information, then you shouldn’t share sensitive information.
Any legitimate organization that is legitimately asking for information will work with you to accommodate a secure transfer of that information. Anyone who refuses to help you validate their need for your information and help you transfer it securely is likely illegitimate.
Let’s review some common questions about sharing sensitive information online.
Is it Safe to Send Banking Information by Text?
No. No one will legitimately ask you for your banking information by text. Additionally, while cellular carriers provide encrypted cellular connections, it’s possible to intercept information and all information is sent via clear text (similar to email).
Is it Safe to Send Banking Information by WhatsApp?
No. No one will legitimately ask you for your banking information via WhatsApp. That being said, WhatsApp has point-to-point encryption, so if you do send your information (which you shouldn’t) then it’s unlikely that someone else can review that information.
Is it Safe to Send Banking Information by Messenger?
No. No one will legitimately ask you for your banking information via Messenger. Even though Messenger provides encrypted transmission, Meta built its business around selling its users’ information. Its business practices should make users seriously question any sense of privacy when using any services on the Meta platform.
It is not secure to send banking information via email. If you feel that you must, please take steps to validate that the request is legitimate and to secure the information so that it isn’t lost or stolen.
What other steps do you take to secure information you send by email? Let us know in the comments!