Since its creation, e-mail has established itself as a fast and simple means of communication that makes it possible to quickly send not only plain text but also small files, such as text documents or images …
Even though several cloud services are now at our disposal for data exchange, e-mail is still often the first choice when it comes to quickly sending files such as text documents or images to one or more recipients. What may seem useful in private life could cause problems in email marketing or in email communication with customers, especially with transactional emails, which often contain sensitive data and which customers urgently expect. Below are the related challenges and possible consequences:
Attachments as an entry point for malware
Attachments are often used as a gateway for malware. If a cyber criminal is phishing, they will want to give the impression that the messages come from a reputable source. Depending on the type of phishing, it can be the supervisor, a financial service provider, or an insurance company. This increases the likelihood and danger of these attachments being opened.
Typically, these attachments are manipulated so that they exploit security vulnerabilities in the application (for example, the PDF viewer), the email client, or the operating system to infect the recipient’s computer. Once under the control of the criminal, the infected computer can, unnoticed, become part of a network of “bots” (interactive robotic systems) and send spam or participate in DDoS (Distributed Denial of Service) attacks.
In this way, a criminal can also have access to all of the data on the email recipient’s computer. Because of these serious risks, email service providers and spam filters check attachments very carefully. As a result, the deliverability of these emails may be adversely affected.
Mail clients sometimes prevent the loading and execution of attachments. As a result, recipients would not receive these emails or would be unable to read the attachments.
Lack of encryption means lack of data protection
Not all Internet mail servers support STARTTLS as transport encryption. This procedure, which initiates encryption of a connection using Transport Layer Security (TLS), is used to send, transfer or receive emails securely in encrypted form. Without STARTTLS, the content of the email and related attachments can be read by third parties.
Even with STARTTLS, there is still a risk of a man-in-the-middle (MITM) attack that can intercept emails. A higher level of security can only be achieved by additional protocols such as DANE and DNSSEC. However, these are not yet established on the market. In addition, there is the risk that the recipient may, without knowing it, retrieve their e-mails unencrypted from the mailbox over an insecure network.
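The following Python code is an added example, not part of the original article: it shows a sender-side policy that refuses to fall back to plaintext for sensitive mail when a server does not advertise STARTTLS, since the sender cannot tell a server without TLS from one whose STARTTLS line was removed in transit. The function names, the host `mx.example.net` and the sample EHLO replies are hypothetical and constructed for illustration.

```python
import smtplib
import ssl
from email.message import EmailMessage


def offers_starttls(ehlo_reply: str) -> bool:
    """True if a raw multi-line EHLO reply (RFC 5321) advertises STARTTLS."""
    for line in ehlo_reply.strip().splitlines()[1:]:  # line 1 is the greeting
        if not line.startswith(("250-", "250 ")):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        words = line[4:].split()
        if words and words[0].upper() == "STARTTLS":
            return True
    return False


def tls_policy(starttls_offered: bool, sensitive: bool) -> str:
    """Return 'starttls', 'plaintext' or 'defer' for one delivery attempt."""
    if starttls_offered:
        return "starttls"
    # A missing STARTTLS line looks the same whether the server lacks TLS or
    # the line was stripped on the path, so sensitive mail is never downgraded.
    return "defer" if sensitive else "plaintext"


def deliver(host: str, msg: EmailMessage, sensitive: bool) -> str:
    """Apply tls_policy on a live connection (needs network; not run here)."""
    with smtplib.SMTP(host, 25, timeout=30) as smtp:
        smtp.ehlo()
        action = tls_policy(smtp.has_extn("starttls"), sensitive)
        if action == "defer":
            return action  # keep the message queued, send nothing
        if action == "starttls":
            # The default context verifies the certificate chain and host name.
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()  # extensions must be re-read after the TLS handshake
        smtp.send_message(msg)
        return action


# Constructed EHLO replies from a hypothetical MX, for illustration only.
WITH_TLS = "250-mx.example.net\n250-SIZE 52428800\n250-STARTTLS\n250 8BITMIME"
WITHOUT_TLS = "250-mx.example.net\n250-SIZE 52428800\n250 8BITMIME"

if __name__ == "__main__":
    for reply in (WITH_TLS, WITHOUT_TLS):
        print(tls_policy(offers_starttls(reply), sensitive=True))
```
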
Often, emails or attachments contain sensitive information, such as payment information, insurance or health data, which should not be read by unauthorized persons. As a sender, therefore, you need to think about what information to send by email and what damage can be caused if that information falls into the wrong hands. The sender will be held responsible if the personal data is publicly disclosed.
In this case, the provisions of Articles 32 and following of the GDPR apply. The supervisory authorities and the person concerned must be informed of the security leak. The authorities can then impose sanctions on the sender; see Article 58 GDPR.
According to experts at the Certified Senders Alliance (CSA), attachments should therefore be avoided in the business environment. A better alternative to attachments is a deep link to download them from your own customer portal. The customer can view or download the documents assigned to them via a connection secured by TLS.
It also allows the user to manage their documents centrally without having to search for individual attachments in their overloaded email client. Regular connection to the portal also creates additional customer loyalty and the ability to advertise other offers.
The Certified Senders Alliance (CSA) is a joint project of eco e.V. and the German Dialogue Marketing Association DDV (Deutscher Dialogmarketing Verband). Up-to-date information on CSA work, CSA certification, and current technical and legal aspects of email marketing can be found at https://certified-senders.org/de/.