Secure handling of email

Phishing mails, scam mails, malware mails: Stay alert!

Things to know

No confidentiality

In terms of discretion, confidentiality, and security, an email is like a postcard. As with the postcard, anyone with access to the "mail path" between you and the target mailbox can potentially read emails received or sent.

Therefore, confidential data should never be included in an email that is not explicitly secured.

Malware in emails

Malware emails are emails with attachments that contain malware. Malware is often hidden in Zip, PDF, or DOC files.

Phishing: password theft

These emails look almost exactly like messages from ETH or other trusted partners. However, the links they contain lead to a counterfeit copy of the original website, where an attempt is made to steal your login data.

Scam or fraudulent emails: fraud

With such emails, attackers try to gain a financial advantage.

The victim receives an email, allegedly from a superior or a VIP. In the email, the victim is asked to deal with an "emergency", an exceptional situation, urgently and, for example, to transfer certain amounts quickly, to grant access rights or to provide information.

Under the pressure built up by the supposed superior, victims often fail to question the instruction critically: whether the sender's address is correct and whether the request is plausible.

Mail spoofing: fake sender addresses

It is not difficult to fake the sender address of an email and then launch fraud attempts supposedly in the name of the faked sender, be it via scam mails or phishing, or by sending attachments containing malicious software. Sometimes the fake sender addresses look deceptively real.

When encrypting emails, a distinction must be made between two procedures:

Opportunistic transport encryption

Opportunistic transport encryption takes place automatically, without the user's intervention, and encrypts emails in transit between two mail servers, provided that both sides, sender and recipient, support this feature.

Transport encryption is very common. However, in most cases users cannot know whether transport encryption was actually used. Even where this is known, the limitation remains that emails are encrypted only during transport and are stored unencrypted on the email servers of sender and recipient.
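The practical check behind this caveat, as an added example that is not part of the original page: a small Go program that parses the Received headers of a message (a constructed sample is embedded) and reports which hops claim TLS. Each Received header is written by the receiving server, so the result is only as trustworthy as those servers; it tells a user what the headers say, not more.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// SampleMail is a constructed message: the newest hop (top) claims TLS, the first hop from the user's laptop does not.
const SampleMail = "Received: from mx1.example.org (mx1.example.org [203.0.113.5])\n" +
	" by mail.example.net with ESMTPS id k7Q2 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);\n" +
	" Mon, 1 Jan 2024 10:00:00 +0000\n" +
	"Received: from laptop.example.org (unknown [198.51.100.7])\n" +
	" by mx1.example.org with ESMTP id b3Xy; Mon, 1 Jan 2024 09:59:58 +0000\n" +
	"From: alice@example.org\nTo: bob@example.net\nSubject: Invoice\n\nHello Bob\n"

// tlsHint matches the wordings MTAs use for a TLS-protected hop: the ESMTPS/ESMTPSA keywords of RFC 3848 or an explicit TLS version clause.
var tlsHint = regexp.MustCompile(`(?i)\bwith\s+(E?SMTPSA?|LMTPS)\b|using\s+TLS|version=TLS|TLSv1\.[0-9]`)

// TransportHops returns, per Received header (most recent first), whether that
// hop claims transport encryption according to the text the receiving server wrote.
func TransportHops(raw string) ([]bool, error) {
	m, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	var hops []bool
	for _, r := range m.Header["Received"] {
		hops = append(hops, tlsHint.MatchString(r))
	}
	return hops, nil
}

// AllHopsEncrypted is true only if every recorded hop claims TLS; one plaintext hop breaks the chain.
func AllHopsEncrypted(hops []bool) bool {
	for _, tls := range hops {
		if !tls {
			return false
		}
	}
	return len(hops) > 0
}

func main() {
	hops, _ := TransportHops(SampleMail) // error ignored for the constructed sample
	fmt.Println("TLS per hop (newest first):", hops)                // [true false]
	fmt.Println("encrypted on every hop:", AllHopsEncrypted(hops)) // false
}
```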

End-to-end encryption

End-to-end encryption takes place in the user's email program, using the recipient's public key. Only the recipient can decrypt the email, with his or her private key.

Nobody else can read those emails during transport or while they are stored on the email servers.

Digital certificates

A digital certificate is comparable to an ID card, for example a company ID card or a membership card for a sports club. There are also digital certificates that can be used for legally binding transactions due to their higher security level.

Digital certificates can be issued to identify users, but also to identify servers, end devices or software. Email certificates are always user certificates.

Structure of digital certificates

Basically, a digital certificate provides information about an identity. This information is verified and formally confirmed by the issuer before the certificate is issued. The different security levels of certificates also mean different formalities are required for the initial verification of the applicant's identity. The higher the security level of a certificate, the more extensive the possible areas of use.

Each digital certificate has a public part and a secret part. The public part contains all information that third parties need to verify the identity of a user, such as the email address, the name of the owner and the expiry date of the certificate. The private key associated with each certificate is the secret part.

Securing email traffic with digital certificates

The exchange of emails can be secured using email certificates. These digital user certificates can be used in a similar way to a seal to verify the sender or originator of an email. In the case of an email that has been signed with a valid certificate, the recipients can be sure that it was sent by the owner of the certificate and that its content was delivered unchanged. In addition, the certificates can be used to encrypt emails both in transit and in storage.

The two essential security functions of email certificates are:

Digital signing

The email is "sealed". A valid digital signature is comparable to an unbroken seal.

  • The sender is the owner of the certificate; the mail is therefore genuine.
  • The content of the email arrived in the recipient's mailbox unchanged; it is therefore unaltered.

Signed emails contribute significantly to protection against phishing and fraud emails, especially if emails are routinely signed and recipients pay attention to the signatures: recipients are then alerted when they receive an unsigned email, supposedly from their superior, asking them to urgently buy vouchers from an online store or to trigger other financial transactions, bypassing all the usual processes.

End-to-end encryption

If the sending and receiving sides have email certificates and have exchanged the public keys of their certificates, they can encrypt their email traffic. Emails secured in this way can only be read with the help of the private keys of the parties involved. If the private keys are stored securely, it is practically impossible for such emails to be read by unauthorised persons.
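The two functions, digital signing (the "seal" above) and end-to-end encryption, in working code, as an added example that is not part of the original page: RSA key pairs stand in for the key pairs inside two users' email certificates (Alice signs, Bob receives). The signature check fails for altered content or a different signing key, and a mail encrypted for Bob cannot be opened with Alice's key. Keys and the message are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign puts the "seal" on a message: an RSA-PSS signature over its SHA-256
// digest, made with the sender's private key (the secret part of a certificate).
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

// Verify checks the seal with the sender's public key (the part a certificate
// publishes). It fails if the content changed or another key made the seal.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

// Encrypt makes the message readable only by the holder of the private key
// matching the recipient's public key (RSA-OAEP).
func Encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt opens the message with the recipient's private key.
func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key pairs standing in
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)   // for two users' email certificates
	msg := []byte("Please pay invoice 4711 today.") // constructed sample mail
	sig, _ := Sign(alice, msg)
	fmt.Println("genuine mail verifies:  ", Verify(&alice.PublicKey, msg, sig))                                      // true
	fmt.Println("altered mail verifies:  ", Verify(&alice.PublicKey, []byte("Please pay invoice 4712 today."), sig)) // false
	fmt.Println("spoofed sender verifies:", Verify(&bob.PublicKey, msg, sig))                                        // false
	ct, _ := Encrypt(&bob.PublicKey, msg)
	pt, _ := Decrypt(bob, ct)
	_, err := Decrypt(alice, ct)
	fmt.Println("Bob can read it:        ", string(pt) == string(msg)) // true
	fmt.Println("Alice can read it:      ", err == nil)                // false
}
```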

Manage email certificates securely

Similar to seals or identity cards, the private keys of the certificates must not fall into unauthorised hands or get lost. They need to be managed safely. IT Services offer a service for obtaining and securely managing email certificates (Public Key Infrastructure, PKI). The offer includes personal certificates and certificates for group mailboxes.

Send emails securely

  • Check the recipient list before clicking the send button.
  • Be aware: after sending, you have no control over your emails. You don't know whether they are copied and/or forwarded.
  • If you have several recipients, use the "BCC" (Blind Carbon Copy) address field instead of "CC" if you do not want the other recipients' addresses to be visible to everyone.
  • Do not forward chain mails.