Emailing sensitive documents: Is it worth sending encrypted?

colin79666

I work for a company that requests this kind of information. What we do is send the customer a link to a website where they can securely upload the documents and "email" it back to us. That way we provide the customer with a simple means of avoiding emailing copies of their documents in the clear.

If we are exchanging a lot of email with a particular domain (e.g. customerdomain.co.uk) then we speak to their IT department and see if we can enforce TLS encryption. Failing that we can fall back to the method outlined above.

Your mortgage broker should be doing the same, in this day and age they really ought not to be asking for customers to send documents in an insecure manor, even if the risk of interception is small.

Zip password protection is next to useless if you use the standard method. Provided you use AES 256bit which both 7-Zip (free) and WinZip supports then this is as good as any other method. Just use a good password and communicate it by another channel (text message or phone call). If their system blocks Zip you can usually get around it by renaming the file to example.abc and getting them to change it back to example.zip once they have downloaded the attachment.

paddyrg

But yes, OP, email by default is completely insecure and hops from server to server via a path you don't control or predict upfront, and can very easily be archived along the way.

However you can mitigate somewhat if you are sending from (say) gmail to gmail as the gmail web client is all https, their internal network is not public facing, and if the other person uses the gmail web client then only three world's biggest ad broker and security agencies will be reading your mail.

mattb5906

Thanks all for your input. Good information.
In the end I sent the documents in bulk as encrypted PDFs. I've been told that if the broker has to send information on, it is sent via a secured web service controled by the 3rd party (e.g. the bank) or sent by snail mail.