Email sensitive documents - security

Danielmc1

Hi all, I’m new on these forums.

My partner and I are in the process of apply for our first mortgage via a certain well known broker. As expected, I’m being asked by several parties for sensitive documents - bank statements, account details, passport, drivers license etc etc.

Now the universal advice, repeated everywhere you read, is always to stay safe and secure online and never send any sensitive documents unencrypted via email. It stands to reason, and seems very obvious to me and assumed the financial industry would be well versed on this and have secure transfer methods in place.

It seems I was wrong.

I’m constantly being pushed to send all these documents as standard PDF files over email. Without even thinking about it, I used 7zip to group multiple files together, set a password and sent a Dropbox link to the broker with a note about obtaining the password with me over the phone. They came back to me and said their systems block access to Dropbox links. So I emailed him the encrypted file. He again got back to me saying he didn’t know how to open the file as he didn’t have the right program, requesting again that I just send all my documents unencrypted over email. I’ve also had similar experiences from the estate agent and conveyancer.

I’m shocked that this seems to be the norm and that the people I’m dealing with seem not only absolutely oblivious to any security risks, but completely unversed in simple everyday use of compressed archives.

What are your experiences out there? Am I just dealing with inexperienced or sub standard businesses or is this the norm out there? I’m under pressure from my partner to “stop being difficult, and just send everything the normal way, as a pdf” and feeling similar pressure from these businesses.

Any advice would be much appreciated!

Daniel

jamesperrett

House purchase documents certainly do end up in the wrong hands if people are careless with emails. I've received someone else's house purchase documents in the past thanks to a solicitor's mistake. If you haven't committed to this broker than I would suggest that you investigate alternatives.

Tom99

Can you encrypt the pdf file then just phone him the password using something like this

https://smallpdf.com/protect-pdf

He does not need a program to open the file only the password

amnblog

We provide an online service and issue our Clients with a secure upload link for sensitive documents. We tell them NOT to email documents.

If someone sends an email attaching perhaps a passport, a credit card bill, and a credit file, that is asking for trouble should it go astray.

You say you are dealing with a well known broker. It surprises me that they do not have a secure system.

The Lenders tend to use secure email systems when communicating with brokers.

dunstonh

Most brokers/advisers have the ability to use encrypted email services. However, I find most consumers are not that bothered about it. So, we offer it but the take up is low.

via a certain well known broker.

If they are an online broker then there is no excuse. They should have upload facilities into encrypted systems. Also, if its a larger broker with a factory line service, then you are generally looking at lower quality staff or newly trained staff tied into fixed systems that lack flexibility (big generalisation I know but broadly the case).

Perhaps you may have been better to use a small local firm than an inflexible large one.

davidmcn

I would say in practice the majority of stuff ends up unencrypted (almost all correspondence between solicitors goes as plain email with unencrypted attachments) but as mentioned above, banks etc are fond of using secure systems so I would expect everyone to be capable of unzipping encrypted files.

ACG

A lot of this will change in the next 2-3 months with GDPR coming in.

Currently I still work with emailed documents, but I am having a system developed which will allow customers to log in and upload documents etc. Hopefully that will be up and running in the next 2 weeks.

It is surprising at how relaxed everything is currently and it is surprising larger firms can not click on drop box links or open zip files. Although I know when I worked for a bank, zip files were blocked as they were the most likely to contain viruses.

Danielmc1

Thank you all for your replies, it!!!8217;s been interesting reading and very helpful.

Another member of staff have got back to me from the broker in question and although they can!!!8217;t access cloud storage links, he was able to open the encrypted file I sent as an attachment using the password I have over the phone. He apologised and said that his colleague wasn!!!8217;t very IT literate. Rather worrying I think, considering the industry he is working in and the nature of documents he processes - a little odd in general though in this day & age I think...

So I think we!!!8217;ve found a workflow they are happy with, but will certainly look into the password protected PDF!!!8217;s you suggested, Tom99. I guess this would guarantee their security further - as at the moment, once my encrypted archive is opened I suppose anyone can then copy and paste the files outside that archive rendering them unprotected again...

Tom99

Danielmc1 wrote: »

So I think we've found a workflow they are happy with, but will certainly look into the password protected PDF's you suggested, Tom99. I guess this would guarantee their security further - as at the moment, once my encrypted archive is opened I suppose anyone can then copy and paste the files outside that archive rendering them unprotected again...

[FONT=Verdana, sans-serif]The website I referred you to says it would take thousands of years to crack the password with a normal computer because they thoroughly encrypt the file.[/FONT]
[FONT=Verdana, sans-serif]Of course you only have their word for that but its got to be better than nothing. [/FONT]

unforeseen

ACG wrote: »

A lot of this will change in the next 2-3 months with GDPR coming in.

Currently I still work with emailed documents, but I am having a system developed which will allow customers to log in and upload documents etc. Hopefully that will be up and running in the next 2 weeks.

It is surprising at how relaxed everything is currently and it is surprising larger firms can not click on drop box links or open zip files. Although I know when I worked for a bank, zip files were blocked as they were the most likely to contain viruses.

You will find that lots of companies block access to places such as Dropbox and the like.

Also a lot of commercial email systems will reject encrypted emails because of the inability of their anti virus systems to scan them successfully.


Encryption is a two edged sword. It may enable you to transfer your documents securely but it can also enable malware to bypass the gateway antivirus protection..

georou

I have just arranged to open a savings account with one of the banks who asked me to send a copy of my driving licence and concil tax bill by email (gmail).  I did so as recommended.....taking a photo and emailing.   I never thought much about it until my son said I should never send emails with sensitive information.  I rang the bank and they said it shouldnt be a problem.....and they actually emailed back my sort code and customer number.
I am very distressed after reading some of the comments here.
Should I cancel all proceedings with this bank......