Abstract
Emails were not designed with protection against cyber-attacks in mind, which makes them an attractive target for cybercriminals. A primary attack vector is phishing, a type of social engineering in which a fraudulent message is sent to trick a person. Email messages can, however, be secured using cryptography: end-to-end encryption protects them both in transit and at rest, and Transport Layer Security protects them in transit between email servers and clients. Nevertheless, emails may never be as secure as newly designed solutions with solid end-to-end encryption and a robust architecture.
1 Introduction
In 2020, approximately 306 billion emails were sent and received daily, and this number is expected to rise to over 376 billion by 2025. A standard attack vector is phishing, a type of social engineering in which a fraudulent message is sent to trick a person. Emails were not designed with protection against cyber-attacks in mind, making them an attractive target for cybercriminals; according to a study conducted in 2021, 83% of companies have been attacked by phishing. Email can be secured with end-to-end encryption (E2EE) or with transport layer security (TLS). E2EE standards include Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME). The use of E2EE for email is still rare; most emails are sent as plain, unencrypted text. Nevertheless, encrypted email revenue tripled from $0.5 billion to $1.5 billion between 2015 and 2020. Technical developments in email security include cloud-based email services, artificial intelligence, blockchain, multi-factor authentication, and security extensions.
2 Analysis
Ray Tomlinson sent the first email in 1971 [1]. Since then, the number of email users has steadily increased. In 2020, approximately 306 billion emails were sent and received worldwide every day, and this number is expected to increase to over 376 billion by 2025 [2]. A primary attack vector is phishing, a type of social engineering in which a fraudulent message is sent to trick a person. In addition, emails were not designed with protection against cyber-attacks in mind [3], making them an attractive target for cybercriminals. According to a study conducted in 2021, 83% of companies have been attacked by phishing [4], a widely used technique for stealing personal information from users, for example via email [5]. Based on surveys of companies in the United States, the United Kingdom, France, Germany, and Australia [6], this represents a 46% increase over 2020. Phishing is not the only form of cybercrime, but it is the most widespread and is expected to remain a significant problem in the future. As a result, it is all the more critical to ensure information security in email, and in particular the authenticity of messages [7].
2.1 Definition
Email is usually used to refer to one of the following: (1) a means or system for transmitting messages between computers on a network or (2) a message sent and received electronically through an email system. Here, we focus on securing the messages rather than the email system. Email messages can be secured using cryptography. For example, end-to-end encryption (E2EE) can be used to protect them both in transit and at rest. In addition, Transport Layer Security (TLS) [8] is used to protect emails in transit between email servers and clients. TLS uses a combination of asymmetric (see Chap. 3) and symmetric cryptography (see Chap. 2). Note that TLS protects each hop only: every mail server along the path handles the message in plaintext, which is why E2EE is needed for protection at rest. Common standards used for E2EE email encryption are:
- Pretty Good Privacy (PGP): One of the most widely used standards [9] is OpenPGP, which provides message encryption and digital signatures as security services (see Chap. 15). OpenPGP is an open standard that employs a combination of asymmetric (see Chap. 3) and symmetric encryption (see Chap. 2) [10].
- Secure/Multipurpose Internet Mail Extensions (S/MIME): Another widely used standard is S/MIME, which is also based on a combination of asymmetric and symmetric encryption. It provides authentication, message integrity (i.e., the message was not modified during transmission), non-repudiation of origin (using digital signatures), and data confidentiality (using encryption). The certificates used to verify the signatures are issued by certificate authorities (CAs) [11].
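The hybrid construction that both standards share is shown below as an added example written for this chapter, not code taken from OpenPGP, S/MIME, or any product named here: the sender signs the message with their private key, encrypts message and signature under a fresh symmetric key, and wraps that key with the recipient's public key, so the mail servers in between only ever hold an opaque envelope. The example uses Go's standard library (RSA-PSS signatures, RSA-OAEP key wrapping, AES-256-GCM). The `Envelope` layout, the `Seal`/`Open` names and the sample message are assumptions of this example; the real OpenPGP packet format and the CMS structures S/MIME uses differ in encoding, not in principle.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels through the mail servers and sits in the mailbox.
// Without the recipient's private key none of it is readable. (Illustrative
// layout for this example, not the OpenPGP or CMS wire format.)
type Envelope struct {
	WrappedKey []byte // per-message AES key, RSA-OAEP encrypted to the recipient
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM over (body || sender signature)
}

// Seal signs the body with the sender's RSA key (RSA-PSS over SHA-256), then
// encrypts body and signature under a fresh AES-256-GCM key wrapped with the
// recipient's RSA public key: sign-then-encrypt, as PGP and S/MIME clients do.
func Seal(sender *rsa.PrivateKey, recipient *rsa.PublicKey, body []byte) (*Envelope, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	cek := make([]byte, 32) // content-encryption key, fresh for every message
	if _, err := rand.Read(cek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// A PSS signature is always exactly the key size, so it can simply be appended.
	plain := append(append([]byte{}, body...), sig...)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, cek, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, nil)}, nil
}

// Open reverses Seal: unwrap the key, decrypt (GCM rejects any modified byte),
// split off the signature and verify it against the claimed sender's key.
func Open(recipient *rsa.PrivateKey, sender *rsa.PublicKey, env *Envelope) ([]byte, error) {
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("not encrypted to this recipient: %w", err)
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("ciphertext corrupted or tampered: %w", err)
	}
	sigLen := sender.Size()
	if len(plain) < sigLen {
		return nil, errors.New("message too short to carry a signature")
	}
	body, sig := plain[:len(plain)-sigLen], plain[len(plain)-sigLen:]
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("signature does not match claimed sender: %w", err)
	}
	return body, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048) // sender
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)   // recipient
	env, err := Seal(alice, &bob.PublicKey, []byte("Court decision attached.")) // constructed sample body
	if err != nil {
		panic(err)
	}
	body, err := Open(bob, &alice.PublicKey, env)
	fmt.Printf("recovered: %q, err: %v\n", body, err)
	env.Ciphertext[0] ^= 0x01 // a relay modifying a single byte in transit
	_, err = Open(bob, &alice.PublicKey, env)
	fmt.Println("after tampering:", err)
}
```

Run as-is, the program prints the recovered body and then the error produced once a single ciphertext byte is flipped. What the example does not solve is key distribution: the sender must already hold an authentic copy of the recipient's public key, and the recipient an authentic copy of the sender's, which is exactly where PGP's web of trust and S/MIME's certificate authorities come in.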
2.2 Trends
End-to-end email encryption is today rare, partial, and often perceived as impractical, so most emails are sent as plain, easily readable, unencrypted text [3, 12]. Nevertheless, over 2015–2020 encrypted email revenue tripled from $0.5 billion to $1.5 billion [13]. Several factors drive this growth: an increase in fraud (particularly phishing), a growing number of email users, high demand for cloud-based encryption services, and regulations requiring privacy compliance.
Technical Development
A variety of technical developments apply to email security. Cloud-based email services offer cost-effectiveness and scalability; in addition, security is included as part of the cloud service and does not require in-house development, implementation, and maintenance [14, 15]. Artificial intelligence can detect various types of attacks. A blockchain eliminates the need for trusted intermediaries and keeps a record of all previous transactions (see Chap. 25). Multi-factor authentication adds further layers of security, making it harder for attackers to steal a person's identity (see Chap. 29). Finally, extensions such as Plesk Email Security or Virtru can help protect users against attacks.
Risks
Risks are constantly evolving. Email is the standard channel for phishing, and it is becoming more dangerous as phishing as a service (PhaaS) becomes increasingly prevalent. With PhaaS, cybercriminals assist others in conducting phishing attacks for a fee. This provides cybercriminals with a new source of revenue and allows anyone, regardless of expertise, to conduct more professional attacks. PhaaS increases both the number of phishing attempts and the likelihood that they succeed [16]. With the rise of offensive artificial intelligence, which produces attacks that circumvent conventional rule-based detection software, organizations must adopt new defenses [17].
3 Consequences for Switzerland
In 2021, Switzerland reported twice as many cyber incidents as in the previous year. The most frequent reports [18] concerned emails sent by perpetrators masquerading as law enforcement agencies. In recent years, more and more Swiss providers have entered the market with solutions that enable automated email encryption and signing, as email remains the most common means of communication in the public and private sectors. For example, IncaMail (Swiss Post) [19], HIN Mail (Health Info Net AG) [20], and SEPPmail (SEPPmail AG) [21] offer their clients an integrated, comprehensive solution. The Federal Department of Justice and Police (FDJP) has recognized these solutions as secure delivery platforms in the context of legal proceedings. They can therefore be used under the Ordinance on Electronic Transmission in Civil and Criminal Proceedings and in Debt Enforcement and Bankruptcy Proceedings [22, 23]. Lawyers, for example, may exchange court submissions and court decisions with the courts in compliance with the law (see Chap. 37).
In Switzerland, email security is also actively researched, although mostly as part of fundamental research in cyber security (see Chap. 37). ProtonMail is another notable Swiss success story in email security: it offers end-to-end encrypted email as a hosted service [24].
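The pattern behind the phishing reports above (a message whose display name claims an authority but whose address does not belong to that authority, possibly with replies diverted elsewhere) can be checked mechanically from the message header. The following is an added example written for this chapter, not code from the NCSC or from any product cited here: it parses a raw message with Go's `net/mail` package and lists the header-level indicators that the apparent sender is not who it claims to be, including any SPF, DKIM or DMARC failure the receiving server recorded. The `TrustedDomains` table, the three sample messages and every domain in them (all under the reserved `.example` TLD) are constructed for the example.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// TrustedDomains maps an organisation name, as it might appear in a display
// name, to the domain that organisation really sends from. Constructed for
// this example; a real deployment loads the brands it protects.
var TrustedDomains = map[string]string{
	"federal police": "fedpol.example",
}

// AnalyzeSender parses one raw RFC 5322 message and returns the sender
// masquerade indicators visible in its header. These are heuristics: an empty
// result does not prove legitimacy, and mailing lists or forwarders can trip
// the Reply-To and Return-Path checks on honest mail.
func AnalyzeSender(raw string, trusted map[string]string) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return nil, fmt.Errorf("unparseable From: %w", err)
	}
	fromDomain := domainOf(from.Address)
	var findings []string

	// 1. The display name borrows an organisation's name, but the address is
	//    not in that organisation's domain (lookalike or unrelated domain).
	for org, realDomain := range trusted {
		if strings.Contains(strings.ToLower(from.Name), org) && !sameOrSub(fromDomain, realDomain) {
			findings = append(findings, fmt.Sprintf("display name claims %q but address domain is %s (expected %s)", org, fromDomain, realDomain))
		}
	}
	// 2. Replies are diverted to a domain other than the one shown.
	if rt, err := mail.ParseAddress(msg.Header.Get("Reply-To")); err == nil && domainOf(rt.Address) != fromDomain {
		findings = append(findings, "Reply-To domain "+domainOf(rt.Address)+" differs from From domain "+fromDomain)
	}
	// 3. The envelope sender (where bounces go) is in a different domain.
	if rp, err := mail.ParseAddress(msg.Header.Get("Return-Path")); err == nil && domainOf(rp.Address) != fromDomain {
		findings = append(findings, "Return-Path domain "+domainOf(rp.Address)+" differs from From domain "+fromDomain)
	}
	// 4. The receiving server recorded an SPF, DKIM or DMARC failure in
	//    Authentication-Results. Only trust this header when your own MTA
	//    added it; an attacker can forge one further out.
	ar := strings.ToLower(msg.Header.Get("Authentication-Results"))
	for _, mech := range []string{"spf", "dkim", "dmarc"} {
		if strings.Contains(ar, mech+"=fail") {
			findings = append(findings, mech+" failed for "+fromDomain)
		}
	}
	return findings, nil
}

func domainOf(addr string) string {
	return strings.ToLower(addr[strings.LastIndex(addr, "@")+1:])
}

func sameOrSub(domain, parent string) bool {
	return domain == parent || strings.HasSuffix(domain, "."+parent)
}

// Three constructed messages (not real mail). The first uses a lookalike
// domain the attacker controls, so SPF/DKIM/DMARC all pass; the second
// spoofs the real domain directly and fails authentication.
const LookalikePhish = `Return-Path: <notice@fedpol-secure.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=fedpol-secure.example; dkim=pass; dmarc=pass header.from=fedpol-secure.example
From: "Federal Police" <notice@fedpol-secure.example>
Reply-To: <case-4711@reply-drop.example>
To: victim@recipient.example
Subject: Summons: respond within 24 hours

Your account is linked to an investigation. Open the attached form.
`

const SpoofedPhish = `Return-Path: <bounce@bulk-sender.example>
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=bulk-sender.example; dkim=none; dmarc=fail header.from=fedpol.example
From: "Federal Police" <info@fedpol.example>
To: victim@recipient.example
Subject: Summons: respond within 24 hours

Your account is linked to an investigation. Open the attached form.
`

const Legitimate = `Return-Path: <info@fedpol.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=fedpol.example; dkim=pass; dmarc=pass header.from=fedpol.example
From: "Federal Police" <info@fedpol.example>
To: citizen@recipient.example
Subject: Your enquiry

Thank you for your message.
`

func main() {
	for name, raw := range map[string]string{"lookalike": LookalikePhish, "spoofed": SpoofedPhish, "legitimate": Legitimate} {
		f, err := AnalyzeSender(raw, TrustedDomains)
		fmt.Println(name, len(f), f, err)
	}
}
```

The first sample is the instructive one: every authentication result passes, because the attacker registered a lookalike domain and published SPF and DKIM records for it. SPF, DKIM and DMARC establish that a message really came from the domain in the From line, not that this domain is the one the reader believes it to be, which is why the display-name check has to run alongside them.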
3.1 Implementation possibilities: Make or Buy
Whether purchased or built, a secure email solution should include strong encryption and address network vulnerabilities. Several solutions are now established on the market, including SEPPmail [21], IncaMail [19], and HIN [20], which meet the federal government's legal requirements and can be considered easy to use [25]. These solutions can also be used to exchange messages securely with communication partners who are not themselves subscribers.
4 Conclusion
According to current trends, email security is moving towards more scalable, faster, safer, and more convenient solutions. As a result, offerings that provide end-to-end encryption and are more user-friendly are taking an increasing share of the market. Since the email system was not originally designed to be secure, considerable effort has had to be made to secure it. Nevertheless, emails may never be as secure as newly designed solutions with solid end-to-end encryption and a robust architecture (see Chap. 37).
References
[1] Die E-Mail ein Auslaufmodell? [Is email a thing of the past?] SRF News, March 2016.
[2] S. Dixon. Number of e-mail users worldwide 2017–2025. Technical report, Statista, August 2022.
[3] Scott Ruoti and Kent Seamons. Johnny's Journey Toward Usable Secure Email. IEEE Security & Privacy, 17(6):72–76, November 2019.
[4] Proofpoint. 2022 State of the Phish. Technical report, 2022.
[5] NIST Computer Security Resource Center, Information Technology Laboratory. Phishing. https://csrc.nist.gov/glossary/term/phishing, August 2022.
[6] Gretel Egan. 2022 State of the Phish Report Explores Increasingly Active Threat Landscape, Importance of People-Centric Security. https://www.proofpoint.com/us/blog/security-awareness-training/2022-state-phish-explores-increasingly-active-threat-landscape, August 2022.
[7] Adam Pilkey. Phishing is here to stay. F-Secure, https://blog.f-secure.com/phishing-is-here-to-stay/, August 2022.
[8] NIST Computer Security Resource Center (CSRC). Transport Layer Security (TLS). https://csrc.nist.gov/glossary/term/transport_layer_security, August 2022.
[9] OpenPGP.
[10] International Electrotechnical Commission. Pretty Good Privacy (PGP). https://std.iec.ch/terms/terms.nsf/3385f156e728849bc1256e8c00278ad2/39b4bbf83979035ac12574ab003677a1?OpenDocument, August 2022.
[11] Internet Engineering Task Force (IETF). Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Message Specification. RFC 5751, https://datatracker.ietf.org/doc/html/rfc5751, January 2010.
[12] Geoff Duncan. Here's why your email is insecure and likely to stay that way. Digital Trends, https://www.digitaltrends.com/computing/can-email-ever-be-secure/, August 2013.
[13] Global e-mail encryption market 2015–2020. Statista, https://www.statista.com/statistics/535009/worldwide-email-encryption-market-revenue/.
[14] Raktim Dey, Sandip Roy, Rajesh Bose, and Debabrata Sarddar. Assessing Commercial Viability of Migrating On-Premise Mailing Infrastructure to Cloud. International Journal of Grid and Distributed Computing, 14:1–10, March 2021.
[15] Justina Alexandra Sava. Cloud-based email security market size worldwide in 2020 and 2026. Technical report, Statista, July 2022.
[16] Jonathan Weinberg. The rise of phishing as a service (PhaaS) and how to tackle it. https://www.itpro.co.uk/security/cyber-security/368284/what-is-phishing-as-a-service-phaas, June 2022.
[17] MIT Technology Review. Preparing for AI-enabled cyberattacks. https://www.technologyreview.com/2021/04/08/1021696/preparing-for-ai-enabled-cyberattacks/.
[18] Nationales Zentrum für Cybersicherheit (NCSC). Halbjahresbericht 2021/II (Juli – Dezember) [Semi-annual report 2021/II (July – December)]. Technical report.
[19] Die Schweizerische Post (Swiss Post). IncaMail – sending sensitive information. https://www.post.ch/en/business-solutions/e-mail-encryption, August 2022.
[20] Health Info Net AG (HIN). HIN Mail: So versenden Sie sichere E-Mails [HIN Mail: how to send secure emails]. https://www.hin.ch/services/hin-mail/, April 2020.
[21] SEPPmail AG. SEPPmail – Secure E-Mail Communication. https://www.seppmail.com/, August 2022.
[22] Philipp Bachmann. Sichere E-Mail-Kommunikation im E-Government [Secure email communication in e-government]. October 2021.
[23] Verordnung über die elektronische Übermittlung im Rahmen von Zivil- und Strafprozessen sowie von Schuldbetreibungs- und Konkursverfahren [Ordinance on Electronic Transmission in Civil and Criminal Proceedings and in Debt Enforcement and Bankruptcy Proceedings]. https://www.fedlex.admin.ch/eli/cc/2010/413/de, January 2011.
[24] Kumkum Saxena, Dev Rajdev, Divesh Bhatia, and Manav Bahl. ProtonMail: Advance Encryption and Security. In 2021 International Conference on Communication Information and Computing Technology (ICCICT), pages 1–6, June 2021.
[25] Stefan Klein. SEPPmail – Nummer 1 für die sichere E-Mail-Kommunikation [SEPPmail – number 1 for secure email communication]. Computerworld, September 2021.
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2023 The Author(s)
Nunes, E. (2023). Email Security. In: Mulder, V., Mermoud, A., Lenders, V., Tellenbach, B. (eds) Trends in Data Protection and Encryption Technologies . Springer, Cham. https://doi.org/10.1007/978-3-031-33386-6_36
DOI: https://doi.org/10.1007/978-3-031-33386-6_36
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-33385-9
Online ISBN: 978-3-031-33386-6