E-mail information security

Using e-mail involves certain challenges. Here are a few tips and tricks for using e-mail safely and encrypting confidential messages.

A large share of e-mail is spam, such as mass marketing messages. In addition to viruses, spam may include contents that are not suitable for children. E-mail can also be used for anonymous bullying or harassment.

Safe use of e-mail

  • If the subject of the e-mail seems suspicious, do not open the message. E-mail messages from people you know may also contain viruses.
  • Be suspicious of messages that are written in a language the sender would not normally use. If necessary, check the origin of the message from its sender.
  • Do not open suspicious e-mail attachments. The file name extensions .COM, .EXE, .SHS, .PIF and .VBS are particularly common to malware spread through e-mail. File names may also have two extensions, such as picture.jpg.VBS or text.rtf.EXE.
  • Make sure your e-mail program shows file name extensions, because otherwise you will only see the harmless-looking file names "picture.jpg" and "text.rtf".
  • If your e-mail program has a preview functionality, configure its security settings so that the preview will not display links to external pictures.
  • Avoid messages that contain HTML or rich text. The recipient may be unable to view them correctly and your message may not be conveyed as intended.
  • Set your e-mail program to use plain text.
  • When you reply to an e-mail message, only copy the necessary parts of the original message.

Use a secure connection

Use a secure connection in your e-mail program in accordance with your service provider's instructions. Configuring the e-mail program to use a secure connection requires you to change its connection settings. The secure connection protects the traffic between your computer and the mail server from eavesdropping.

Encrypt confidential messages

E-mail messages that contain confidential information should be encrypted when necessary.

You can encrypt an e-mail message using a separate encryption method. You and the recipient have to agree on the encryption method. In most cases, the recipient has to use the same encryption program for decrypting the message or know the encryption password.

There is a range of commercial software for encrypting a message, such as PGP (Pretty Good Privacy). You can also send your message as a password-protected attachment. The recipient's e-mail address cannot be encrypted because it is used for transmitting the message to the recipient.

Digital signature

With digital signatures we can ensure that a message remains unchanged and verify the identity of the signatory. The sender of a message signs the message with a private key, and the recipient can verify the sender's identity with the sender's public key.

There are several commercial software solutions for signing e-mail messages. One of the most commonly used programs is PGP (Pretty Good Privacy), which is based on public-key cryptography.

PGP does not guarantee a connection between a sender and the sender's public key. Therefore, it is possible that the public key available to the recipient does not belong to the sender but to a third party. One solution to this problem lies in the identity certificates used in public-key infrastructures (PKI). The certificates reliably bind public keys to user identities.
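The sign-and-verify flow described above, as an added example that is not part of the original page: Ed25519 from the Go standard library stands in for the public-key algorithm inside PGP, and the names (Alice, Mallory, the invoice text) are constructed. It shows that a signature made with the sender's private key verifies with the sender's public key, fails if the message body is altered, and fails under a third party's key, which is why the recipient must know which public key really belongs to the sender.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Keypair holds one party's signing keys. Ed25519 is used here only as a
// stand-in for the public-key algorithm inside PGP; the flow is the same.
type Keypair struct {
	Public  ed25519.PublicKey
	Private ed25519.PrivateKey
}

// NewKeypair generates a fresh key pair for a sender.
func NewKeypair() (Keypair, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Keypair{}, err
	}
	return Keypair{Public: pub, Private: priv}, nil
}

// SignMessage produces a detached signature over the message body with the
// sender's private key.
func SignMessage(kp Keypair, body []byte) []byte {
	return ed25519.Sign(kp.Private, body)
}

// VerifyMessage checks the signature with the public key the recipient
// believes belongs to the sender. It returns true only if the body is
// unchanged and was signed by the matching private key. Length checks are
// needed because ed25519.Verify panics on a malformed key.
func VerifyMessage(pub ed25519.PublicKey, body, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, body, sig)
}

func main() {
	alice, _ := NewKeypair()
	mallory, _ := NewKeypair() // a third party whose key the recipient wrongly holds as Alice's
	body := []byte("Please pay invoice 1234 to account FI00 0000 0000 0000 00") // constructed sample
	sig := SignMessage(alice, body)
	fmt.Println("original body, Alice's key:", VerifyMessage(alice.Public, body, sig)) // true
	tampered := []byte("Please pay invoice 1234 to account FI99 9999 9999 9999 99")
	fmt.Println("tampered body, Alice's key:", VerifyMessage(alice.Public, tampered, sig)) // false
	fmt.Println("original body, Mallory's key:", VerifyMessage(mallory.Public, body, sig)) // false
}
```

The last check only helps if the recipient can tell Alice's key from Mallory's; that binding of key to identity is what the certificates in a PKI provide.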

Protection against phishing attacks

Phishing means an attempt to illegally acquire information that can be exploited for financial gain. Such information includes, for example, online bank log-in details, credit card numbers and personal details. Typically, a user receives an e-mail luring him or her to a website asking for personal information. Phishing e-mails are often made to look like customer service messages from financial institutions or other organisations.

A website may look like the website of a financial institution, but may in reality be a fake website that gives criminals access to all the information entered on the site.

Keep in mind the following:

  • Financial institutions never send their customers e-mail requesting bank identifiers, credit card numbers or other confidential information.
  • Do not trust the contents of the "From" field of an e-mail message. The sender's address in the field can easily be forged to look like, for example, customerservice@yourbank.fi.
  • Never assume that a link in an HTML message or on a website leads to the website shown in the link text.

Key words: Information security, Internet, Data protection, Encryption

Updated 09.11.2017

The Finnish Communications Regulatory Authority (FICORA)

The National Cyber Security Centre Finland (NCSC-FI)

P.O. Box 313, FI-00561 HELSINKI

Dynamicum, Erik Palménin aukio 1, 00560 HELSINKI

Media contacts by telephone +358 295 390 248