Email Security – the risk of typos

We all make typos – nearly everyone suffers from the effects of fingers and brains going out of sync – and it is why the most important tool in any word processing package (including blog editing tools) is the spell checker. For most document purposes this is not a big deal but when it comes to typing in an email address it can be critical.

Sadly, this is also a time where the spell checker either doesnt exist or often works against us.

Today, the BBC reported some of the findings from security researchers who had registered “typo” error domain names and checked what email was sent to them:

By creating web domains that contained commonly mistyped names, the investigators received emails that would otherwise not be delivered.

Over six months they grabbed 20GB of data made up of 120,000 wrongly sent messages.

Some of the intercepted correspondence contained user names, passwords, and details of corporate networks.

From the article, it seems that they concentrated on a common typo where people miss out one of many periods in an email address so that [email protected] is typed exampl[email protected] This is a common naming convention for multinational businesses as it saves having to register dozens of domain names and keep track of which ones are .com, which are .co.uk and which are .com.tw (etc).

A related problem is when fingers fall out of sync with the brain and letters get transposed – so [email protected] becomes [email protected] – often this can be harder to spot but it has the same effect and the email can end up in the hands of the wrong people.

Unfortunately there isn’t much you, as the owner of the domain name, can do about this. You can take the option of defensively registering every possible typo, but this is likely to be prohibitively expensive and you can never fully predict just how random people’s mistakes can be.

In this instance, the solution is pretty much in the hands of the person sending the email but even then there are only limited mitigation options.

First and foremost you should always take care when entering an email address. Type slowly and double check. Be aware that mistakes are common so look out for them.

Secondly, add contacts to your address book so your autocomplete works and takes the effort away from your typing. It is best to do this when you receive an email because then you know the address is valid.

There is a third option, if you are running the corporate email network, and that is take away the need for your employees to include the domain name in internal email. This means that if [email protected] is sending an email to [email protected] all they need to do is enter employee2 into their email program. This alone drastically reduces the amount of traffic that makes its way off  your corporate network by mistake.

Although not covered in the BBC article, there is another risk when it comes to sending email – and that is entirely down to the use of the autocomplete function so this really is an example of a technological solution that causes its own problems.

In most email packages, the autocomplete works by matching an email address after you have typed a few letters in. This means if you want to send an email to [email protected], you type in “jo” and the software pulls up the correct email address.

However, as your address book grows, this becomes more of a risk – “jo” will match “[email protected]” and “[email protected]” – and more attention is needed to ensure that you select the correct address. Again, typing in a hurry often means you select the first name that appears and press send, only to realise it is the wrong person.

Depending on the nature of your email this can be simply embarrassing or downright catastrophic.

Earlier this year, Gwent Police made the mistake of sending ten thousand CRB check results to a journalist which resulted in an ICO ruling (reported here). This incident obviously came to light because the recipients felt they were bound to report on it – anecdotal evidence indicates that this is fairly common and more recently the giant recruitment agency Hays, sent out an email with the pay rates of the contractors they had placed at the Royal Bank of Scotland and although this wasnt a DPA breach it was very damaging to the company’s reputation.

Again, this is not something you can easily rely on technology to protect against – most solutions simply add in an additional authorisation stage and very quickly users get conditioned to simply click the “accept” button rather than check.

As is so often the case, the most cost effective solution is to properly educate your staff and encourage good behaviour through good management. When staff are under pressure, over worked or un-motivated then mistakes are most likely to happen and it is always worth taking the time and effort to avoid this state.

Only you can work out what the impact to your business, or personal life, would be from sending an email to the wrong address but it should always be factored into your risk assessment processes. Start with the worst case – you send commercially sensitive email to  a competitor, for example – and then work from there.

A good rule of thumb is to never send very sensitive information (such as admin account log-ons, banking details etc) via email over the internet. If you really must then consider some form of encryption for the message contents – not just the email.

If you want to know more about the risks of email and what steps you can take to protect yourself, then get in touch with the security specialists at Halkyn Consulting today.

Halkyn Security

Halkyn Security Consultants.