My bank’s “secure” email

My partner and I are applying for a mortgage for a new home. As is normal, the rep from the bank wants our pay stubs, W2s, bank statements, etc. But he is asking us to send to his “secure” email. It just looks like a regular email address. When I said I was uncomfortable sending sensitive documents over email, he just pointed to the “[SECURE]” in the subject line, as if that could reassure me.

And even if their internal email system is secure, that doesn’t make anything between my outbox and their inbox anywhere near secure.

This guy has been with this bank (Regions) for decades and says this is how they all do it. I don’t buy it. Every other bank I’ve used employed some actually secure web portal to exchange sensitive messages and documents.

I’ll just deliver the documents in person.

As far as I’m concerned email is inherently insecure. Am I missing something?

IMO you’re right and the bank(er) is wrong. Time to change banks; they’ve demonstrated they’re too organizationally stupid to live in 2025.

I agree. I’ve never emailed these types of documents. I’ve always used a secure web portal or old-fashioned fax machine.

I email shit like that all the time. I’ve never heard of anyone’s email attachments being intercepted in the internet tubes. Human error or phishing could be a problem. But with a real recipient, I wouldn’t worry about it. The documents are probably safer in transit than they are sitting in the bank’s digital records (which they will be no matter how you get them to the bank).

You’re not missing anything. Sending anything over email is insecure, unless you go to extreme lengths to encrypt it.

The bank is incompetent.

(FWIW, PayPal just asked me to do this the other day too, and it took several days of explaining to their support that this was unacceptable before somebody finally got me a secure web portal.)

Over the years, there have been various improvements made to inter-provider email security (i.e., requiring encryption between server-to-server hops), but adoption still isn’t perfect, especially internationally.

And then once it actually gets to the destination, you have no guarantee that the mail server at the recipient’s side is set up in a secure way, especially if they self-host it instead of outsourcing it to a big provider like Google or Microsoft. There are a billion ways to fuck it up, and I definitely wouldn’t trust a bank that trains its employees to look for “[SECURE]” in a subject line to get it right…

And then once it gets from the recipient server to the actual person, well, really all bets are off. That same email with all your information could be copied to their home PC full of malware, their phones and iPads… anywhere they have email access, if it wasn’t properly enforced by their IT department. Those copies are generally unencrypted, too, and not easily traced/audited.

When you upload it to a portal, at least they had to have made a special database or document storage for it, which usually (not always) implies some level of access control on the viewer’s end too. And you have a guaranteed encrypted connection straight to the server because of HTTP, not the best-effort attempts of multiple intermediary email servers.

Maybe it’s not a major source of real-world attacks, but it’s certainly an unnecessary risk. That a bank would do this, like LSLGuy said, probably signals a weak security culture across the board. I would not do business with them.

The problem is that most people don’t hear about the thefts, the scams and the outright stealing that goes on when important documents go through unsecure channels.

If it were me, I would send an AES encrypted zip file of the documents, and give the recipient the key over the phone. But sending unencrypted sensitive documents over email is definitely unsafe. Even if the receiver calls it “secure”.

Thanks all, that’s what I strongly suspected. I did call the bank’s customer support and found they indeed do have a web portal for this purpose. I sent the link to the guy.

Okay, I’m willing to be convinced. Can someone explain to me how the data is insecure? If I’m at my home computer and send my W2 as an attachment to my bank, who is going to have an opportunity to grab it between me and the bank? And how the hell would they even know it’s in there among the billions of emails sent every day?

You don’t target everybody - you just target the email of those who send and receive sensitive email on a regular basis.

Theoretically modern servers should use encryption, but AFAIK they don’t have to. (Like the difference between HTTP and HTTPS). But, there are almost no instances I’ve ever heard of, where hackers have intercepted traffic in transit. They would either sit there collecting reams of spam, or have to have precise knowledge of the timing. Gaining access to someone’s email (either your “Sent Items” or their “Inbox”) is probably an easier trick to accomplish, either by phishing a user or a side effect of hacking into a server.

How long does this stuff sit in either box? I would hope as a matter of course, material would be deleted if it’s that sensitive. Many people have years of accumulated emails. One thing this was useful for was not so much those documents, as understanding the organization sufficiently to send targeted emails. “Our regular payments system is down, please follow these instructions to forward payment, as per your boss Bob Jones and head of accounting Linda Smith…”

This would have been my (uneducated) view. Lots of places for mischief, but finding my W2 in a sea of “1s and 0s” seems almost impossible.

It would be almost impossible if it were a person manually scrolling through the emails. But if a bad actor were able to install malware on an email server (maybe it’s his own server that somehow became one of the hops in the chain), he could have a program scan for emails that contain interesting words like “W2”, “payment details”, etc. and forward him a copy of those.

I don’t think it’s a matter of convincing you or not… it’s really just up to you whether you care. It’s a small risk, but an unnecessary one. It’s like keeping your front door unlocked… probably 99% of the time it will be fine, but that doesn’t really make it “secure”.

Email is insecure by design because it’s an old protocol, from the days before security was really a consideration on the internet. When you say you want to send an email to bob@example.com, what you’re essentially doing is dropping off a digital postcard. From there, your mail provider “picks up” your email and looks up example.com’s digital addresses and tries to deliver it to them, but there is no guarantee that the connection between your mail server and theirs is encrypted. It can and often will be, when competently managed, but it doesn’t have to be. And then once it gets to the destination server, it may go through several more hops and intermediary servers (for virus checking, backups, delivery across a company’s intranet, etc.), all of which may leave behind a copy of your email from anywhere for a few seconds to whatever a mandated retention period is — possibly years.

It’s the digital equivalent of dropping a postcard in the mail, where it gets picked up by your carrier, taken to your local sorting center, sent to some big hub for processing, forwarded to another regional hub for further sorting, then to your local post office, then to your recipient’s carrier. Before they ever see it, that postcard with all its information is visible to every person and machine scanning it along the way.

There have been numerous improvements to email security over the years, but the trouble is that they’re opt-in measures that not every email server, company, or country choose to use. Ironically you’re “safest” sending from Gmail to Gmail, where it all stays within Google’s servers. Once it goes from big provider to some small bank’s underpaid IT team, there is no real guarantee they’re doing it right.

Email is semi-secure only when every server along the way is adhering to the latest best practices and enforcing encryption and authentication requirements, but for you as the user, there is no way to tell whether this is the case. There is no “padlock icon” equivalent for email, so you can’t really tell if sending a message to bob@example.com is 100% secure, 50% secure, or totally insecure. The mail servers try their best to negotiate higher security levels on your behalf, but there’s no guarantee of it.

One way to look at it is to compare Gmail’s email transparency report from 2014 vs the current one. The email encryption rate from Gmail to other providers went from 65% in 2014 to 97% today — that is a HUGE improvement, but that remaining 3% is still there, and you as the email sender have no way to tell whether your recipient is part of the “secure” 97% or the “insecure” 3%. Also, that’s just from Gmail to other providers; the numbers will be different between other sets of providers, like if you use your local ISP’s email and send to a bank that self-hosts their own email, all bets are off.

By contrast, an HTTPS website mutually authenticates you against a single destination server and ensures encryption every step of the way. Nobody but that server can see it, even if they intercept it.

And then there’s still the question of “what happens once it gets there” (by either email or a web upload). Email systems are rarely properly access-enforced, and things like self-destructing emails are not part of the standard. So even if the mail servers all followed the best practices, once it gets to the recipient, they may have three copies of it across their computers, can forward it to other people, etc.

When you upload to a web form, that means that some developer at least had to spend time making a secure upload form for you. While this doesn’t necessarily mean that they have better controls at the receiving end for who can access that secure document (and for how long, and what they can do with it), it at least makes it possible — which isn’t the case with email.

And that’s just the technical layers. It doesn’t even get into all the “user error” email problems, like spoofed or lookalike addresses, different reply-tos, phishing, etc., that just social engineer their way around the technical protections.

Assuming an attacker had access to one of the intermediary email servers, they don’t need to manually look through it. Programs could scan thousands of PDFs or texts in seconds and look for anything of value that looks like an SSN or bank account number, or that resembles the W2 form, etc.

Again, this isn’t a major real-world source of leaks (as far as I know), but it is a design flaw in the email system that the providers have been trying to band-aid ever since.

There is no way to make it truly secure without breaking delivery to some email recipients, which is the major block against truly secure email.

Google was able to make HTTPS across the web normal/required because they controlled over half the internet (browsers), and the other major browsers were willing to play along.

Google is able to make Gmail to Gmail messages very secure because they control all of it.

Google, or any email provider, cannot make all of email secure because there are a million different email servers across the world each running different server and software and governed by different countries’ laws and different organizations’ setups and retention requirements, not to mention their level of competence. Certain combinations will be more secure than others, but there is no way to tell which is which beforehand.

If you want to roll your own encrypted email, it is possible through things like PGP, but both you and your recipient have to agree to this (and understand how to use it) to make it possible. Some services like ProtonMail make that process simpler, but again, it’s mutually opt-in, not secure by design/by default.
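Added example (not part of any post in this thread): the posts above describe per-hop, best-effort encryption with no “padlock icon” for the sender. A recipient or mail admin can at least audit a delivered message after the fact, because each receiving server records the protocol it accepted the message over in its Received header, and RFC 3848 reserves ESMTPS/ESMTPSA for TLS sessions. The message below is constructed, and all hostnames and addresses are reserved example values.

```python
import email
import re

# "with" keywords that mean the hop was received over TLS
# (RFC 3848: ESMTPS, ESMTPSA, LMTPS, LMTPSA; RFC 6531: UTF8 variants).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed sample message; hostnames use reserved example domains.
SAMPLE = """\
Received: from gw.bank.example (gw.bank.example [192.0.2.30])
\tby mbox.bank.example with ESMTP id c3; Mon, 6 Jan 2025 10:00:05 -0600
Received: from out.isp.example (out.isp.example [192.0.2.20])
\tby gw.bank.example with ESMTPS id b2; Mon, 6 Jan 2025 10:00:03 -0600
Received: from [198.51.100.7] (home.isp.example [198.51.100.7])
\tby out.isp.example with ESMTPSA id a1; Mon, 6 Jan 2025 10:00:01 -0600
From: customer@isp.example
To: loan.officer@bank.example
Subject: [SECURE] pay stubs

(body)
"""

HOP = re.compile(r"\bby\s+(\S+).*?\bwith\s+(\S+)", re.I | re.S)

def audit_hops(raw_message):
    """Return [(receiving_host, protocol, used_tls)] in travel order."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each server prepends its header, so reverse to get the oldest hop first.
    for header in reversed(msg.get_all("Received", [])):
        m = HOP.search(header)
        if not m:
            hops.append(("?", "?", False))  # unparseable: TLS not proven
            continue
        proto = m.group(2).upper()
        hops.append((m.group(1), proto, proto in TLS_PROTOCOLS))
    return hops

def all_hops_encrypted(raw_message):
    hops = audit_hops(raw_message)
    return bool(hops) and all(tls for _, _, tls in hops)

if __name__ == "__main__":
    for host, proto, tls in audit_hops(SAMPLE):
        print(f"{host:20} {proto:8} {'TLS' if tls else 'NO TLS RECORDED'}")
    print("every hop encrypted:", all_hops_encrypted(SAMPLE))
```

In the sample, the “[SECURE]” subject changes nothing: the last internal hop inside the bank is recorded as plain ESMTP. Received headers are self-reported by each server and exist only after delivery, so this is an audit aid for the receiving side, not something the sender can check before hitting send.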

I believe that if they have email encryption, like Mimecast, that is how the email appears to you & if you reply to it, it is being encrypted & you see exactly what was described by the OP.

OTOH, one could manually type those letters in the subject & not use an encrypted email program.

No, Mimecast just points you to a secure portal too, like any competent bank would: What Is Email Encryption & How to Use It | Mimecast

Mimecast Secure Messaging protects sensitive data by making it easy for users to send and receive secure messages, and enabling policy-initiated secure messages at the email encryption gateway for an added layer of security.

Here’s how it works:

  • When employees need to send an encrypted email, they simply create a new email in Outlook and select a Send Secure checkbox on the Mimecast for Outlook tab. Secure messaging can also be automatically triggered when email content or attachments meet certain policy criteria.
  • Once the user presses send, the email and attachments are securely uploaded to an email server on the Mimecast cloud, scanned for malware, checked against email privacy, content and data leak prevention (DLP) policies, and then stored in a secure AES-encrypted archive.
  • A notification message is sent to the recipient of the email, directing the recipient to log into the Secure Messaging portal where they can read and reply to secure messages and compose a new message to the original sender.

If you’re just hitting Reply to an email, that completely bypasses the secure portal and you’re just sending it as a regular email. Nothing secure about it.

And knowing is half the battle. Yo, Joe!

Yeah. I work for a government agency, and we have secure email as an option. Here is how it works. (In broad terms, I’m not going to get into specifics of course.)

We can send an email to someone and put [Secure] in the subject, and that automatically triggers it to be sent as a secure email, which fits with what the banker in the OP is describing.

But it doesn’t just reach the end user as a regular email with [Secure] in the subject like some magic talisman warding off evil hackers. What the end user will receive is a notification that a secure email is waiting for them in a web portal (just as you describe). When you follow the link, you are asked to either log in with credentials or create new credentials to access your mail. You can then enter a secure mailbox to retrieve your mail, and/or send a secure email back to the government employee. The government employee who receives a secure email from that portal will just see it as a normal email with [Secure] in the title and doesn’t need to jump through all of those hoops, because their email server is part of the same system as the one the web portal uses; they’re on the “inside” already unlike the customer.

I almost wonder if the banker in the OP has used secure email at a different organization that worked as I described (just put [Secure] in the subject to secure it) and just assumed this new organization works the same way, when it doesn’t. Because again, he wouldn’t see anything special on his end either way. @drewbert is right to be skeptical, because it certainly sounds like no secure email is being sent or received here.

Just go to the bank and exchange your PGP public key with the banker, then you can exchange secure emails as much as you want!

If it were me, I’d grumble and send sensitive stuff over email, but I would not send things that have a risk of identity theft. A credit card statement (without a cleartext number), medical records, or a W-2 with nothing more identifying than my name and address are probably fine over email. A sophisticated hacking ring scanning all packets puts together a PDF and finds out how much is withheld from my paycheck is just not scaring me.

However, I would definitely not send a mortgage application through email. That contains all of the information someone would need to apply for a loan in my name. The chances of it being intercepted are extremely low, but far enough from zero that I wouldn’t do it. And as said, it’s not even so much the chance of interception as much as the clear lack of security planning on the part of the recipient.

15 or so years ago when things were a bit less sophisticated, I set up my own secure web portal to pass things to my mortgage brokers. They were fine using a password I gave them to download stuff.