16.CyberSecurity: Maximise the security of Emails

How to maximise security when sending emails. Both sender and recipient should use a Proton Mail account, so that mail between them is end-to-end encrypted.

Connect to Proton Mail via the Tor Browser. Tor hides your IP address from Proton, and hides from whoever runs the network that you are using Proton at all; if both parties have Proton Mail accounts the message body is end-to-end encrypted, so a snooper on the network cannot read it or see who you are communicating with. (Proton itself still sees which account mailed which, and the subject line, so this hides the correspondence from the network, not from the provider.) Use free Wi-Fi at a location not covered by security cameras, and a different location each time. A snooper on the Wi-Fi can tell you are using Tor, but that is all. Encourage everyone to use the Tor Browser so that Tor users don't stand out.

But suppose an insider knows that you use Proton Mail accounts and wants to send an email that diverts a payment to their own account. They could set up a very similar email address. Suppose the managing director uses the address MDsecurecompany@protonmail.com; the attacker could create the address ΜDzecurecompany@protonmail.com (the first character is a Greek capital Mu that renders like a Latin M, and a z replaces the s), copy the MD's signature block so that the email layout looks the same, and send a message to the finance director asking for a payment to be made to a new account. Nothing in the encryption between the two Proton accounts stops this: the attacker's account is a genuine Proton account, so the message is delivered and decrypts normally.
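As an added example (not code from the original page), here is a check in Go that a mail client or gateway could run on the From: address before a payment instruction is acted on. The pinned address list, the two-edit threshold, the case-insensitive comparison and the sample addresses are all assumptions made for the example; it flags any character outside ASCII (a likely homoglyph) and any address within two edits of a pinned one, which catches both the Greek-Mu trick above and plain ASCII look-alikes such as a swapped letter in the domain.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Pinned sender directory: addresses the finance director has verified out of
// band. Constructed for this example; in practice it lives in the mail client
// or gateway configuration.
var trustedSenders = []string{
	"MDsecurecompany@protonmail.com",
}

// Verdict is what the check reports for one From: address.
type Verdict struct {
	Trusted   bool   // exact match with a pinned address
	NonASCII  bool   // contains a character outside ASCII (possible homoglyph)
	Lookalike string // first pinned address within two edits, else ""
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// levenshtein is the edit distance between a and b, counted in runes so that a
// single substituted Unicode character costs one edit like any other.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev, cur := make([]int, len(rb)+1), make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// checkSender classifies addr against the pinned directory. The two-edit
// threshold and the case-insensitive comparison are assumptions for the
// example (most providers treat the local part case-insensitively).
func checkSender(addr string) Verdict {
	var v Verdict
	for _, t := range trustedSenders {
		if addr == t {
			v.Trusted = true
			return v
		}
	}
	for _, r := range addr {
		if r > unicode.MaxASCII {
			v.NonASCII = true
			break
		}
	}
	for _, t := range trustedSenders {
		if levenshtein(strings.ToLower(addr), strings.ToLower(t)) <= 2 {
			v.Lookalike = t
			break
		}
	}
	return v
}

func main() {
	// Constructed sample addresses: the pinned one, the homoglyph from the text, an unrelated one.
	for _, from := range []string{
		"MDsecurecompany@protonmail.com",
		"\u039cDzecurecompany@protonmail.com", // Greek capital Mu, then "z" for "s"
		"ops@example.com",
	} {
		fmt.Printf("%-34s %+v\n", from, checkSender(from))
	}
}
```

A verdict of Trusted is only the first gate: it says the address is the one on file, not that the person behind it wrote the message, which is what the signature check later on the page is for.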

Even with an encrypted email system, the only effective way of confirming that a message comes from the person it claims to come from is a digital signature made with a public/private key pair. Each user keeps their private key secure and private at all times. The public keys can be placed on the company website or on an internal company site, but a public key fetched from a website must itself be verified before it is trusted: compare its fingerprint with the owner over a separate channel (in person or by phone), since an attacker who can register a look-alike address can also publish a look-alike key.

Send the secret content as an attached file, prepared in two steps:

If you want the recipient to be able to confirm who the sender is, the sender signs the content with their private key. (This is sometimes described as "encrypting with the private key"; what it produces is a signature that anyone holding the sender's public key can verify, and that nobody without the private key can forge.)

If the content should only be readable by the recipient, the sender then encrypts the signed content with the recipient's public key. Only the recipient's private key can decrypt it, and this order (sign, then encrypt) means the signature travels inside the encrypted file and is checked after decryption.

Now when the attacker emails the finance director asking for a payment to be diverted, even though the message appears to come from the managing director, the finance director should reject it unless the instruction is inside the attached file, the file decrypts with the finance director's own private key, and the signature on the content verifies with the managing director's public key as previously verified. The attacker can obtain the finance director's public key (it is public) and encrypt to it, but cannot produce a signature that verifies under the MD's key, so the forged instruction fails this check. A signed instruction should also carry a date or reference so that a genuine one cannot be captured and re-sent later.
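The whole sign-then-encrypt exchange, as an added example that is not code from the original page. It uses Go's standard library (Ed25519 signatures, X25519 key agreement, AES-GCM) as a stand-in for the PGP keys Proton Mail uses; the key layout, the blob format, the SHA-256 key derivation and the message text are assumptions for the example. Open is the finance director's check from the paragraph above: decrypt with their own key, then verify against the MD's pinned public key. The attacker can encrypt to the finance director just as well as the MD can, since that key is public; what they cannot do is sign as the MD.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Identity holds one user's long-term keys: Ed25519 for signing, X25519 for receiving mail.
type Identity struct {
	SignPub  ed25519.PublicKey
	signPriv ed25519.PrivateKey // never leaves the owner
	EncPub   *ecdh.PublicKey
	encPriv  *ecdh.PrivateKey // never leaves the owner
}

// NewIdentity generates fresh keys; failure means the system RNG is broken.
func NewIdentity() *Identity {
	sp, sk, err1 := ed25519.GenerateKey(rand.Reader)
	ek, err2 := ecdh.X25519().GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	return &Identity{SignPub: sp, signPriv: sk, EncPub: ek.PublicKey(), encPriv: ek}
}

// sessionAEAD runs X25519 between priv and pub and derives an AES-256-GCM key.
// SHA-256 of the raw secret is a simplistic KDF chosen for brevity (assumption).
func sessionAEAD(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal signs msg with the sender's private key, then encrypts signature||msg to the
// recipient's public key (sign-then-encrypt). Blob layout (assumption): ephPub(32) || ciphertext.
func Seal(sender *Identity, recipientPub *ecdh.PublicKey, msg []byte) ([]byte, error) {
	sig := ed25519.Sign(sender.signPriv, msg)
	payload := append(append(make([]byte, 0, len(sig)+len(msg)), sig...), msg...)
	eph, err := ecdh.X25519().GenerateKey(rand.Reader) // fresh key pair per message
	if err != nil {
		return nil, err
	}
	gcm, err := sessionAEAD(eph, recipientPub)
	if err != nil {
		return nil, err
	}
	// The derived key is used exactly once, so an all-zero nonce is safe here.
	nonce := make([]byte, gcm.NonceSize())
	return gcm.Seal(eph.PublicKey().Bytes(), nonce, payload, nil), nil
}

// Open is the finance director's check: decrypt with their own private key, then verify the
// inner signature with the MD's pinned public key (fingerprint-checked beforehand). Any failure rejects.
func Open(recipient *Identity, senderSignPub ed25519.PublicKey, blob []byte) ([]byte, error) {
	if len(blob) < 32 {
		return nil, errors.New("blob too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(blob[:32])
	if err != nil {
		return nil, err
	}
	gcm, err := sessionAEAD(recipient.encPriv, ephPub)
	if err != nil {
		return nil, err
	}
	payload, err := gcm.Open(nil, make([]byte, gcm.NonceSize()), blob[32:], nil)
	if err != nil || len(payload) < ed25519.SignatureSize {
		return nil, errors.New("decryption failed: not addressed to this key, or tampered")
	}
	sig, msg := payload[:ed25519.SignatureSize], payload[ed25519.SignatureSize:]
	if !ed25519.Verify(senderSignPub, msg, sig) {
		return nil, errors.New("signature does not verify with the pinned MD key: reject")
	}
	return msg, nil
}

func main() {
	md, finance, attacker := NewIdentity(), NewIdentity(), NewIdentity()
	genuine, _ := Seal(md, finance.EncPub, []byte("Pay the supplier invoice to the account on file."))
	forged, _ := Seal(attacker, finance.EncPub, []byte("Pay to this new account.")) // attacker's own key
	for _, blob := range [][]byte{genuine, forged} {
		msg, err := Open(finance, md.SignPub, blob)
		fmt.Printf("accepted=%v msg=%q err=%v\n", err == nil, msg, err)
	}
}
```

The genuine blob decrypts and verifies; the forged one decrypts (it was encrypted to the finance director) but fails the signature check and is rejected. A replay of a genuine blob would still verify, which is why the instruction itself should carry a date or reference that the finance director checks.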