Why are secure message links sent via email secure?

    If you have received an email with a link to access secure files and are wondering:

    • How does using the link protect your data (even though no password is asked)?
    • Why is inserting sensitive data as a link more secure than an email attachment?

    NOTE: The information below applies only when the link you received starts with https://www.encyro.com (the actual link opened by the browser, not just the displayed link).

    The sender has used email encryption provided by Encyro to protect your data. The purpose of encryption is to protect your data in case of a data breach (data theft). This kind of protection is often used, and may even be required by law, for Data Loss Prevention (DLP). For example, if servers, hard disks, or other computing devices are stolen, the data should remain protected.

    The Encyro secure link inserted into the email message provides data security in multiple ways:

    1. The link provided to access your secure message expires after 4 days (or the number of days set by the sender). This means that if your email data is stolen (e.g. if a server, computer, or mobile device storing your emails is stolen), most such links would have expired by then. Only very recent messages, if any, will be vulnerable.
      • Even for those unexpired messages, the secure message content and files are not included in the email data. So automated software tools that data thieves use to extract sensitive data such as SSNs or financial account details from the stolen email data are unlikely to find it.
      • Each link only gives access to one message and not all messages received by that client. This greatly limits the amount of data leaked.
      • The vulnerable messages may also expire by the time the stolen data is sold on the dark web and exploited.
    2. The sensitive data is not synchronized to every device that email is synchronized to. The email content itself may be stored on the sender’s and recipients’ computers, phones, and all other devices where they check email. However, the sensitive data will only get downloaded on the device where the user explicitly clicks the link. This greatly limits the number of vulnerable devices.
    3. The data, when inserted into the email via an Encyro link, remains encrypted both during transfer over networks and when stored on servers. It is not transmitted through the email system. Email content is not guaranteed to be encrypted over the network because email servers only use encryption (usually TLS-based) on a best-effort basis, meaning that encryption is used only when both the sending and receiving email servers have compatible configurations. Otherwise, they fall back to non-encrypted transmission. Also, email servers may not always encrypt the data in their storage.

    Encryption does not protect against email account hacking. If someone can log in to your email account, they can go to your bank’s website (or any other website where you have an account), click on “forgot password,” and get a link to reset the password. Then they can log in to practically any of your accounts. So it is important to have a secure password for your email account, and ideally, also enable 2FA.

    Encryption is intended for DLP. Protection against data theft using encryption is recognized by many data privacy laws. For instance, laws related to data theft reporting in most countries do not require the theft of encrypted data to be reported.

    Do I need encryption if I already have a strong password and 2FA?

    Your email account password and 2FA do NOT protect against data theft. If the thief connects the stolen hard disk to their own computer, no account password or 2FA will prevent the thief from reading your data. That is why encryption (such as provided by Encyro) is needed.

    Use the following checks:

    • The link should start with https://www.encyro.com and that same address should show in the browser address bar when you click or visit the link (it is not enough to check just the link displayed in the email). This means the webpage that opens is actually hosted by Encyro and not someone else.
    • Encyro will not ask for personal information. If any information is asked for verification, it will be limited to secret codes sent to you by Encyro (and not your SSN, date of birth, etc.). Sometimes, you may be asked to enter a part of your email address or phone number but not the full address or phone number (this is to check your input against the data we already have, not to ask for new data).
    • When in doubt, contact the sender of the message (preferably using means other than email) to check if they indeed sent you a secure message or files via Encyro. If they have not, please forward the message you received to info@encyro.com to let us know.
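
The first check above, written as an added example (not Encyro's code) for anyone who wants to automate it on an HTML email body. It compares the actual link target with the displayed text, and it parses the host instead of testing the string prefix, because an address such as `https://www.encyro.com.files.example/` also starts with `https://www.encyro.com`. The function names, the sample message and the `.example` hosts are assumptions made for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_HOST = "www.encyro.com"  # host named in the article

def is_encyro_link(url):
    """True only for an HTTPS URL whose parsed host is exactly TRUSTED_HOST."""
    try:
        parts = urlsplit(url.strip())
        return parts.scheme == "https" and parts.hostname == TRUSTED_HOST
    except ValueError:  # malformed URL
        return False

class LinkAuditor(HTMLParser):
    """Collects (displayed text, actual href) for each <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit_email_html(html):
    """Return (displayed text, href, verdict) for every link in the message."""
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    results = []
    for shown, href in auditor.links:
        ok = is_encyro_link(href)
        # "suspect": mentions Encyro, but the real target fails the check
        mentions = "encyro.com" in (shown + " " + href).lower()
        verdict = "ok" if ok else "suspect" if mentions else "other"
        results.append((shown, href, verdict))
    return results

# Constructed sample message; the paths and the .example hosts are made up.
SAMPLE_EMAIL = """<a href="https://www.encyro.com/m/PLACEHOLDER">View secure message</a>
<a href="https://www.encyro.com.files.example/m/1">https://www.encyro.com/m/1</a>
<a href="http://www.encyro.com/m/2">Open files</a>
<a href="https://mail.example/unsubscribe">Unsubscribe</a>"""
```

Running `audit_email_html(SAMPLE_EMAIL)` marks the first link `ok`, the lookalike host and the plain-HTTP link `suspect`, and the unrelated link `other`.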
