Ask the Expert

How secure is an email with a .pdf attachment?

Is sensitive information sent as an email with a .pdf attachment safe for the sender?


First, just to be clear, you can't get infected by a virus or malware just by sending an email or an email with a .pdf attachment, but I don't think that's what you're asking here. Sending sensitive information in an email or as an attachment is unsafe, and depending on your organization's security policies, could land you in a lot of trouble. Let's have a look at why.

Sending an email is like sending a postcard: everyone or every system that handles it can see and record what you've written. This is obviously not a problem if the contents are nothing of interest or importance. It is a big problem, however, if the contents include banking details, network passwords or other types of sensitive data; defamatory remarks are a definite no-no too. If you send an email that contains data or content that your firm's acceptable usage or security policy expressly forbids to be sent via email, then you could find yourself in trouble. Most security-aware organizations will have policies and guidelines that cover the transmission of sensitive data: what data can be sent via email, what must be encrypted, etc. You should check with your IT department as to how you should send information of differing levels of sensitivity in order not to fall foul of these policies.

Merely putting sensitive information into a .pdf file instead of the body of the email won't protect it either unless you use one of Adobe's encryption options. A digital ID is required to sign documents and apply certificate security. Adobe Acrobat allows for the creation of self-signed digital IDs, which should be sufficient for many situations.

The most secure way to send messages and attachments is to encrypt them before they are sent. In addition to protecting the attachment while in transit, file encryption also provides protection to the file while it is stored on a PC, any mail servers it passes through, and finally when it arrives at the recipient's machine. Before making a .pdf available to others, consider removing content that reveals the document history or that contains personal information, such as metadata that lists your name as the author.
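The two checks in the paragraphs above (is the .pdf actually encrypted, and does its metadata still name the author?) can be run before a file is attached. The following is an added example, not part of the original article; the function names and the sample bytes are constructed for illustration, and the scan is a heuristic over raw bytes that does not look inside compressed object streams or XMP metadata.

```python
import re
import sys

# Info-dictionary keys that commonly identify the author or the authoring tool.
_FIELD = re.compile(
    rb"/(Author|Creator|Producer|Title|Subject|Keywords)\s*"
    rb"(\((?:\\.|[^\\()])*\)|<[0-9A-Fa-f\s]*>)", re.S)
# The trailer points at an encryption dictionary when the file is encrypted.
_ENCRYPT = re.compile(rb"/Encrypt\s*(?:\d+\s+\d+\s+R|<<)")

# Constructed sample fragments (not real documents).
SAMPLE_PLAIN = (b"%PDF-1.4\n1 0 obj\n<< /Author (J. Smith \\(Finance\\)) "
                b"/Producer <FEFF0041007000700058> /Title (Q3 payroll) >>\n"
                b"endobj\ntrailer\n<< /Root 2 0 R /Info 1 0 R >>\n%%EOF\n")
SAMPLE_ENC = b"%PDF-1.4\ntrailer\n<< /Root 2 0 R /Encrypt 5 0 R >>\n%%EOF\n"

def _decode(token: bytes) -> str:
    """Decode a PDF literal string (...) or hex string <...> to text."""
    if token.startswith(b"("):
        # Only escaped parentheses and backslashes are unescaped here.
        raw = re.sub(rb"\\([()\\])", rb"\1", token[1:-1])
    else:
        digits = re.sub(rb"\s", b"", token[1:-1]).decode("ascii")
        raw = bytes.fromhex(digits + "0" * (len(digits) % 2))
    if raw.startswith(b"\xfe\xff"):  # UTF-16BE byte order mark
        return raw[2:].decode("utf-16-be", "replace")
    return raw.decode("latin-1")

def audit_pdf(data: bytes) -> dict:
    """Report whether the file is encrypted and which metadata is readable."""
    found = {m.group(1).decode(): _decode(m.group(2))
             for m in _FIELD.finditer(data)}
    return {"encrypted": bool(_ENCRYPT.search(data)), "metadata": found}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blobs = {sys.argv[1]: fh.read()}
    else:
        blobs = {"plain sample": SAMPLE_PLAIN, "encrypted sample": SAMPLE_ENC}
    for name, blob in blobs.items():
        report = audit_pdf(blob)
        print(name, "- encrypted:", report["encrypted"])
        for key, value in report["metadata"].items():
            print(f"  readable {key}: {value}")
```

A file that reports `encrypted: False`, or that lists a readable Author or Producer, should be encrypted or cleaned in the authoring tool before it is sent.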

I would also recommend that you sign any important messages as well as encrypt them so people can be confident the email originated from you. If the person to whom you send an email also has a digital certificate, you can sign and encrypt the message to ensure that it cannot be altered or read by anyone other than the intended recipient. As a matter of good practice, I would always write an email as if it were a postcard, not a letter, and add a salutation and the date and time in the body of your emails to ensure the context of the message is clear. Your email or attachment could be intentionally or unintentionally forwarded to and viewed by many, many other people. Even if you have encrypted the contents of the email or your .pdf document properties prevent printing or copying, there is nothing to stop the recipient from photographing the contents while they're displayed on their screen.

There have been quite a few security bugs found in .pdf documents recently, so if you exchange .pdf documents, ensure your computer is kept up to date with the latest patches. Antivirus and antispyware should be installed, updated and running, and always scan emails and documents before opening them.

This was first published in February 2010
