Manage Learn to apply best practices and optimize your operations.

How secure is an email with a .pdf attachment?

Sending sensitive information in an email or as an attachment is unsafe, and depending on your organization's security policies, could land you in a lot of trouble. Michael Cobb explains why.

Is sensitive information sent as an email with a .pdf attachment safe for the sender?

First, just to be clear, you can't get infected by a virus or malware just by sending an email or an email with a .pdf attachment, but I don't think that's what you're asking here. Sending sensitive information in an email or as an attachment is unsafe, and depending on your organization's security policies, could land you in a lot of trouble. Let's have a look at why.

Sending an email is like sending a postcard: everyone or every system that handles it can see and record what you've written. This is not a problem obviously if the contents are nothing of interest or importance. It is a big problem, however, if the contents include banking details, network passwords or other types of sensitive data; defamatory remarks are a definite no-no too. If you send an email that contains data or content that your firm's acceptable usage or security policy expressly forbids to be sent via email, then you could find yourself in trouble. Most security-aware organizations will have polices and guidelines that cover the transmission of sensitive data: what data can be sent via email, what must be encrypted, etc. You should check with your IT department as to how you should send information of differing levels of sensitivity in order not to fall foul of these policies.

Merely putting sensitive information into a .pdf file instead of the body of the email won't protect it either unless you use one of Adobe's encryption options. A digital ID is required to sign documents and apply certificate security. Adobe Acrobat allows for the creation of self-signed digital IDs, which should be sufficient for many situations.

The most secure way to send messages and attachments is to encrypt them before they are sent. In addition to protecting the attachment while in transit, file encryption also provides protection to the file while it is stored on a PC, any mail servers it passes through, and finally when it arrives at the recipient's machine. Before making a .pdf available to others, consider removing content that reveals the document history or that contains personal information, such as metadata that lists your name as the author.

More resources on how to secure email attachments

Learn how to alleviate OWA email attachment security issues

Get information on how acceptable use policies can minimize email risk

Educate end users on executable email attachments

I would also recommend that you sign any important messages as well as encrypt them so people can be confident the email originated from you. If the person to whom you send an email also has a digital certificate, you can sign and encrypt the message to ensure that it cannot be altered or read by anyone other than the intended recipient. As a matter of good practice, I would always write an email like it was a postcard, not a letter, and add a salutation and data and time in the body of your emails to ensure the context of the message is clear. Your email or attachment could be intentionally or unintentionally forwarded to and viewed by many, many other people. Even if you have encrypted the contents of the email or your .pdf document properties prevent printing or copying, there is nothing to stop the recipient from photographing the contents while they're displayed on their screen.

There have been quite a few security bugs found in .pdf documents recently, so if you exchange .pdf documents, ensure your computer is kept up to date with the latest patches. Antivirus and antispyware should be installed, updated and running, and always scan emails and documents before opening them.

Next Steps

Get tips for improving enterprise email security

Take this quiz to see if you know your email security basics

Learn more about email security and compliance best practices

This was last published in February 2010

Dig Deeper on Email and Messaging Threats-Information Security Threats

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

What steps has your enterprise taken to ensure email attachment security?