Invoicing Over Email Is Risky Unless It’s Encrypted
Sending invoices through email seems like a simple task. You draw up a new email, address it, attach the invoice, and hit “send.” In a few days, hopefully, you’ll receive your payment in full. The process looks simple to end users, but it’s actually quite complex.
After hitting the “send” button, emails are routed across multiple networks and pass through mail servers, DNS servers, and routers before they reach someone’s inbox. At each point along the way, emails can be intercepted by cyber criminals looking for information they can use to commit fraud. They’ll take anything they can get, including customer support emails where customers are likely to divulge personal information.
Encryption doesn’t prevent emails from being stolen, but if stolen emails are encrypted, they can’t be read, and are worthless to cyber criminals.
Encryption is your responsibility
It’s tempting to automatically trust your email provider to make sure your emails are encrypted, but it’s not their responsibility. While popular email providers like Gmail and Microsoft do encrypt emails, the encryption only happens over their network. In other words, when you hit “send,” your email is vulnerable while it bounces around the multiple networks between your mail server and Gmail’s or Microsoft’s servers.
Regardless of how secure your email provider’s servers are, if an email leaves your computer unencrypted, it’s not secure. That’s why people seek out third-party add-ons like Virtru for end-to-end encryption that also encrypts attachments. Chances are, your invoices are sent as attachments, so even if the body of your email is encrypted by your email provider, that doesn’t do you any good.
Data breaches are rising
It’s likely that almost every business you’ve purchased from has experienced a data breach without your knowledge. Major corporations frequently experience massive data breaches, but small businesses are hit just as often. Most incidents aren’t reported unless required by law. The reason we’re hearing about more data breaches has to do with more companies reporting them, and thanks to the new GDPR regulations, those reports are going to keep coming.
Preventing a data breach is fairly straightforward: encrypt your data according to industry security standards. Those who don’t follow security policies pay the price. Still, corporations aren’t getting the message until it’s too late. Long after the infamous Target data breach, in 2014, Home Depot faced 44 civil lawsuits in the United States and Canada after a major data breach affected 56 million customers. The popular home improvement supply company failed to encrypt data in violation of the Payment Card Industry Data Security Standard.
It can happen to you
Most people think a data breach can’t happen to them, but sixty percent of businesses reported experiencing a data breach in 2013 and 2014, despite having privacy and data protection awareness programs. If you send unencrypted data across a network or store unencrypted data, it can happen to you.
You can have the best software, the greatest data security team, and the most advanced training program on the planet. If just one email with an attached invoice slips by unencrypted, you could be the next victim.
Why invoices are a prime target
Invoices don’t seem like the kind of data hackers can use to commit identity theft. Names, addresses, and phone numbers are usually public record. There’s not much hackers can do with that information, right?
According to LifeLock, someone can’t steal your identity with only your name and address. However, they can plug your name into public databases to find other pieces of information they can use to eventually get ahold of your social security number or birthdate. Identity thieves will follow a long digital trail to get enough information to open new financial accounts in your name. Invoices have the potential to contain a good portion of information they need to fill in the missing pieces. Some invoices might outright contain those missing pieces, and in the digital world, there’s no equivalent of a cross-cut shredder to destroy it.
Cyber criminals can do serious damage with the information they get from a stolen invoice. Many customer accounts can be reset by verifying your name, address, or birthdate over the phone. Having only your name and address, thieves can change your address with the official form provided by the U.S. Postal Service and reroute your mail to them. That’s often their first step in lining up a scheme to open a credit card in your name. The post office doesn’t verify your identity against a government-issued ID before accepting change of address forms.
Names and addresses aren’t the only bits of information that give cyber criminals enough data to cause damage.
What information do you include on your invoices?
In a dream world, hackers would steal invoices and pay them. In the real world, hackers steal invoices and extract personal information to build a profile of people they’re targeting for identity theft. The information you include in your invoices determines how far they can get.
What you put on your invoices matters. Putting sensitive information on your invoices puts people at risk in the case of a data breach. It also puts you at risk for lawsuits, fines, and a damaged reputation. Some businesses are more at risk than others because they’re required by law to encrypt their data.
When you’re required by law to encrypt certain data, one hijacked invoice could destroy your business. For example, say your company is required by law to follow HIPAA privacy guidelines to protect patient confidentiality. HIPAA requires patient data to be protected when transmitted electronically, and encryption is the most practical way to do that.
That means when sending an invoice via email, by law, those emails must be encrypted. It doesn’t matter if you’re emailing the invoice to the patient or their insurance company. If your invoices aren’t encrypted, and a hacker gets ahold of them, you’ll be fined based on the level of perceived negligence at the time of the violation. Fines range from $100-$50,000 per violation and max out at $1.5 million per year per violation. Each health record is considered one violation, so the fines add up fast.
Fines apply to many sub-industries inside of the healthcare spectrum including chiropractic, acupuncture, massage, and many other treatments provided by licensed medical practitioners. It’s a big deal.
Be careful with how you identify your clients on invoices
Under HIPAA, medical record numbers need to be protected. Sometimes medical record numbers are printed on invoices to help businesses identify their clients or patients. That was okay when all invoices were made of paper and could be shredded. In a digital world, it’s a better idea to create a numbering system that corresponds with their medical record number and use that instead.
Another potential issue is if you’re sending contractors invoices with their tax ID number. There’s no reason to put someone’s tax ID number on their invoices. If that person happens to be a sole proprietor, that tax ID number is their social security number – the holy grail of data to a cyber criminal.
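One way to apply the two points above (a separate numbering system in place of medical record numbers, and no tax ID numbers on invoices), as an added example that is not part of the original article. The class name, the `INV-` reference format, and the sample values are assumptions made up for illustration.

```python
import re
import secrets

# US tax identifiers as they are usually written: SSN 123-45-6789, EIN 12-3456789.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EIN_RE = re.compile(r"\b\d{2}-\d{7}\b")


class InvoiceRefRegistry:
    """Hypothetical internal table: medical record number <-> invoice reference.
    References are random, not derived from the record number, so an
    intercepted invoice reveals nothing about the record itself."""

    def __init__(self):
        self._by_mrn = {}
        self._by_ref = {}

    def ref_for(self, mrn):
        """Return the client's invoice reference, creating it on first use."""
        if mrn not in self._by_mrn:
            ref = "INV-" + secrets.token_hex(6).upper()
            while ref in self._by_ref:  # regenerate on the rare collision
                ref = "INV-" + secrets.token_hex(6).upper()
            self._by_mrn[mrn] = ref
            self._by_ref[ref] = mrn
        return self._by_mrn[mrn]

    def mrn_for(self, ref):
        """Internal reverse lookup when a payment or query comes back."""
        return self._by_ref.get(ref)

    def lint(self, text):
        """Return (line number, problem) pairs that should block sending."""
        findings = []
        for lineno, line in enumerate(text.splitlines(), start=1):
            if SSN_RE.search(line):
                findings.append((lineno, "SSN-format tax ID"))
            if EIN_RE.search(line):
                findings.append((lineno, "EIN-format tax ID"))
            if any(mrn in line for mrn in self._by_mrn):
                findings.append((lineno, "medical record number"))
        return findings


if __name__ == "__main__":
    reg = InvoiceRefRegistry()
    ref = reg.ref_for("MRN-0048213")  # constructed sample record number
    print(reg.lint("Patient MRN-0048213\nTax ID: 123-45-6789"))  # constructed
    print(reg.lint(f"Client reference: {ref}\nAmount due: $120.00"))
```

The lookup table is as sensitive as the medical record numbers it replaces, so it belongs in internal storage and never in the invoice or the email.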
Password-protected PDF files work, too
In the past, encrypting emails was a complicated process reserved for computer geeks and hobbyists. It was more common for people to send sensitive information, like bank account details, in password-protected PDF files. This method is still safe as long as you’re able to communicate the password to the recipient in some way that doesn’t involve the internet or text messaging.
Although it works, it’s a pain to turn invoices into password-protected PDF files. It might be okay if you don’t send more than a few invoices each month, but if you send out invoices on a regular basis, password-protecting PDFs will become cumbersome. Email encryption is the most efficient method.
It’s time to understand data security
This new era of data breaches changes everything. It means data security must become a priority for everyone. It means learning what data security means, and not blindly trusting software companies to provide it for you.
You can’t take reputable companies at their word when they tell you their email is “secure” because they’re using that word in a specific context that doesn’t mean what you think it means. It’s not their fault or your fault; it’s an error in communication due to a misunderstanding of what they mean by “security.” When the consumer hears that word, they think of complete and total protection. Perhaps that’s what email providers want you to think. By taking the initiative to learn more, you’ll be able to spot these inconsistencies and dig until you reach the truth.
Don’t stake your entire business on the off chance you might not be the next victim of a data breach. The odds aren’t in your favor. Do a little research to find out how encryption works so you can understand why it’s not enough to have your emails encrypted only on your email provider’s servers. When you understand encryption, you’ll know where your email provider falls short and where you need to pick up the slack.