Institute of Certified Bookkeepers

How Secure is Your Email?

Did you know…?

  • Some email accounts (typically free accounts or those provided as part of a wider service, like Gmail, Hotmail, or even Bigpond, Optus, etc.) are routinely and systematically scrutinised and analysed for what you are doing, what you are sending and to whom.
  • Email bounces via a number of servers and through various services between leaving you and reaching the recipient. This creates numerous points of vulnerability.
    • Points of weakness are the sender’s device, the network (i.e., the internet provider), the servers and the recipient’s device.
  • Not all email clients are equal. Some are more secure than others.
  • Webmail is the least secure, but you can take precautions like using strong passwords, enabling two-factor authentication and enabling notifications for new sign-in locations or devices.

Important Security Issues

  • You should never have a Tax File Number (TFN) written in the body of an email
  • You should never have a TFN written in an attachment within an email unless it is encrypted (password protected)
  • If you are using a webmail-based email address, look at upgrading and getting your own domain name with a secure provider. It is more professional and costs very little to activate an email address. You don’t need an active website in order to have your own email address. At the very least, make sure you have enabled the highest possible security available for that service.
  • Consider using encryption software for sensitive documents or information being sent by email

In effect, there is no security for identity-sensitive information like a TFN in an email: anyone with access to your devices or the recipient’s devices, to the email servers, or who intercepts the email could obtain the TFN that you have sent.

This opens up a can of worms for sending Income Tax Returns by email (they contain the TFN), and for sending the end of year payment summaries directly from the software.

It is not limited to TFNs. Sending any information that could be used to compromise someone’s identity, including credit card details, bank account details and other private information, is questionable.

Current Developments

  1. Client Portals
  2. Employee Portals
  3. Password protected PDFs and other documents
  4. Secure and authenticated digital signature software
  5. Document exchange hubs or services

Bookkeeper Obligations

As professionals, you should obtain authority from the business owner and/or the relevant individual before emailing content that may contain any sensitive information.

It is also essential to verify a person’s email address rather than assume that it goes only to that person. Although it may be personally named, is it in fact accessed by a number of staff members? Ensure the individual has certified that they are happy to receive information at a specified email address.

It is a requirement of tax law that you obtain employee consent before emailing them their payment summary. Emailing payment summaries is, in our view, more efficient than hard mail; however, employee portals are more secure again. Software delivering this level of security is improving.

Although email is far more efficient than hard mail, it is easier to hack or intercept, so it is potentially a major security issue.

You must take steps to maintain not only your own security and privacy, but that of your clients.

Recommendations

  • Use a password manager application like 1Password or LastPass. This not only securely manages all your passwords but can also generate very strong passwords randomly.
  • Always use strong passwords
  • Regularly change passwords
  • Regularly check settings and preferences to make sure you are still using the optimum security setting available for your email application
  • Always update your operating system, software and applications when prompted
  • Enable two-factor authentication on anything you can
  • Before emailing sensitive information to clients, get their authority to do so
  • Inform clients of potential security issues
  • Consider using an authenticated digital authorisation system for signatures
  • Back up everything

See this month’s related article on Cyber Security from Secure ISS and an article from Insurance Made Easy regarding Cyber Insurance.

  • Updated: 23rd August, 2016