The Long Shadow of a 1970s Convenience

In 1971, a computer engineer named Ray Tomlinson was working on ARPANET, the experimental network that would later evolve into the internet. As part of a small side project, he typed out a test message and sent it from one machine to another. The message itself was forgettable, but the method was not. By choosing the “@” symbol to separate a username from a machine address, Tomlinson invented a format that would become the backbone of global communication.

At the time, email was a technical curiosity with limited reach. Within academic and research circles, it flourished quickly because it solved a basic problem: asynchronous communication. Colleagues no longer had to be at their terminals at the same time to exchange information. In those settings, identity was largely taken for granted. Networks were closed, users often knew one another personally, and the assumption of trust carried over from the culture of the lab.

The first warning signs came only a few years later. In 1978, a marketing representative for Digital Equipment Corporation sent an unsolicited message advertising new computer equipment to nearly 400 ARPANET users. It was the world’s first spam email. The backlash was immediate and harsh, but the damage was done. A channel built for collegial sharing had been shown to support mass deception.

By the 1980s and 1990s, email had leapt from universities to corporations and households. Services like Hotmail, Yahoo, and AOL Mail turned a once-obscure tool into a fixture of daily life. Governments and financial institutions adopted it as well, seeing it as a fast and efficient way to move documents, proposals, and approvals. But what had not changed was the architecture. The Simple Mail Transfer Protocol (SMTP) was designed for openness, not security. It did not guarantee the sender’s identity, and the “From” field could be forged with ease. Authentication and encryption were optional add-ons, not part of the core.

Despite this, email quickly absorbed responsibilities it was never designed to carry. Companies began using it for contracts, invoices, and approvals. Employees reset passwords by clicking links sent to their inboxes. Executives made strategic decisions based on attachments. The system’s ubiquity made it the path of least resistance. Convenience slowly disguised itself as security.

As email’s role expanded, so too did the creativity of attackers. The 1990s saw a wave of phishing campaigns that relied on the simplicity of imitation. Messages imitating banks or software companies asked recipients to “confirm” their credentials. Later, worms like the “ILOVEYOU” email of 2000 spread worldwide in hours, proving just how fragile the trust model was. Each episode underscored the same point: the protocol was sound for communication, but never for assurance.

The Burden of Trust on a Fragile Channel

The consequences are easy to see today. Business Email Compromise drained organizations of more than $50 billion globally between 2013 and 2022, according to the FBI. Criminals did not need to exploit obscure vulnerabilities. They simply wrote convincing messages and relied on the fact that most of us still treat email as authoritative.

The cultural lag between awareness and practice is striking. A friend of mine, who works in cybersecurity, once told me about his attempt to buy a house. The mortgage broker asked him to fill out a PDF form with all the standard financial information (bank account details, employment history, social security number) and email it back. He refused. To him, sending such sensitive data through a channel as leaky as email was unthinkable. The broker balked, insisting that this was how it was always done. That moment of disbelief captured the gulf between professional caution and everyday assumption. What seemed paranoid to the broker was, in fact, common sense.

Organizations have tried to retrofit security onto the channel, but with limited success. Encryption standards like PGP and S/MIME exist, yet their complexity has doomed them to niche adoption. Spam filters are excellent at catching mass junk, but they falter against bespoke impersonation written in fluent, even AI-generated, prose. Multi-factor authentication helps secure inbox access, but it does nothing to verify whether the content inside was legitimate in the first place. Compliance has not solved the problem either. Requirements to archive messages for years have turned inboxes into liability vaults, waiting to be cracked open during litigation or exposed in data breaches. Phishing awareness campaigns are better than nothing, but too often they reduce employees to reluctant test subjects rather than empowered defenders.

The result is that email remains indispensable yet unreliable. It coordinates schedules, delivers contracts, and carries personal notes across continents. But it also enables the most lucrative and persistent form of corporate fraud. The paradox is not just technical; it is cultural.

Some organizations are beginning to unwind the reliance. Workflow systems like ServiceNow or ConnectWise are used to route sensitive approvals into environments where identity verification can be built in. Files are sent through ephemeral systems that vanish after retrieval rather than sitting in inboxes forever. One example is Traceless, which allows help desks to issue reset credentials in a way that disappears once used. The point is not to replace email altogether, but to strip it of the burdens it was never meant to carry.

The better way forward is to treat email as what it is: a remarkable tool for coordination and correspondence, but not a foundation for trust. The history of cybersecurity is littered with examples of failure when organizations load mission-critical responsibilities onto tools that were never built for them. Email is simply the longest-running case study.

As threats evolve, from AI-generated impersonations to deception-as-a-service marketplaces, the gap between what email can do and what we ask it to do grows wider. Trust is not something that can be improvised onto a channel forty years after its invention. It must be designed into the system from the start.
