The short answer: verify who is asking, use a tool designed for the kind of information you are sending, and give the recipient only the access they need for only as long as they need it. For confidential text, that usually means an end-to-end encrypted message with an expiring link, not the body of an ordinary email.
“Sensitive information” covers more than passwords. It can include banking instructions, recovery codes, personal identifiers, client details, contract terms, or anything else that would cause harm if it reached the wrong person. The safest method depends on whether you are sharing a credential, a short message, or a file.
Why ordinary email is not enough
Modern email often uses TLS while a message travels between servers. That protects the connection, but it is not the same as end-to-end confidentiality: the sending and receiving mail systems can still access the message, and copies can remain in inboxes, sent folders, archives, synced devices, and backups.
The Canadian Centre for Cyber Security's email guidance makes the same distinction. It recommends encryption for sensitive email and notes that a secure web portal may be more appropriate than ordinary email for sensitive information.
A seven-step checklist
1. Verify the request and the recipient
If somebody asks for confidential information unexpectedly, do not verify the request by replying to the same message. Contact the person through a number or address you already trust. This matters especially when payment instructions, banking details, or identity documents are involved: a convincing email can still come from an impersonator or a compromised account.
2. Match the tool to the information
- Passwords and login credentials: use the sharing feature in a reputable password manager when both parties have access to one.
- Short confidential text: use an end-to-end encrypted message or secure portal with expiry and revocation.
- Documents and other files: use an approved encrypted file-transfer service or secure portal built for attachments.
- Regulated or workplace information: follow your organization's handling policy even if another option seems convenient.
Do not disguise a file as text or paste a large encoded attachment into a secure-message field. A service designed for text may not provide the storage controls, malware scanning, or audit trail that a file needs.
3. Check what “encrypted” actually means
Look for encryption on your device before upload and decryption only on the recipient's device. “Encrypted in transit” protects a connection; it does not necessarily stop the service operating either endpoint from reading the content. Also check what the provider stores, who holds the keys, and whether it can recover the message.
4. Separate the link from the passphrase
If a secure message uses both a link and a passphrase, send them through different channels. For example, email the link and give the passphrase by phone or in person. Putting both in the same email defeats the separation.
5. Limit exposure before you send
Set the shortest practical expiry, add a view limit when available, and make sure you can revoke access. Include only the information the recipient needs. Avoid putting confidential details in an email subject line, filename, or notification preview, because metadata may remain visible even when the content is encrypted.
6. Send a test or confirmation when the stakes are high
For a new recipient or an important transaction, confirm that they can open the secure channel before sending the real information. For changed payment instructions, independently confirm the new details with a known contact before acting on them.
7. Revoke and respond if something goes wrong
If you used the wrong address or channel, revoke the link immediately when the tool allows it. Then contact the affected person or organization through a trusted route. If a credential was exposed, change it; if financial information may have been compromised, contact the relevant financial institution.
Where Secure Send fits
Privatt Secure Send is for confidential text messages, not file attachments. It encrypts the message in your browser before upload. The recipient opens it in their browser with a passphrase you share separately; Privatt never receives that passphrase and cannot read the message content.
You can choose an expiry and view limit, and revoke the link from your sent list. The recipient needs no Privatt account. Those controls make it useful for information such as recovery codes, account details, private notes, or a one-time instruction that should not remain searchable in two mailboxes.
The habit that matters most
Security is not just picking an app. Verify the person, minimize what you send, choose a channel built for the content, and limit how long access lasts. That short pause before sending is often the control that prevents the biggest mistake.
For more official guidance, see the Cyber Centre's advice on spotting malicious email and protecting sensitive information in email.