Advertisement

If You BCC Someone on an Email, Can the Recipient Find Out?

Email
The BCC field in an email should be used with care. Elrinian/Wikimedia/CC BY-SA 4.0

Advertisement

Your typical email program has several options to simultaneously message more than one person. You can load up the "To" box with many recipients and then blast away. Or you can put some (or one) in the "To" spot and CC the rest. Or else BCC some or all.

The BCC might be the trickiest as it means that not everyone is privy to the same information. And it has the biggest risk for pitfalls. So, when do you CC and when do you BCC?

First, you have to know what CC and BCC mean. The CC field stands for carbon copy; the BCC field stands for blind carbon copy. Carbon copies were common in pre-internet days. When someone needed a copy of a document, they inserted a sheet of carbon paper between two pieces of paper. The carbon paper helped the ink or type move from the top sheet to the bottom, and presto, you had two copies of the same paperwork.

These days, an email CC means you sent a copy of a message to someone other than the direct recipient – it's an easy way to keep vested parties in the loop on a subject. Notably, the CC format allows everyone to see each other's email addresses, too.

BCC works the same way as CC, except the direct recipient (in the "To" line) doesn't know that anyone was BCC'd on the message. So, for example, if you emailed a subordinate at work about being late to the office and BCC'd your own boss to show her that you were being diligent about tardiness in the office, your subordinate wouldn't know that her lateness was being pointed out to your own superior.

Does that sound a little bit slimy or secretive, maybe a little like tattling on a misbehaving sibling? It should. You could call BCC the "backstabbing carbon copy," because its usage is often loaded with etiquette pitfalls and potential backlash. After all, if you're purposely hiding the fact that there are BCC recipients, maybe you should question your motives.

BCC is a notorious office space landmine, particularly if the person who is BCC'd accidentally hits Reply All. Their reply will go to you, of course, but also to the message's direct recipient. Whoops. This kind of abrupt disclosure has resulted in countless tense office scenarios. The takeaway? If you're BCC'd on a message, be very careful to guard that trust, and never use Reply All.

In spite of these issues, there are some very good reasons to use BCC. Maybe you're a supervisor of various contract or freelance workers who never interact with each other, and you want to update all of them on policy changes without having to send individual emails. To do so, you can send them all a message with just the BCC section filled in with their addresses.

This isn't just a matter of convenience for you – it also protects the privacy of your freelancers, who probably don't want a bunch of virtual strangers to see their personal email address.

Or maybe you're a company trying to contact many customers about an important issue. You absolutely have to use BCC, otherwise hundreds or thousands of people will suddenly see private email addresses. That's a major breach of trust.

Can a BCC Recipient Be Exposed?

But what if there was a way for recipients to find out who was BCC'd on a message without the receiver's knowledge? Not only could it lead to uncomfortable situations, but it could result in a serious violation of privacy for people who don't want their email addresses revealed.

"Generally, recipients can't see if someone has been blind-copied on a message," says Sherrod DeGrippo, senior director of threat research and detection for Proofpoint Email. "Servers that receive messages are designed to strip out 'BCC' information before they pass the message on to the recipient. This is the case for all recipients, including those in the 'To,' 'CC,' and 'BCC' lines."

But as with all things digital, that's not the end of the story. Typically, it's user error that causes BCC privacy breaches.

"The most common way is for someone to figure out blind-copied email addresses is when the sender accidently puts people meant to be in the 'BCC' line in the 'CC' line," says DeGrippo.

However, she notes that threat actors – hackers – have found ways to attack the privacy of BCC. One would be to access the target's inbox in one way or another, and then simply look in the Sent items to find out who received a BCC message. Or, if your device is infected with data-stealing malware, an attacker could access messages in the Sent folder.

"Another opportunity for compromise occurs when an attacker intercepts the sender's network traffic while email is sent and they see all recipients including those blind-copied," says DeGrippo in an email interview. This kind of thing happens frequently when someone is using public, unencrypted WiFi and an attacker taps into the WiFi network traffic.

"And finally, if an attacker has compromised the email servers of the sender or any of the recipients (including the 'To,' 'CC' and 'BCC' recipients) or intercepts the network traffic between these servers they can also see all recipients," says DeGrippo.

In other words, BCC is anything but impenetrable. So, if you're a spy trading in state secrets, you've been warned.

Using BCC Wisely

To protect yourself when using BCC, you can take a number of steps. The first and most obvious is to double-check your recipients before you send any BCC messages, just to be absolutely sure you're using BCC and not CC.

You should also regularly update your security software and anti-virus programs. That way, your device guarded against current threats.

"Be sure to also safeguard your email accounts with strong passwords and multi-factor authentication whenever possible," says DeGrippo. "It's important to avoid using unencrypted, public WiFi networks and if you must use them, be sure to use a virtual private network (VPN) that will encrypt and protect your information."

Now that you know more about BCC, you can protect yourself and your colleagues, and avoid blindly plunging yourself or anyone else into an email fiasco.

Advertisement



Advertisement


Advertisement



Advertisement

Advertisement