Saturday | 22 November, 2008
CSO
The darker side of Webmail
Web-based e-mail may be exposing you to privacy and security problems you didn't expect
Tam Harbert (Computerworld) 29/04/2008 10:02:55

Indeed, when companies start to look at what's traveling through their HTTP channel, "usually IT people are very surprised at the extent of this unsanctioned traffic," Cabri notes.

On the other hand, the dynamic nature of Webmail can be a security plus, says Jen Grant, a group product marketing manager at Google. "The advantage of Webmail and the cloud is that we can adapt and adjust almost instantaneously, so the second a new type of malware is there, we can adapt, adjust and update our system and protect our users," says Grant. Contrast that with a static system on a corporate desktop, she says. "In order for them to adapt, they have to download something, they have to install something. It's just not as fast."

Webmail isn't necessarily any more vulnerable than corporate mail, says Petko D. Petkov, founder and senior security consultant at Gnucitizen, which does penetration testing for companies. Although directly attacking corporate e-mail systems is harder, there are other ways to break into the system, through social engineering or sniffing unprotected wireless connections of corporate laptops at Starbucks, for example. "There are so many variations," he says. "It's just a matter of creativity and innovation."

Webmail is different

However, there's no denying that Webmail, because it is a Web application, is subject to attacks from black-hat hackers looking for vulnerable targets. "It's the law of large numbers," says Ponemon. "The seriously bad criminals -- computer jocks in places like Romania and China -- they look for the big brands because that's where they'll get the most traction from their criminal activity." The two most prevalent vulnerabilities today are cross-site scripting and cross-site request forgeries, according to Petkov. In fact, cross-site scripting is the most prominent vulnerability on the Web, notes Grossman. "It's what's used most often to break into Webmail accounts specifically."

In Webmail cross-site scripting, a cybercriminal sends an e-mail that contains malicious HTML and JavaScript code. When the victim opens that Webmail message, the code automatically executes and sends their cookies, which contain the information needed to get access to that Webmail account, back to the bad guys. Once that happens, the criminals "have everything they need to log in as you," says Grossman. "There's not much you can do about it."

Cross-site request forgery uses cross-site scripting as its first step, says Petkov, but it goes further and uses that info to impersonate the victim to gain access to other accounts. Last fall, Petkov reported a Gmail vulnerability that could allow a hacker to use cross-site request forgery to log into your e-mail account and configure it to forward copies of all your e-mails to the attacker's address. Or they might configure it to simply send copies of all e-mails that contain words like "account number" or "password," which might deliver the information needed to sign into the victim's bank account. Most users would never even realize this was happening -- that is, until they logged into their bank account and found it had been drained.

Google fixed the vulnerability (although, according to Petkov, it wasn't a complete fix and some users were compromised). And Petkov isn't singling out Google for special criticism. All Webmail vendors are engaged in a constant battle against these and other types of exploits, he says. "I'm sure Google is putting a lot of effort into securing their software, but mistakes happen," Petkov notes. "Especially on the Web, where everything is constantly changing and people are always striving to add new features. Every time they add a new feature, there could be a problem."
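
Because the forwarding rules described above go unnoticed by most users, a periodic audit of mailbox filters is one way to catch them. The following Python code is an added example, not from the article or from any Webmail vendor; the filter record format (`id`, `match`, `forward_to`), the function names and the sample addresses are assumptions constructed for illustration.

```python
"""Audit mailbox filter rules for silent forwarding (added example, constructed data)."""

# Words the article names as filter criteria an attacker might use.
SENSITIVE_TERMS = ("account number", "password")


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def audit_filters(owner, filters, trusted_domains=()):
    """Return (severity, filter_id, reason) for each rule that forwards mail
    to an address outside the owner's domain and the trusted list."""
    allowed = {domain_of(owner)} | {d.lower() for d in trusted_domains}
    findings = []
    for rule in filters:
        target = rule.get("forward_to")
        if not target or domain_of(target) in allowed:
            continue  # not a forwarding rule, or forwards somewhere expected
        query = (rule.get("match") or "").lower()
        hits = [t for t in SENSITIVE_TERMS if t in query]
        if not query:
            # No criteria at all: every message is copied out.
            findings.append(("high", rule["id"], f"forwards ALL mail to {target}"))
        elif hits:
            findings.append(("high", rule["id"],
                             f"forwards mail matching {hits} to {target}"))
        else:
            findings.append(("medium", rule["id"], f"forwards to external {target}"))
    return findings


# Constructed sample: a hypothetical export of one mailbox's filter rules.
SAMPLE_FILTERS = [
    {"id": "f1", "match": "from:newsletter@example.org", "label": "News"},
    {"id": "f2", "match": "", "forward_to": "drop@collector.invalid"},
    {"id": "f3", "match": 'subject:"Password" OR "account number"',
     "forward_to": "drop@collector.invalid"},
    {"id": "f4", "match": "from:boss@example.com", "forward_to": "me@example.com"},
    {"id": "f5", "match": "from:travel@example.net",
     "forward_to": "assistant@partner.example"},
]

if __name__ == "__main__":
    for severity, rule_id, reason in audit_filters("me@example.com", SAMPLE_FILTERS):
        print(f"[{severity}] {rule_id}: {reason}")
```

Rules that forward everything, or that match the sensitive terms, are rated high; any other forward to an unexpected domain is rated medium so that legitimate delegations can be reviewed and added to `trusted_domains`.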
