Behind the "Fat finger": all you need to know about misdirected emails

Email is among the most used communication tools in the world. Research suggests that as of 2019, the amount of emails sent and received is almost 300 billion per day. Email has many powerful benefits, but it has given organizations significant security headaches too. No question: over the past few years, fending off email security threats has become a much higher priority for organizations. Today, senior leaders recognize that people pose a real threat to organizations’ security: 30% of enterprise cyber incidents are caused by employees. Although eye-catching and sophisticated scams like spear phishing attacks regularly make headlines, one of the most common threats to email security is email misdirection.

What is a misdirected email?

Misdirected email

A misdirected email – also known as a misaddressed email – happens when an email is mistakenly sent to the wrong person due to human error. Even with organizations adopting more and more sophisticated security technologies, messaging the wrong email address is an all-too-common occurrence.

So what kinds of errors actually lead to misdirected emails?

1. Spelling mistakes

One of the most common causes of a misdirected email is a user incorrectly spelling the email address of the correct recipient. An email intended for [email protected] might therefore be sent to [email protected] (As well as work emails, the risks also apply when dealing with clients, external partners or other suppliers.) Accidentally sending an email message to the wrong address might happen due to employees rushing, or switching focus too quickly when multitasking.

2. Autocomplete

Today, the average person spends nearly a third of their working week on email. To save time, it’s not surprising that people often rely on the Autocomplete feature which is available on most email clients, including on Microsoft Outlook, Yahoo or Gmail accounts. With Autocomplete, people often don’t have to manually type email addresses in when sending emails, instead relying on Autocomplete’s speed and convenience to help them complete work quickly.

While Autocomplete can boost productivity, it raises the risk of mistakes being made. Offering a suggested recipient to a sender who has only typed the first initial of the correct person’s Gmail address makes it much easier to accidentally add a wrong recipient with a similar name as the recipient.

3. To/Cc instead of Bcc

The Blind Carbon Copy (Bcc) function allows the person sending an email to hide certain recipients from the main send list. Using Bcc also prevents the concealed recipients from receiving new emails in the same thread. In a work environment, it is often essential to use Bcc when sending a sensitive message to a group of people. Human error can play a part here, though. A common mistake involves the sender accidentally putting certain addresses into the To or Cc fields, rather than Bcc. The impact of this is that all the email’s public recipients become exposed to one another, giving the potential for data loss and compliance breaches. This can be particularly damaging if the content of the email contains personal information regarding sensitive matters like healthcare. Being able to understand which people in your address book need to be handled sensitively is vital. Exposing the real email addresses of individuals can have disastrous consequences for organizations.

4. Accidental “Reply All”

People mistakenly using the “Reply All” function instead of just replying to a single recipient can put data at risk of being compromised. “Reply All” errors can cause email account data and personal information to be disclosed to a wider audience than intended. (It can also damage productivity. Last year, an email was accidentally sent to 22,000 employees of Utah state, with subsequent “reply all” messages from staff clogging up employees’ inboxes.)

As we’ve seen, there are a number of circumstances that lead to misdirected emails in the workplace. So what are the consequences of this kind of error?

In enterprise environments, the content of the message (as well as attachments and links) may include highly sensitive information that regulated organizations have an obligation to protect. For example, law firms often send privileged client data related to ongoing legal matters via email. A pharmaceutical company, meanwhile, may have to pay particular attention to highly sensitive personal information such as patient records.

Many countries have introduced or are introducing stricter data protection laws: GDPR in the European Union, California’s Consumer Privacy Act and the Notifiable Data Breaches scheme in Australia are just a few examples of recent legislation that punishes non-compliance more severely. Under GDPR, organizations failing to control human error on email systems could face fines of up to 4% of annual global turnover, or €20m, whichever is greater. For organizations, the margin for error when it comes to misdirected emails is growing slimmer.

The second consequence concerns trust and reputation. Unlike dialing the wrong phone number, which might be slightly embarrassing, sending a misdirected email and experiencing a data breach as a result can significantly undermine the confidence that clients, shareholders and partners have in an organization. Negative coverage in the press and on social media can negatively affect the perception of companies’ brands, and a quick Google search is all that’s needed to see the damage done to organizations’ credibility. Earlier this year, an NHS employee sent an email to executives containing sensitive personal data regarding 24 NHS employees – who were all copied in on the message.

Looking to the future, organizations will have to adopt security solutions that help reduce the risk of human error. Tessian’s Guardian filter allows enterprises to take control over the errors that happen on email. When a technological solution lets system administrators automatically notify the sender in real time that they are in danger of making an error by sending an email to the wrong person, that organization is in a more secure and stable place.

Speak to one of Tessian’s cybersecurity experts today, and learn whether we could help your organization.

Human Layer Security

The Ultimate Guide to Human Layer Security

By Tim Sadler
24 January 2020

There’s a big problem in cybersecurity. Despite over 3,000 products in the market, data breaches are at an all-time high. Businesses are at risk of insider and outsider threats, with a reported 67% increase in the volume of security breaches over the past five years. Worse still, this increase in security breaches is happening despite organizations spending more than ever to protect their systems and data, up from $1.4 million to $13 million. Why is this happening? Businesses haven’t been protecting their most important asset: their employees. Historically, email security solutions have layered defenses first on top of networks, then devices, and finally cloud applications. The majority of these solutions provide blunt protection, or rely on retroactive threat detection and remediation, which leaves obvious (and unfortunate) gaps in a business’ armor. So, when you can get a firewall to protect your network, and EDR to protect your devices, what do you get to protect your people?

What is Human Layer Security?

Tessian’s Human Layer Security technology understands human behavior and relationships, enabling it to detect and prevent dangerous activity. Importantly, Tessian’s technology learns and adapts to how people work without getting in the way or impeding productivity. We created this category over a year ago, and it was the thesis for our Series B fundraise. Since then, we’ve seamlessly deployed Tessian solutions to customers across industries from SMBs to multi-national enterprises, and are now detecting and preventing millions of inbound and outbound threats on email.

Why do we need Human Layer Security? Your employees now control both your systems and your data and, the fact is, people make mistakes, people break the rules, and people can be hacked. It’s no wonder that 88% of data breaches are caused by human error, with AIG reporting “human errors and behavior continue to be a significant driver of cyber claims.” After all, employees can transfer millions of dollars to a bank account in a few clicks and can share thousands of patient records in an Excel file via a single email. Instead of expecting people to do the right thing 100% of the time, we think it’s better to preempt these errors by detecting and preventing them from happening in the first place. Each of our solutions – Tessian Enforcer, Tessian Guardian, and Tessian Defender – is uniquely positioned to do just that, and these solutions can be explored by the specific type of human error they protect against. People break the rules Whether done maliciously or accidentally, people in every organization can and do break the rules. Those rules can be related to anything, from a password policy to how sensitive information is stored. But, what about rules related to data exfiltration? Oftentimes, employees are blissfully unaware of policies related to – and the risk associated with – sending emails containing work-related information to domains outside of their own organization. Take, for example, an employee who sends a file to their personal email account so that they can work from home over a long weekend. Sometimes, though, work-related information is extracted with more nefarious intent and, unfortunately, this can happen in even the most secure environments. Case in point: In late-2019, an employee at a cybersecurity and defense company sold 68,000 customer records to scammers. This isn’t an isolated incident, either; more than half of UK employees admitted to stealing corporate data. A quarter of those would be willing to do so for less than £1,000.

People make mistakes To err is human and, entrusted with both systems and data, employees put themselves in decidedly vulnerable positions as they maneuver dozens of human-digital interactions each day. From a simple typo to a misconfigured firewall, mistakes are inevitable in the workplace. Unfortunately, though, the consequences of these mistakes are far-reaching. If an employee accidentally fires off an email containing sensitive customer data to the wrong person – otherwise known as a misdirected email – penalties and fines could be incurred, customer trust could plummet, and reputational damage could be long-lasting. And those are just the consequences to the larger organization. Individuals will likely suffer, too, with misdirected emails no doubt causing employees and supervisors tremendous anxiety and even putting them at risk of being terminated.

People can be hacked Businesses of all sizes work with a web of suppliers, contractors and customers spanning different time zones and regulatory environments. As a result, we’ve seen a rise in targeted spear phishing attacks where cybercriminals are convincingly impersonating internal and external contacts. Worse still, the odds are against businesses and their employees. While a hacker only has to get it right once, we are expected to get it right every time. So, what happens if one employee is successfully tricked one time by a spear phishing email and wires money, shares credentials, or otherwise acts as an entry point for a bad actor to gain access to your network? With the average cost of a data breach in the United States climbing to $8.19 million in 2019, the company will likely take a hard hit, especially with the sharp increase in GDPR fines.

Why focus on email? To be truly effective, Human Layer Security must protect all human-digital interactions within the enterprise. This is a massive remit. So, Tessian started with email, because it’s the most popular (we spend 40% of our time on it) and riskiest (most breaches happen here) communication channel.

But why is email currently so poorly protected and how does Tessian fit into larger security frameworks to keep your people and your data safe? Rule-Based Technology Traditional email security solutions are static, disruptive and admin-intensive. Some demand that employees manually classify every email based on sensitivity or tag all emails being sent to external contacts; this is time consuming and not reliable. (Alert fatigue is real.) Others may require that employees encrypt emails, which adds friction and slows the pace of business. These older technologies can’t be configured to adequately defend against all the ways people make mistakes or cut corners on email. Training Aware of these tech shortcomings, most companies layer in security training. The hope is that through a combination of training and policies, employees will adopt secure behaviors. Unfortunately, though, two thirds of employees are not regularly trained about cyber threats on email, which is the #1 threat vector in an organisation. What’s more, a significant percentage of those who are trained don’t retain what they’re taught. Training is incomplete, irregular and doesn’t stick. Hence the need for HLS. Human Layer Security In addition to policies, training, and other security solutions, organizations need an extra layer of security. Human Layer Security works by understanding and adapting to human behavior without compromising productivity. This is only made possible by machine learning (ML), and Tessian built our HLS platform out of the gate using stateful ML. We built our outbound email protection first, and leveraged the email data from hundreds of customers (with their consent, of course) to build our inbound threat stack. Our stateful ML models analyze historical email data in order to understand human relationships and communication patterns. Once we know what normal and abnormal look like, Tessian can automatically predict and prevent security breaches.

How is Tessian using machine learning to secure the human layer on email? We get it—ML/AI are used often and interchangeably in the cybersecurity space. But, the simple truth is that a solution built on ML enables better email protection because ML models get smarter and better over time as more data is ingested. Tessian’s Human Layer Security platform consists of intelligent and fully customizable email filters. For every inbound and outbound email, our filters analyze a vast array of data points in real time to create a comprehensive assessment of the correspondence. In the simplest terms, to determine whether an email is safe or unsafe to send/receive, we examine: Relationship History: Analyzing past and real-time email data, Tessian has a historical view on all email communications and relationships. For example, we can determine in real time: if the wrong recipient has been included on an outbound email; if a sensitive attachment is being sent to a personal, non-business email account; if an inbound email with a legitimate-looking domain is a spoof by detecting an unusual IP address.on Content & context: Using natural language processing to analyze historical email data, Tessian understands how people normally communicate on email and what topics they normally discuss. As a result, our filters automatically detect anomalies in subject matter (i.e. project names) or sentiment (i.e. urgency), which might indicate a threat. Tessian understands and adapts to how people work, so it can prevent threats before they happen. It gets out of the way so people can proceed confidently with business as usual without being slowed down, or having to add threat detection to their to-do list. First, you protected our networks. Then, you protected our devices. Now, you can protect your people with Tessian’s Human Layer Security.

Behind the “Fat Finger”: all you need to know about misdirected emails

What is a misdirected email?

So what kinds of errors actually lead to misdirected emails?