
What is a Misdirected Email?

  • 05 March 2021

Tessian’s mission is to secure the human layer by empowering people to do their best work, without security getting in their way.

Misdirected emails are common — sending an email to the wrong person is an easy mistake. Who hasn’t done it? But they can also be disastrous, potentially damaging a company’s reputation, revealing its confidential data, and breaching its customers’ privacy.

If you’re looking for a solution versus an explanation of the problem, we’ve got you covered. Learn more about how Tessian Guardian prevents misdirected emails.

How common are misdirected emails?

Many of us have been using email daily for our entire working lives. In fact, around 4 billion people use email regularly, sending around 306.4 billion emails every day.

That explains why misdirected emails are such a major problem. According to research, 58% of people have sent an email to the wrong person while at work, with 20% of recipients stating that this action has lost their company business — and 12% stating that it cost them their job. 

And according to Tessian platform data, organizations with over 1,000 employees send around 800 misdirected emails every year. That’s more than two emails a day. It’s also the most common type of error to cause a breach, according to Verizon’s 2021 DBIR.

Indeed, year after year, the UK’s Information Commissioner’s Office reports misdirected emails as the number one cause of data breaches. And the latest breach data from California also shows that email “misdelivery” was the most common type of data breach caused by human error.

Looking for some examples? Check out this article: 7 Data Breaches Caused by Misdirected Emails.

Why do misdirected emails keep happening?

So — why do we keep making this mistake? 

Well, the problem is partly down to burnout. Around 52% of people say they were more likely to make mistakes while tired — and 93% said they were tired at some point during the working week.

But there are some technical issues that lead to misdirected emails, too.

Spelling mistakes

Email is “interoperable,” meaning that, for example, Gmail users can email Outlook users without issue. In fact, any two people can email each other, as long as they have internet access. So this communication method is highly flexible — but also open to sending errors.

Need to email your payroll data/passport photo/HR file to rob.bateman@companyA.com? Make sure you don’t accidentally type “rod.bateman@companyA.com”, or worse — “rob.bateman@companyB.com”.

The “To” field takes us back to a time before spellcheck began correcting our mistakes without us even noticing. One wrong letter can lead to a data breach.

Autocomplete

When you’re typing an email address into Gmail, Outlook, or any other popular email client, you may notice the “autocomplete” function trying to finish it off for you.

Autocomplete can be a very useful feature when you email the same person regularly. But autocomplete can also lead to misdirected emails.

Autocomplete can lead to misdirected emails when: 

  • You start typing in the “To” field.
  • You see the autocomplete function completing the recipient’s name.
  • You press “Tab” or “Enter” — without checking whether autocomplete has chosen the right recipient from your address book.

Productivity guru Cal Newport estimates that we send and receive around 126 email messages per day — so features like autocomplete save businesses significant amounts of time. But the impact of one misdirected email can undo these benefits.

Bcc error

Bcc (which stands for “blind carbon copy”) lets you hide recipients when sending an email. 

There are a few benefits to using Bcc, but its most useful function is when emailing a large group of people. If you don’t want any of the recipients to know who else got the email, you can put them all in the Bcc field.

Mailing lists are covered by data protection laws, such as the EU General Data Protection Regulation (GDPR). In most cases, each recipient of an email has the right to keep their email address private from the other recipients. 

That’s why accidentally using the “Cc” or “To” field instead of the “Bcc” field can constitute a data breach.

Indeed, in January 2020, speaker company Sonos referred itself to the UK’s data regulator after an employee accidentally copied 450 recipients into the Cc field.
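
A pre-send check for two of the slips described above, the mistyped address and the mass mailing sent via Cc instead of Bcc, as an added example that is not from the original article or Tessian's product. The contact list, the 20-recipient limit, the sample message and all function names are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed data: addresses this sender has mailed before, lower-cased.
KNOWN = {"rob.bateman@companya.com", "jane.doe@companya.com"}
MAX_VISIBLE = 20  # assumed policy limit on To + Cc recipients
# Constructed sample message using the two slips from the article.
SAMPLE = ("To: rod.bateman@companyA.com\nCc: rob.bateman@companyB.com\n"
          "Subject: Payroll data\n\nSee attached.\n")


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def near_miss(addr, known=KNOWN):
    """Return (known_contact, reason) if addr looks like a slip, else None."""
    addr = addr.lower()
    if addr in known or "@" not in addr:
        return None
    local, domain = addr.rsplit("@", 1)
    for contact in sorted(known):
        k_local, k_domain = contact.rsplit("@", 1)
        if local == k_local and domain != k_domain:
            return contact, "wrong domain"
        if domain == k_domain and edit_distance(local, k_local) == 1:
            return contact, "one-character typo"
    return None


def presend_warnings(raw_message):
    """Warnings for the visible (To/Cc) recipients of an RFC 5322 message."""
    msg = message_from_string(raw_message)
    visible = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    warnings = []
    for _name, addr in visible:
        hit = near_miss(addr)
        if hit:
            warnings.append(f"{addr}: {hit[1]}, did you mean {hit[0]}?")
    if len(visible) > MAX_VISIBLE:
        warnings.append(f"{len(visible)} visible recipients in To/Cc: use Bcc?")
    return warnings
```

Calling `presend_warnings(SAMPLE)` returns one warning per slipped address. A message with more than 20 addresses in To and Cc gets the Bcc warning even when every address is spelled correctly.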

The dreaded “Reply All”

Here’s one almost all of us have done before — hitting “Reply All” on an email to multiple recipients when we only meant to email one person (e.g., the sender).

In most cases, accidentally “replying to all” is little more than an embarrassment. But consider Maria Peterson, who, in 2018, accidentally replied to all of Utah’s 22,000 public sector employees.

Misattached files

Misattached files and misdirected emails aren’t the same thing — but misattached files (attaching the wrong file to an email) deserve a dishonorable mention in this article.

Around one in five emails contains an attachment, and Tessian research reveals some troubling data about this type of human error-based data breach:

  • 48% of employees have emailed the wrong attachment
  • 42% of misattached files contained company data or research
  • 39% contained authentication data like passwords
  • Misattached files caused the offending company legal issues in 31% of cases

Looking for a solution? We have one. 

Next steps

We’ve looked at five types of misdirected email, and hopefully, you understand how serious a problem misdirected emails can be.

To find out how to prevent — or recover from — misdirected emails, take a look at our article: You Sent an Email to the Wrong Person. Now What?