What is a Misdirected Email?

A misdirected email, also known as a misaddressed email, is an email sent to an incorrect recipient due to inadvertent human error.

How can a misdirected email occur so easily?

  • Spelling mistakes: Incorrectly spelling the email address of a recipient is one of the most basic causes of a misdirected email. One incorrect key press can result in an email intended for [email protected] being sent to [email protected].
  • Autocomplete: We almost never manually type email addresses into the recipient fields of an email client and instead rely on the speed and convenience of the autocomplete function. Whilst autocomplete is a massive productivity boost, it makes it extremely easy to add the wrong recipient to an email.
  • To/Cc instead of Bcc: A common cause of misdirected emails is neglecting to Bcc when sending an email to a large recipient list thus exposing the identity of all of the recipients on an email to one another. This can be particularly damaging if the content of the email contains highly sensitive data (e.g. a mailing list for HIV positive patients).
  • Accidental 'Reply All': Mistakenly using ‘Reply All’ instead of just ‘Reply’ can have potentially disastrous effects, causing emails and information to be delivered to a wider audience than intended.
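The four causes above are all things a sender can be warned about before the message leaves the outbox. The following Python is an added example, not Tessian's code or the original page's, of a minimal pre-send check: it flags recipient domains that are one typo away from a trusted domain, warns when more than a threshold of recipients are visible in To/Cc (a Bcc candidate), and warns when a reply reaches addresses beyond the original sender. The trusted-domain list, the threshold and the sample messages are constructed assumptions for illustration.

```python
"""Pre-send checks for common misdirected-email causes (added example)."""

# Assumed: domains the organisation routinely corresponds with.
TRUSTED_DOMAINS = {"examplecorp.com", "partnerfirm.co.uk"}
# Assumed: above this many visible recipients, suggest Bcc.
BCC_THRESHOLD = 10


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 means a single substitution, insertion or deletion."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_addresses(field: str) -> list:
    """Split a comma-separated header value into lowercase addresses."""
    return [a.strip().lower() for a in field.split(",") if "@" in a]


def check_typo_domains(recipients: list, trusted=TRUSTED_DOMAINS) -> list:
    """Return (address, likely_intended_domain) pairs for near-miss domains."""
    flags = []
    for addr in recipients:
        domain = addr.rsplit("@", 1)[1]
        if domain in trusted:
            continue
        for good in trusted:
            if edit_distance(domain, good) == 1:
                flags.append((addr, good))
    return flags


def check_visible_recipients(to: list, cc: list, threshold=BCC_THRESHOLD) -> int:
    """Return the visible recipient count if it exceeds the threshold, else 0."""
    visible = len(set(to) | set(cc))
    return visible if visible > threshold else 0


def check_reply_all(reply_recipients: list, original_sender: str) -> list:
    """Addresses a reply would reach beyond the person being replied to."""
    return [r for r in reply_recipients if r != original_sender.lower()]


def pre_send_check(message: dict, trusted=TRUSTED_DOMAINS, threshold=BCC_THRESHOLD) -> list:
    """Run all checks on a message dict; return a list of warning strings."""
    to = parse_addresses(message.get("to", ""))
    cc = parse_addresses(message.get("cc", ""))
    bcc = parse_addresses(message.get("bcc", ""))
    warnings = []
    for addr, good in check_typo_domains(to + cc + bcc, trusted):
        warnings.append(f"possible typo: {addr} (did you mean @{good}?)")
    visible = check_visible_recipients(to, cc, threshold)
    if visible:
        warnings.append(f"{visible} recipients visible in To/Cc; consider Bcc")
    replying_to = message.get("replying_to")
    if replying_to:
        extra = check_reply_all(to + cc, replying_to)
        if extra:
            warnings.append(f"reply also reaches {len(extra)} address(es) beyond {replying_to}")
    return warnings


# Constructed sample messages, one per cause.
SAMPLE_TYPO = {"from": "bob@examplecorp.com", "to": "alice@examplecorp.con"}
SAMPLE_LIST = {"from": "clinic@examplecorp.com",
               "to": ", ".join(f"patient{i}@mail.example" for i in range(12))}
SAMPLE_REPLY = {"from": "bob@examplecorp.com", "to": "alice@examplecorp.com",
                "cc": "all-staff@examplecorp.com", "replying_to": "alice@examplecorp.com"}

if __name__ == "__main__":
    for name, msg in [("typo", SAMPLE_TYPO), ("list", SAMPLE_LIST), ("reply", SAMPLE_REPLY)]:
        print(name, pre_send_check(msg))
```

A real deployment would derive the trusted-domain set from the sender's own history rather than a static list, and the thresholds would be tuned per organisation; the structure of the checks stays the same.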

Misdirected emails (data sent by email to the incorrect recipient) and failure to use Bcc were responsible for more data leaks than any other category reported to the Information Commissioner’s Office (ICO) in 2017.

Source of information: https://ico.org.uk/action-weve-taken/data-security-incident-trends/previous-reports/

What are the consequences of misdirected emails?

  • Non-compliance: Many emails contain highly sensitive information that regulated organisations have an obligation to protect. For law firms, this might be client-privileged data related to a legal matter whereas for pharmaceutical companies this could be healthcare records or patient data.
  • Regulatory fines and penalties: Data loss through misdirected emails can easily result in companies breaching their regulatory obligations. With increasingly stringent data protection regulation like GDPR, organisations will face mandatory breach reporting obligations and could face fines of up to 4% of annual global turnover, or €20m, whichever is greater.
  • Loss of trust and reputation: Data loss can significantly undermine the confidence that clients, shareholders and partners have in a company. In extreme cases, data loss events can lead to irreparable damage to a company’s reputation and a direct loss of revenue and clients.

With many countries introducing stricter data protection laws, like the upcoming General Data Protection Regulation (GDPR), the recently introduced Notifiable Data Breaches (NDB) scheme in Australia, or the well established Health Insurance Portability and Accountability Act (HIPAA) regulation in the US, the margin for error with misdirected emails is growing ever slimmer.

About Tessian

Tessian is building the world’s first Human Layer Security platform to fulfil our mission to keep the world’s most sensitive data and systems private and secure. Using stateful machine learning to analyze historical email data, Tessian’s Parallax Engine can predict, for this user at this point in time, whether this email looks like a security threat.

Book a demo to learn more about our email security platform.