The dangers of missent emails
Missent emails are one of the most common sources of security incidents in the workplace. According to software company Tessian, as many as 177 emails per year are sent to the wrong person in small and medium-sized businesses.[1] In large enterprises (i.e., 10,000 employees or more), personnel send company data to unauthorized or personal email accounts nearly 200,000 times a year.
There are many ways an email can be sent to the wrong recipient. For instance, it could simply be the result of a typographical error. When typing the email address of a recipient, one wrong character could direct the message to someone else. Instances where an “o” is replaced with a “0,” or an “l” with a “1,” are good examples.
Another way for an email to be mistakenly sent out is when one relies too much on the mailing platform’s auto-complete feature. While designed for user convenience, particularly within an organization, auto-complete is also susceptible to making the wrong recommendation. Frequently, this is how it plays out: the user inputs the first few letters of the intended email address, or at least the name of the intended recipient; a dropdown menu appears; the user gets to choose the correct email address and presses “Enter”; sometimes, the user makes his choice in a hurry, without actually making sure the correct email address has been selected. By the time the mistake is realized, the message has been sent out.
Sometimes, the culprit is another feature of email platforms: the reply-to-all function. Typically, there is a long email thread that already consists of several exchanges between multiple people. At some point, a user intends to respond to only one person, but inadvertently clicks on the reply-to-all option, thereby sending the email to everyone in the thread. This scenario can get a whole lot worse when a mailing list is involved. In 2015, media company Thomson Reuters experienced a slow-down in operations as a consequence of a reply-all storm that clogged the inboxes of 33,000 employees.[2]
While slow-downs can be inconvenient, a side of missent emails that is of greater consequence is the way their content can be misused if it happens to include confidential information or sensitive personal data.
A missent email may compromise the security and confidentiality of data in several ways. The most immediate is by exposing directory information. In this scenario, the act of sending the email alone will instantly reveal the basic details found in an email’s address line and signature. Right away, the recipient will know about the nature of the email exchange, which may or may not also contain personal data.
Next, the email body itself may contain confidential information. It may contain financial data, performance ratings, disciplinary proceedings, trade secrets, business plans or any such data that may be used against the organization if it falls into the wrong hands. Additionally, should it be known to the data subjects or the public that such an incident occurred, this will call into question how much the organization values privacy and data protection.
Even when sensitive data is not its main content, a missent email may be accompanied by a file containing sensitive personal data that could potentially be used in unauthorized or unlawful ways (e.g., hacking, identity theft and other types of fraud). Such data can also be sold or used for blackmail or extortion.
Aside from security and confidentiality, the other immediate consequence of missending an email is its lack of availability to the intended receiver. This may be critical should it involve urgent and pressing matters that will not be accomplished absent the expected email or its contents.
To avoid the dangers posed by missent emails, the simplest and surest solution is to always double-check the email address of one’s recipient. Right before clicking the “send” icon, look into the address bar and make sure there are no spelling errors. Check the CC and BCC fields and clear them of any unintended recipients. Even when sending an urgent message, take the time to make sure everything is okay. When attaching files containing confidential or sensitive personal data, it is generally advised that they be encrypted. This way, even if an email reaches the wrong individual, the data will not be accessible to most people.
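The double-check described above can also be automated before a message leaves the mail client. The following Python code is an added example, not part of the original article: it flags To, CC and BCC addresses that differ from a known contact only by the look-alike characters mentioned earlier (0/o, 1/l) or by a single typo. The contact list, all addresses and the function names are constructed for illustration.

```python
# Added example: pre-send recipient check. KNOWN_CONTACTS and every address
# below are constructed sample data, not taken from the article.
CONFUSABLES = str.maketrans({"0": "o", "1": "l"})

KNOWN_CONTACTS = {
    "carol.lopez@example.com",
    "bill.olsen@example.com",
    "hr-team@example.com",
}

def skeleton(addr):
    """Lowercase the address and fold look-alike characters (0->o, 1->l)."""
    return addr.strip().lower().translate(CONFUSABLES)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_recipient(addr, contacts=KNOWN_CONTACTS):
    """Return (verdict, closest known address or None) for one recipient."""
    addr_norm = addr.strip().lower()
    if addr_norm in {c.lower() for c in contacts}:
        return ("ok", addr_norm)
    for known in sorted(contacts):          # same address once 0/o, 1/l are folded
        if skeleton(addr_norm) == skeleton(known):
            return ("lookalike", known)
    for known in sorted(contacts):          # one inserted, dropped or changed character
        if edit_distance(addr_norm, known.lower()) <= 1:
            return ("near-miss", known)
    return ("unknown", None)                # not in the address book at all

def review_recipients(to=(), cc=(), bcc=()):
    """Check every To/CC/BCC address; return only those needing a second look."""
    findings = []
    for field, addrs in (("To", to), ("CC", cc), ("BCC", bcc)):
        for addr in addrs:
            verdict, match = check_recipient(addr)
            if verdict != "ok":
                findings.append((field, addr, verdict, match))
    return findings
```

A "lookalike" or "near-miss" verdict is a prompt to confirm the address with the sender, not proof of an error, since two legitimate contacts can have similar addresses.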
Should one fail to execute that crucial first step, retracting the email may be available for a time, depending on the email platform in use. Gmail, for instance, allows a user to set a period within which the sending of an email may be canceled. Microsoft Outlook, on the other hand, allows the sender to completely retract an email as long as it has not yet been read. Naturally, one has to be alert enough to realize one’s mistake if these features are to be useful.
If one misses the opportunity to cancel or retract a missent email, the final option is to notify the unintended receiver and politely request that they refrain from opening it and just delete it at once. Ideally, one must secure their confirmation that the email has indeed been erased, although it is nearly impossible to make certain that this is carried out. In certain cases, it may also be necessary to inform the intended recipient and/or any person whose data was compromised of the mistake. This is supposed to embody transparency and accountability on the part of the organization, which should benefit it in the long run.
There is no fail-safe way to avoid missending emails. But if we observe the foregoing precautions, then it is a risk that can at least be minimized.
While sending an email may seem like one of the most mundane tasks we do at work, it is also one of the most important. Its repetitive nature tends to breed complacency and it is precisely for this reason that we should be more careful when doing it. It would require a bit more effort, sure; but it could also save us from undesirable repercussions that are often harder to handle.