Insights
INSIGHTS
All Topics
How to prevent misdirected emails
30 Apr 2021by Paul Rubens
We look at one of the most common causes of charity data breaches
Data breaches can be hugely costly to charities, both in direct financial terms, and also in terms of loss of trust and loss of reputation. That’s one of the key reasons that charities should take strenuous cyber security measures to mitigate the risk of a data breach caused by cyber criminals.
But it’s important to remember that cyber crime is not the most common cause of breaches of private information. The Information Commissioner’s Office data shows that in fact the most common cause is misdirected emails.
What is meant by misdirected emails?
In the most simple terms, a misdirected email is an email message or an attachment that ends up being sent to one or more people that were not intended recipients. There are three common ways that that can happen:
1. A user sends an email to the wrong email address. This can happen if an email address is typed in incorrectly (johnsmith@domain.com instead of jonsmith@domain.com), or if the user simply chooses the wrong person to email (for example the chief executive of one company instead of another company).
In order to help reduce the incidence of typos in email addresses, many email programs such as Outlook have an “autocomplete” feature which suggests and fills in the rest of an email address after the first few letters have been typed. Unfortunately, autocomplete can actually cause as many misdirected emails as it prevents, because it is all too easy to allow it to fill in an email address without noticing that it is not in fact the intended one.
2. A user clicks on “Reply to all” instead of reply, thereby replying to the sender of an email without realising that they are sending the email to potentially hundreds of other people. A user may also use “Reply to all” without noticing that more people have been added to the CC field than may have been the case earlier in the email conversation.
A variation of this is when a user sends an email with many email addresses in the Cc field when they should have been in the Bcc field, thus breaching the privacy of the people whose email addresses have been publicly shared.
3. A user sends an email to the intended recipient, but adds the wrong attachment. It is very easy to click on the wrong file to attach to an email, and when this happens it is unlikely to be detected before it has been sent.
Why are misdirected emails such a big problem?
Misdirected emails account for so many data breaches because of the sheer scale of email communications. To get it into perspective, more than 300 billion emails are sent every day. According to statistics compiled by email security company Tessian, organisations with more than 1,000 employees send around 800 misdirected emails every year, or over two per day, on average.
Of course not every misdirected email leads to a data breach, but emails containing the wrong attachment appear to be most worrying. Tessian research found that almost a third of misdirected emails caused legal issues for the organisation that sent it, perhaps because attachments by their very nature tend to contain more information, expressed more formally, than the typical contents of an email message.
Related Articles
What can your charity do to prevent misdirected emails?
Perhaps the most important thing your charity can do is highlight the problem of misdirected emails to staff. That’s to make sure that they understand the importance of paying attention to the email addresses that they enter and the files that they attach, and the consequences of making mistakes. In practical terms, this means staff need to check every email and attachment every time before they press “send”.
However, even the most conscientious people can and do make mistakes for a variety of reasons. 52% of people questioned by Tessian said that they tended to make mistakes when tired and, worryingly, 93% said that they were in fact tired at some point during a typical working week.
Below are some other steps to consider.
Taking control of autocomplete
Despite being intended to cut down on typos in emails (as well as making email address entry quicker and easier), the autocomplete feature of many email programs is a key cause of misdirected emails. Here are some things that staff can experiment with to reduce the likelihood of misdirected emails:
- Remove unwanted entries: One way to reduce autocomplete errors is to watch for inappropriate autocomplete suggestions that pop up, and then delete them so that they are no longer suggested for autocompletion. This can be useful if an email program frequently suggests the email address of someone that may only have been in correspondence once, but whose name is similar to someone who is in frequent email contact
- Temporarily disable autocomplete: Another way to reduce the autocomplete problem is to disable it when dealing with particularly sensitive or confidential information, and then re-enable it later
- Disable autocomplete permanently: A more radical approach is to disable the feature altogether – although there is the risk that this will introduce more typo errors than the number of autocomplete errors that are avoided
Add a send delay
A different tactic for reducing misdirected email errors is to add a delay between when a user presses “send” and when the email is actually sent by the program. In the meantime the email is held in an outbox, providing an opportunity for a user to check that they have not made any mistakes – especially if they realise after they send an email that they have made a terrible mistake.
Email checking software
Perhaps the most effective way of preventing email misdirection, but also the most expensive, it to use email checking software which is available from a number of vendors including Tessian and DocsCorp.
These programs work in a number of ways, but essentially they look at recipient email addresses and use a simple form of artificial intelligence to assess if messages are “high risk” and need to be checked before sending. For example, an email sent internally to a colleague is likely to be assessed as lower risk that one sent to an external company address or an address at a public provider such as Gmail. The programs also allow users to blacklist certain addresses so that warnings are always issued before email is sent to them.
More on this topic
Recommended Products
31 Oct 2024by Laura Stanley
What cyber certification can do for charitiesSponsored Article
30 Oct 2024by Jane Waterfall
A charity guide to maintaining Cyber Essentials all year roundSponsored Article
14 Oct 2024by Laura Stanley
How to make your social media a trusted voiceSponsored Article
Our Events
Digital Fundraising Summit 2024
For the sixth year in a row, we're bringing back an action-packed event filled with Digital Fundraising insights from the charity and tech sectors. Join us on 7th October 2024 for a free, one-day online event featuring informative webinars and interactive workshops.
© 2022 Charity Digital Trust. All rights reserved
We use cookies so we can provide you with the best online experience. By continuing to browse this site you are agreeing to our use of cookies. Click on the banner to find out more.
