In light of its prevalence, email is often fraudsters’ preferred channel for cybercrime: From hacking users to selling sensitive data on the dark web to forging a c-level identity and deceiving staff into wiring large sums of money to fraudulent bank accounts.
Interestingly, however, the majority of breaches are not due to outsiders or malicious insiders. In a Ponemon Institute survey, 54% of respondents reported staff negligence as the cause of data leaks in their organization during FY 2017. Accidental emailing is a prominent example of such human errors. Let’s take a closer look.
What is accidental emailing?
Accidental emailing happens when you or your staff contact one or more recipients unintendedly or send confidential information, being an attachment or something else, by mistake. These incidents occur for various reasons.
Professional contact lists, especially in large organizations, can be massive. Employees interact daily with many customers, suppliers, and colleagues, some of them potentially having the same names, aliases, email addresses, or seemingly confusing ones — [email protected], [email protected], [email protected], [email protected], among others. These similarities, coupled with stress, sloppiness, and AutoComplete can generate turmoil in the TO and CC fields.
Additionally, so many files — e.g., proposals, contracts, customer forms — fly in and out companies with confidential information often ending up in the wrong hands, as when an attachment containing the private details of thousands of citizens were shared unintentionally during a tender process. While it is hard to say what went wrong exactly, the document may have been renamed several times or existed in multiple versions, hence possibly causing the mixup.
Should accidental emailing be everyone’s concern?
You can surely recall a time when you sent or received an email by mistake. Probably the incident was closed with a follow-up note apologizing and requesting the recipient(s) to delete the message and file(s) attached to avoid further propagation.
But things do not always end that well, and an error may resurface when least expected and get featured in the media. That is what happened to a top law firm who inadvertently communicated privileged client information to the Wall Street Journal, despite asking and receiving confirmation that the reporter had erased the material.
Of course, the adverse impact of accidental emailing depends on different factors. Generally speaking, data breaches are more likely to happen and be harmful to your organization when staff members work with:
– Many external recipients, e.g., agencies, suppliers, customers, job candidates, journalists, etc.
– Numerous files, especially those containing personally identifiable information, commercial data, and intellectual property
– A large number of recipients at once in the TO and CC fields as it becomes harder to detect erroneous email addresses
How can businesses prevent breaches due to accidental emailing?
You can try recalling your message after hitting the Send button, but this will only work for unread emails. Also, recall requests typically leave a trace in the form of a notification to recipients informing that you or another sender is trying to fix a mistake.
For these reasons, the best way to reduce the risk of accidental emailing is usually prevention. Corporate policies, security awareness, and training can help. You might, for example, require newcomers to follow a course about acceptable emailing practices in your organization depending on roles and job responsibilities. You could also keep everyone alert by curating news stories where accidental emailing is the source of a severe breach and including those in your company newsletter.
But the challenge with human errors is that they occur when senders have their guard down, in the middle of a stressful working day or when a deadline is due soon. In such instances, businesses can rely on tactics like message delaying, giving the possibility to users to cancel faulty communications during a short period.
Alternatively, you might implement data loss prevention (DLP) processes asking users to review recipient lists with potential mistakes — e.g., personal email addresses, unfrequent contacts, etc. — or flagging attachments with sensitive details inside such as social security and credit card numbers.
Bottom line: While accidental emailing may not be the most salient source of data breaches, it can cause real damages to organizations of all sizes unless adequately considered and mitigated as a threat.