According to the 2019 Adobe Email Usage survey, US employees spend over 200 minutes each day checking their work inboxes. Email remains a vital form of communication across all industries.
But all too often, people slip up and send an email to the wrong recipient. This can lead to miscommunications, and it can damage the reputation of the company. Worst of all, some misdirected emails contain sensitive data, and they can seriously endanger workplace security.
The question is, why would an employee send an email to the wrong person? Let’s go through some basic scenarios.
How Emails Get Misdirected
1. Incorrect Email Address
When you enter an email address manually, it’s easy to make an error. Typos are a fact of life, and it’s also possible to mishear an email address or to accidentally choose the wrong one from a list.
Email clients like Gmail and Outlook offer an autocomplete feature for email addresses. As you start typing the recipient’s address (or name), you’ll see a list of suggestions based on your contacts.
This significantly decreases the risk of typos. However, there’s a chance you might choose the wrong recipient from the list. In this case, the email goes to someone you already know whose name is similar to your intended recipient’s.
2. Misuse of “Reply All”
In one-on-one correspondence, it’s easy enough to keep track of who you’re talking to. But things are trickier when the conversation involves multiple people.
There are three ways to send the same email to more than one recipient:
● Use the “To:” field. When you’re entering the recipient’s address, you can simply add more than one recipient (separate the addresses with a comma). In this case, everyone you message will be able to see each other’s email addresses. If you want to start a conversation with multiple people, this is the option to use.
● Use “Cc:” (carbon copy). You can select this option in the “To:” field. Carbon copies are used in situations where you don’t necessarily expect a response but merely want to send information. The recipients can still see each other’s email addresses. They can reply, but it’s implied that they don’t need to.
● Use “Bcc:” (blind carbon copy). This option is similar to sending a carbon copy. The key difference is that the recipients don’t see each other’s email addresses; they only see the sender’s.
Unfortunately, many people confuse Cc: and Bcc:, and this can lead to a lapse in both security and etiquette. For example, you may reveal your business partners’ email addresses to each other, causing a breach of trust. When in doubt, use blind carbon copy.
But where do misdirected emails come in?
If you’ve received an email that was sent to multiple recipients with visible addresses (that is, the sender used “To:” or “Cc:”), you’ll have two reply options to choose from.
● Reply sends an email only to the sender. You can manually add other recipients if you like.
● Reply All means you are messaging everyone involved in the conversation.
Be mindful of the difference! If you select Reply All, you may accidentally send sensitive information to people who aren’t authorized to see it.
Plus, if you use Reply All thoughtlessly, you are wasting your coworkers’ time with information they don’t need. It is considered rude and annoying. Widespread, simultaneous misuse of Reply All even has a name - it’s called an email storm or a “reply-allpocalypse”.
Microsoft has rolled out a form of protection against this: it is now possible to remove the Reply All button in Outlook.
Note: The original sender of the email can prevent email storms by using Bcc: in the first place. This is the best option for company-wide announcements that don’t require discussions.
3. Emails Sent to Scammers
While many emails get misdirected by sheer accident, there are also email scams to consider.
We often respond to emails automatically, without looking closely at who sent them. For example, if a message seems to be from a coworker, we don’t take extra measures to verify their address.
But cybercriminals can use email spoofing to message us from addresses that seem legitimate. This is how they get away with BEC attacks or spear-phishing.
Always take a moment and check whether you’re responding to the right person. If they aren’t in your contacts yet, that could be a warning sign. In case you’re sending very sensitive information (or agreeing to a significant money transfer), phone the sender directly to check whether the email message is legitimate.
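The check described above can be partly automated. The following is an added example, not code from the article: it works out where a reply would actually be delivered and raises the warning signs mentioned here. The contact list, addresses and sample message are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed address book for this example: address -> display name.
CONTACTS = {"dana.reyes@example.com": "Dana Reyes", "sam.lee@example.com": "Sam Lee"}

# Constructed sample of a received message (not real traffic).
SAMPLE = (
    "From: Dana Reyes <dana.reyes@example.com>\n"
    "Reply-To: Dana Reyes <dana.reyes@example-payments.test>\n"
    "To: sam.lee@example.com\n"
    "Subject: Updated bank details\n"
    "\nPlease confirm the transfer today.\n"
)


def domain_of(addr):
    """Lower-cased domain part of an email address."""
    return addr.rpartition("@")[2].lower()


def check_before_reply(raw_message):
    """Return (reply_target, warnings) for a received message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    # "Reply" goes to Reply-To when it is set, otherwise to From.
    target = (reply_to or from_addr).lower()
    warnings = []
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        warnings.append("Reply-To domain differs from From domain")
    if target not in CONTACTS:
        warnings.append("reply target is not in contacts")
    for addr, name in CONTACTS.items():
        # A familiar name on an unfamiliar address is the classic look-alike.
        if name.lower() == from_name.lower() and addr != target:
            warnings.append(f"display name matches contact {addr}, but reply goes elsewhere")
    return target, warnings


print(check_before_reply(SAMPLE))
```
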
What Can Companies Do to Decrease the Risk of Misdirected Emails?
Once again, mistakes can happen to anyone, including the most experienced, careful employees. But they don’t happen in a vacuum - many different factors can increase the risk of misdirected emails.
If you’re a manager, there are many ways you can lessen the risk of this happening in your company. Here are a few approaches to consider.
● Adequate training in cybersecurity and email etiquette.
Some common mistakes - like the reply-allpocalypse - come from employees’ lack of knowledge. This is easy enough to remedy. Seminars on email-related best practices are a good place to start.
● Restrict when and where employees access their work inbox.
According to Statista, around 76% of US white-collar workers occasionally check their work email outside of normal work hours.
But this can easily lead to distracted emailing. Mistakes happen easily when an employee is on call all the time - it endangers their mental health and negatively impacts their ability to focus on the task at hand.
This is part of why many workplaces forbid their employees to sign in outside of work hours.
● Create a stress-free work environment.
It’s well-documented that people make more mistakes under stress. For example, a study has found that “during stressful moments in the operating room, surgeons make up to 66% more mistakes on patients”.
In an office setting, stress may be the result of large workloads, tight deadlines, bad communication, etc. But there’s also the pressure that employees feel to respond immediately to every email.
By making it clear to your team that you don’t expect immediate responses, you can encourage them to read their messages carefully before sending. Consider setting up a company-wide standard response time policy, and make it clear that accuracy is more important than speed.
● Filter outgoing emails.
Gmail and Outlook both have spam filtering functions. This protects your employees’ inboxes from (some) junk emails and cyberattacks. However, it does nothing to stop misdirected emails sent from your organization.
This is where third-party email security services come in. These scan every attempt to send an email from your employees’ work inboxes. If the recipient (or the content of the email) seems suspicious, the email gets blocked.
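To make the idea of an outgoing filter concrete, here is an added example (not taken from any particular product or from the article) that inspects a message before it is sent. It flags recipient domains that look like typos of known ones, unknown domains, and large visible To/Cc lists that would be better sent with Bcc. The domain list, threshold and sample message are assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumed policy values for this example; a real deployment supplies its own.
INTERNAL_DOMAIN = "example.com"
KNOWN_DOMAINS = {"example.com", "partner-corp.example", "supplier.example"}
MAX_VISIBLE_EXTERNAL = 2  # more visible external recipients than this: suggest Bcc

# Constructed sample of an outgoing message (not real traffic).
SAMPLE = (
    "From: alice@example.com\n"
    "To: bob@partner-corp.example, carol@partner-crop.example\n"
    "Cc: dave@example.com, erin@unknown-mail.example\n"
    "Subject: Q3 pricing\n"
    "\nDraft price list attached.\n"
)


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_outgoing(raw_message):
    """Return (subject, reason) findings that should hold the message for review."""
    msg = message_from_string(raw_message)
    visible = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    hidden = getaddresses(msg.get_all("Bcc", []))
    findings = []
    for _, addr in visible + hidden:
        domain = addr.rpartition("@")[2].lower()
        if domain in KNOWN_DOMAINS:
            continue
        near = [k for k in sorted(KNOWN_DOMAINS) if edit_distance(domain, k) <= 2]
        reason = f"possible typo of {near[0]}" if near else "domain not seen before"
        findings.append((addr, reason))
    external = [a for _, a in visible if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    if len(external) > MAX_VISIBLE_EXTERNAL:
        findings.append(("To/Cc", f"{len(external)} external addresses visible; use Bcc"))
    return findings


print(check_outgoing(SAMPLE))
```
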
Mistakes are a part of life. But some workplace mistakes have disastrous consequences.
Misdirected emails are a good example of a banal mistake that can cause dangerous data leakage. It’s important to discuss how these errors happen and what we can do to stop them.