Remote work is the new default. What are the main cybersecurity threats that come with working from home, and how can employers best address the...
Damage Control 101: What to Do If You Send an Email to the Wrong Person
Anyone can slip up and send an email to the wrong recipient. Learn how to deal with this problem if it occurs in a professional context.
Each day, over 300 billion emails get sent worldwide. A surprisingly high percentage of these messages never reach the intended recipient and instead land in someone else’s inbox.
When you type in the wrong email address or choose the wrong autocomplete option, your email gets misdirected. Another way to misdirect emails is to select too many recipients - this is what happens when you choose Reply all instead of Reply in a group conversation.
Anyone can make these errors, and in most cases, you won’t even notice anything’s wrong until the consequences start unfolding. But if you do realize you misdirected an email, you get the chance to do a bit of damage control before the situation spirals out of your control.
Step Zero: See if you can undo or recall sending the email.
If you use Gmail, you may have a grace period of 5-30 seconds after your email goes out, depending on your account settings. If you see a pop-up asking whether you want to Undo sending the message, click on it immediately. The email will go back to your Drafts without ever reaching the recipient.
For people using Outlook.com, this delay lasts only 5-10 seconds, but with the Outlook app, you can set up a Rule that gives you more time to undo a message before it gets sent (up to two hours).
Did you send the email to someone in your workplace/organization, and are you both using the Outlook app? If so, you may be able to Recall the message. This option lets you change or delete messages that have already arrived in your coworker’s inbox, assuming the email hasn’t been opened yet.
Go here to learn more about unsending emails. The most important takeaway is that you should change your email settings right now to make sure you have the biggest possible window of opportunity to fix your mistake before it does irrevocable damage.
But what happens if your email goes out, and you can’t take it back?
Step One: Assess the damage.
Start with figuring out how the email may get used against you. What kind of data was included in the message? In what ways can it cause harm to you or your company’s reputation? Did you say anything insulting or incriminating? If there were any attachments included, do they contain sensitive data?
If you used CC (carbon copy) to message multiple people at once, they can all see each other’s email addresses. Think about what the unintended recipient can do with that information.
In some cases, you type in the wrong address and the email lands in a stranger’s inbox. If you’re not sure, find out who the recipient is. A memorable example of this kind of error happened in 2018, when the Commonwealth Bank of Australia misdirected emails containing the sensitive data of over 10,000 clients. Instead of cba.com.au (their own domain), they sent messages to the domain cba.com, which belongs to a company in the US.
Of course, it’s also common for misdirected emails to go to someone who’s already in your contacts. This happens when you choose the wrong address from the autocomplete options that Gmail or Outlook offer. You might end up sending client data to a competitor or even a journalist. Be realistic about what they can do with the information you let slip.
Step Two: Notify your data security team.
Although it’s embarrassing, you can’t keep this kind of mistake to yourself. Misdirected emails are a form of data loss, and it’s important to let the security experts know what happened. Do this even if it seems like the email didn’t contain anything harmful or confidential.
Step Three: Consider whether you should follow the message up with an apology to the recipient.
Do you need to message the recipient and tell them that the message was a mistake?
It depends on the circumstances. Some prefer to stay quiet, or to send a short email saying something like “MESSAGE REDACTED”.
Depending on the company culture you’re dealing with, you could also apologize for sending private information and ask them to delete it. Use words like “private” and “confidential” (even if the email isn’t all that sensitive in nature). Understand that they won’t necessarily do what you ask. While it’s good etiquette for the recipient to delete the information they have received by mistake, they don’t have a legal obligation to do so.
Instead, place the focus on your company and anyone else whose information you may have leaked.
Step Four: Notify anyone who may be impacted, and be prepared to face the consequences.
A simple mistake can lose your company a client, but even more importantly, it can make you legally liable for leaking information. It depends on the content of the email, as well as the data protection laws in your region.
If the email you sent contains sensitive or private data from your clients/business partners, there’s no way to avoid repercussions. You need to alert the people impacted about the data leakage. Consult with your legal team as well, and find out whether you need to notify state authorities.
According to GDRP Article 33: “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” You have a responsibility to take reasonable steps to protect sensitive client data, and that includes any emails you may send by mistake.
Prevention Is the Only Good Option
Back in 2014, Goldman Sachs took Google to court over misdirected emails. Goldman Sachs sent private client data to a gmail.com address instead of their own domain (gs.com). The case reached the New York State Supreme Court, and eventually, Goldman Sachs got lucky. Google was willing to delete their misdirected emails, which the recipient hadn’t even opened.
But Google acted without being compelled by the court, which means that no precedent was set. There are no other notable cases of misdirected emails getting deleted on request, and you certainly don’t have the law on your side if you send a message to the wrong person. The only thing you can do is rely on the goodwill of your recipient... and start preparing for any fines you may need to pay, or any uncomfortable questions you’ll have to answer.
It’s clearly in everyone’s best interest to reduce the risk of misdirected emails. This is why we created Preava Prevent, an extension that scans drafts when you are writing them.
Preava Prevent uses predictive behavior modeling to check whether the email you’re writing fits your normal messaging patterns. This will help you avoid mistakes like typing in the wrong domain name, and it can save you from embarrassment and worse.