In the best case, emailing confidential information to the wrong person can be embarrassing. In the worst case, it can cause a major security incident that puts people at risk, jeopardizes an organization's reputation, and leads to remedial and legal action. If you have sent a confidential email to the wrong person, read our article ‘Accidentally sent a confidential email to the wrong address? Here’s what to do’.
Receiving a confidential email by mistake can cause some confusion about what to do or how to respond. There are several reasons this might have happened: you have a similar name to the intended recipient, the sender accidentally clicked ‘reply all’ on an email you were included in, or autocomplete has filled in your email address on their computer or phone.
These mistakes happen more often than you think; the Egress Email Security Risk Report shows that 91% of organizations have experienced outbound email security incidents. In the worst case, such incidents can result in people being put at risk, serious reputational damage, and significant financial losses. While ignoring the email and moving on with your life can feel tempting, it’s necessary to acknowledge the email mistake and let the sender know about it.
In this article, we'll explore some steps you can take to ensure you handle a confidential email properly and carefully if one accidentally lands in your inbox.
Do you know the sender?
Misdirected emails are not the same as graymail or spam, which are fine to ignore or delete. If emails from mass marketing lists meant for someone else irritate you, you can use Outlook to 'mark as junk and delete' or block the sender.
On some occasions, you might have received an email intended for someone you know. For example, someone in your organization's finance team may have sent an email containing sensitive customer details you should not have access to. In this case, you should let the sender know that you have received an email by mistake and inform the person responsible for data privacy or information security in your organization. It is important that you delete the email from your inbox and sent items, and your organization may choose to ‘purge’ this from your mailbox as well.
If you receive a confidential email and don't know the sender, it can be more difficult to know what to do.
Should you respond if you accidentally receive a confidential email from a stranger?
Again, the best course of action is to respond to the sender and let them know they have made a mistake. This reduces the chances of them making the same mistake in the future and may help them to put measures in place to reduce any damage caused by a potential data breach.
You should also let someone in your data privacy, risk, or information security team know that you have received this information, as they may need to liaise with the sender’s organization in future. Finally, you will need to permanently delete any sensitive information.
How to avoid misdirecting your own emails
Intelligent email data loss prevention (DLP) technology is the best solution for avoiding misdirected emails altogether. Egress Prevent adapts to your behavior through machine learning and helps you to catch context-driven mistakes, such as adding the wrong recipient, attaching the wrong file, or using Bcc instead of Cc.
Unlike other types of software that trigger a static, one-size-fits-all alert every time an email is sent, it prompts users only when a genuine mistake has occurred. This improves their experience and reduces 'click fatigue’.
If you or your organization don’t have a DLP solution, here are some steps that you can take to reduce risk:
- Double-check the recipient email addresses in the To, Cc and Bcc fields, especially if autocomplete is enabled
- Ensure you haven't included attachments that contain anything sensitive or confidential, particularly in hidden tabs
- If you are replying to an email that has been sent to many other recipients, make sure you have selected 'reply' instead of 'reply all' if you intend to send the message to an individual
You may also choose to put additional measures in place to reduce the risk of these mistakes. For example, setting up static rules that hold the email in the outbox for a set time frame allows the sender to check that they have not made any mistakes, and you could even go as far as disabling autocomplete in Outlook. However, these do not provide the same level of assurance as an intelligent email DLP solution and are more disruptive to the way you work.
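The static rules described above can be scripted as a pre-send check. The following is an added example, not Egress code or part of the original article: it runs a few of the checks from the list (a look-alike external recipient of the kind autocomplete produces, attachments leaving the organization, several external domains visible in To/Cc, and reply-all fan-out) over a constructed draft, with an assumed address book and an assumed threshold of 5 recipients for the reply-all rule.

```python
"""Static pre-send checks for common misdirected-email mistakes (added example)."""
from dataclasses import dataclass, field
from difflib import SequenceMatcher

@dataclass
class Draft:
    sender: str
    to: list = field(default_factory=list)
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)
    attachments: list = field(default_factory=list)  # file names only
    reply_all: bool = False

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def check_draft(draft, address_book, reply_all_threshold=5):
    """Return a list of warning strings; an empty list means no rule fired."""
    warnings = []
    recipients = draft.to + draft.cc + draft.bcc
    home = domain(draft.sender)
    external = [r for r in recipients if domain(r) != home]
    # Rule 1: an external address whose local part closely matches a known
    # contact at a different domain is the classic autocomplete mix-up.
    for r in external:
        local = r.split("@", 1)[0].lower()
        for known in address_book:
            if domain(known) == domain(r):
                continue
            known_local = known.split("@", 1)[0].lower()
            if SequenceMatcher(None, local, known_local).ratio() >= 0.8:
                warnings.append(f"{r} looks like known contact {known}")
                break
    # Rule 2: attachments are leaving the organization.
    if draft.attachments and external:
        warnings.append(f"{len(draft.attachments)} attachment(s) going to "
                        f"external recipient(s): {', '.join(external)}")
    # Rule 3: unrelated external domains visible in To/Cc (Bcc would hide them).
    visible = {domain(r) for r in draft.to + draft.cc if domain(r) != home}
    if len(visible) > 1:
        warnings.append("multiple external domains visible in To/Cc; consider Bcc")
    # Rule 4: reply-all to a large recipient list.
    if draft.reply_all and len(recipients) >= reply_all_threshold:
        warnings.append(f"reply-all to {len(recipients)} recipients")
    return warnings

if __name__ == "__main__":
    book = ["j.smith@corp.example", "a.lee@corp.example"]  # constructed address book
    d = Draft("me@corp.example", to=["j.smith@partner.example"], attachments=["q3-forecast.xlsx"])
    for w in check_draft(d, book):
        print("WARNING:", w)
```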
Learn more about how Egress helps organizations stop data loss and reputational damage with Egress Prevent.