This article discusses some practical steps to take if you’ve sent an email containing confidential information to the wrong person. (Conversely, read our article ‘What happens if I received a confidential email’ if you’ve been the recipient of a misdirected email.)
You may be able to recall the email in Outlook if you sent it internally to someone on the same domain as you and they haven’t opened it yet. In both Outlook and Gmail, you might be able to block the email from being sent if you use a time delay on outbound emails and are able to cancel it in time. Scroll down to the hyperlinks in this article for more information on these two options. Finally, if you’ve used message-level encryption to protect the email, depending on the software you used, you or an IT administrator within your organization might be able to revoke the recipient’s access to the sent item.
As soon as you realize you’ve accidentally sent confidential information to the wrong person, you urgently need to inform a person who’s responsible for data privacy for your company. That’s usually someone in your Cybersecurity, Security, Risk, or Compliance team. They will be able to advise you on next steps, which may include informing your line manager.
It’s best to do this in a way that means they will know about it immediately, for example calling or video conferencing them, or notifying them via instant messenger (such as Teams or Slack). The sooner the right person in your company is aware of an email security incident, the sooner they can start to implement response measures to minimize any impact.
Their priority at this point will be to understand exactly what has happened, so you need to be able to tell your colleague(s):
- Who you sent the email to
- What sensitive data was contained within the email and any attachments
- When you sent the email
You will also probably be asked how the incident happened, including what device you were using. This question might come up or be revisited later, depending on whether your company needs to run a fuller investigation.
Your company will contact the person you sent the email to, asking them to permanently delete the email and any attachments.
Can I unsend an email?
In short, no. Once an email has been sent, there is no real way to ‘unsend’ it. As mentioned above, there is a possibility of recalling an email in Outlook if it’s been sent to somebody within your organization on the same domain as you and if they haven’t opened it yet. If you use delay sending for outbound email in Outlook or Gmail and realize within the timeframe, you can cancel it.
We have two articles on our site that explain the technical requirements and steps you can carry out to recall or cancel emails under these circumstances:
However, if the misdirected email was sent externally (to someone on a different domain to you), or if it was sent internally but has already been opened, you won’t be able to recall the email in Outlook. Emails in both Outlook and Gmail can be scheduled to send later, so depending on the date and time you’ve scheduled an email for, you have a window of opportunity to cancel the email or correct your mistake. Additionally, Gmail allows senders to delay outbound emails by up to 30 seconds; however, if you realize your mistake after that time has elapsed, it won’t be possible to cancel it anymore.
Once an external email has been sent, it is not possible to pull it back.
Preventing misdirected emails to stop future incidents
As the options to recall or block sent emails are so limited, the only real solution to misdirected emails is prevention.
The impacts of misdirecting a confidential email can be serious – and it happens regularly. In fact, independent research conducted for the Egress Email Security Risk Report shows that 91% of organizations have experienced outbound email security incidents. So, it’s sensible to protect both yourself and your organization from potential breaches.
We’re all human and we all make mistakes, which means a solution needs to understand human behavior, without relying on people to realize their mistakes.
Another common but limited solution is to set up ‘static rules’ (e.g. you can send attachments to Company A but not Company B). But rigid rules don’t account for the way we actually work, and they can end up denting productivity. The only way to truly protect yourself from misdirected email is through advanced email security.
Egress Intelligent Email Security has two outbound email security solutions that help people to send the right email and attachments to the right recipients, with the appropriate level of protection:
Prevent uses unsupervised machine learning to understand each employee’s behavior as they use email, such as who they communicate with and the types of content they share with them. When a risk is detected (such as an incorrect recipient), Prevent alerts the sender with a real-time prompt, enabling them to correct their mistake before an email is sent and a security incident has occurred.
As a combined solution, Prevent and Protect can automate email encryption for sensitive content to make sure it’s not accessed by an unauthorized recipient. Protect also allows senders and IT administrators to revoke access to sent emails, essentially recalling an email.
The person in your company who is responsible for email security can request a free, no strings attached demonstration of our Intelligent Email Security portfolio to learn how your organization can benefit from using Egress.