You’ve accidentally received a confidential email. What now?

by Egress
Published on 30th Apr 2021

Emailing confidential information to the wrong person can be embarrassing at best – and in the worst-case scenario it can be highly risky for both the organization and the individual involved. But what about when the shoe is on the other foot?

Here’s what to do when a confidential email meant for someone else lands in your inbox. 

Do you know the sender?

Of course, sometimes misdirected emails are simply spam and can be ignored or deleted. If you keep getting emails from mass marketing lists meant for someone else and it becomes irritating, you have a couple of options. Outlook and Gmail both have functions to ‘mark as junk and delete,’ plus you can block the sender.

There are other occasions when we might receive an email that was clearly meant for someone we know. For example, someone in your organization’s finance team might accidentally email sensitive customer data to someone in another department. Instances like these are surprisingly common, especially in larger businesses when autocomplete gets confused over similar names.

Things are obviously pretty easy when this happens within your own organization. You simply let the sender know you’ve received it by accident, then they can rectify their mistake and you can delete the email. When you don’t know the sender, but the email is clearly confidential and sensitive, things are a little more complicated and you have a decision to make.

Should you respond?

From an ethical standpoint, you don’t need to do anything when you receive an email from outside your organization; a degree of common sense applies. If the email is clearly unimportant, you just delete it and move on. On another day, though, you might receive something that looks important to someone’s life or career and consider getting involved.

By accidentally sending something confidential to you, the sender might have unwittingly caused a data breach. This could be a seriously risky situation for both the individual and the organization in question, especially if the email contains any personally identifiable information relating to the business’s employees or clients.

Responding to the sender and letting them know their mistake is a decent thing to do on two fronts. Firstly, it means they’re unlikely to bother you with misdirected emails again. And secondly, you could be saving someone’s job by helping them stop a data breach. Having said that, you’re under no legal obligation to do anything at all – the decision is yours.


How to avoid misdirecting your own emails

Having your job on the line and panicking about whether a random recipient is going to do the right thing is not a position you want to find yourself in. Unfortunately, that’s how serious misdirected email can be in the current landscape of data privacy. The bare minimum you can do to protect yourself is double-checking the recipient email address (especially when autocomplete is involved), the cc field, and the Bcc field. You’ll also want to double-check any attachments.

We say that’s the bare minimum because we’re all only human – and it’s not possible to catch every mistake or typo over the course of your whole career. Organizations can set up static rules (for example, you can send emails to business A but not business B), but these traditional methods are rigid and unreliable. They also rely on constant prompting that can give even the most diligent employees ‘click fatigue’ after a while.

The best solution for avoiding misdirected email altogether is through human layer security. Egress Intelligent Email Security is an example of human layer security, as it’s able to adapt to your individual behaviour through machine learning. It helps you to catch context-driven mistakes such as adding the wrong recipient, attaching the wrong file, or forgetting to use Bcc instead of cc. This is far preferable for the end user too, as they are only prompted in real time when a genuine mistake has occurred.
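As an added illustration of the checks described in the last three paragraphs (example code written for this page, not Egress’s own code and not how Egress Intelligent Email Security works), the following Python pre-send check assumes a constructed organisation domain, a static allow-list and an address book. It flags an external domain outside the allow-list (the “business A but not business B” rule), an unknown address that closely resembles a known contact (the autocomplete case), several external organisations placed in cc rather than Bcc, and a sensitive-looking attachment leaving the organisation.

```python
import re
from difflib import SequenceMatcher

# Constructed values for this example: the sender's own organisation, a static
# allow-list of external domains (the "business A but not business B" rule),
# and an address book of contacts the sender regularly emails.
ORG_DOMAIN = "example.com"
ALLOWED_EXTERNAL = {"partner-a.example"}
ADDRESS_BOOK = {
    "jane.smith@example.com",
    "jane.smythe@partner-a.example",
    "accounts@partner-a.example",
}
SENSITIVE_NAME = re.compile(r"confidential|payroll|customer|salary", re.I)


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def check_draft(to, cc, bcc, attachments,
                address_book=ADDRESS_BOOK, allowed=ALLOWED_EXTERNAL):
    """Return (rule, detail) warnings for a draft; an empty list means nothing looked wrong."""
    warnings = []
    recipients = [a.lower() for a in to + cc + bcc]
    external = [a for a in recipients if domain(a) != ORG_DOMAIN]

    for addr in recipients:
        # Static rule: an external domain that is not on the allow-list.
        if addr in external and domain(addr) not in allowed:
            warnings.append(("allow_list", f"{addr}: domain {domain(addr)} not allowed"))
        # Autocomplete confusion: an unknown address that closely resembles a known contact.
        if addr not in address_book:
            best = max(address_book, key=lambda k: SequenceMatcher(None, addr, k).ratio())
            ratio = SequenceMatcher(None, addr, best).ratio()
            if ratio >= 0.85:
                warnings.append(("lookalike", f"{addr} resembles {best} ({ratio:.2f})"))

    # cc vs Bcc: external recipients from different organisations in cc can see each other.
    if len({domain(a) for a in cc if domain(a) != ORG_DOMAIN}) > 1:
        warnings.append(("use_bcc", "cc mixes recipients from several external domains"))

    # Attachments: a sensitive-looking file going to anyone outside the organisation.
    if external:
        for name in attachments:
            if SENSITIVE_NAME.search(name):
                warnings.append(("attachment", f"{name} looks sensitive and leaves {ORG_DOMAIN}"))
    return warnings
```

The allow-list rule is the rigid kind of control the article criticises; the lookalike and cc checks are closer to the context-driven mistakes it says need an adaptive approach.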

If you’d like to learn more about human layer security and email data loss prevention (DLP), you can explore our content hub for more information. Or if you’d like to start a trial, get in touch and we’ll be more than happy to arrange a free demo with your IT team.
