People accidentally send emails to the wrong recipients every day. The impact of these incidents can be relatively minor if there is no sensitive data included in the email body or attachments - it might be inefficient or slightly embarrassing, but it's not a security incident. However, a security incident can occur if personally identifiable information (PII), privileged or protected information, corporate data, or other sensitive data is included in the email.
If you suspect or know you have sent a misdirected email containing sensitive data, then you need to notify someone in your organization immediately. This is usually someone in your Cybersecurity, Risk and Governance, or IT team. Informing them means they can investigate and remediate the incident as quickly as possible, and potentially limit any negative impacts for any data subjects involved and for the organization.
As mentioned above, misdirected emails are a very common cause of security incidents for all organizations. Unfortunately, unless you've used message-level encryption to protect your email, you probably will not be able to recall it. However, there are ways to prevent emails from being sent to incorrect recipients, including upholding information barriers internally.
How do you recall an email in Gmail?
There is no 'recall' button in Gmail. Instead, you can implement a 5, 10, or 30-second delay to 'unsend' an email - however, if you have not set this up or have not clicked on the Undo button in time, unfortunately, you will not be able to recall the email.
Here is how to set up a delay on your outbound emails, during which time you can then choose to unsend (or recall) them before they have left your outbox.
- Click on the cog icon at the top right of the page and click on Settings
- Under the first (main) tab, scroll down to Undo Send and click Enable
- Click on the drop-down box to choose the time limit you have to hit undo (you can choose from 5, 10, or 30 seconds)
- Hit Save Changes at the bottom of the page
- When you next send an email, the Your message has been sent box will appear with an additional undo option (a link on a yellow background)
- If you click on it within your selected time frame, the recipient will not receive the email
Why recalling an email in Gmail doesn’t always work
As mentioned above, you cannot recall a message in Gmail. Instead, the platform allows you to delay sending a message for an extremely short timeframe, during which you can cancel the send.
If you miss clicking 'Undo' during that timeframe, then the email will be sent.
If you navigate away from the screen that appears once you have selected 'Send', then the option to 'Undo' will disappear and you will not be able to recall the email.
As you can see, this relies on you realizing your mistake and correcting it within the delay window, which is not a robust outbound email security strategy.
What else can you do to stop misdirected emails?
Egress Prevent stops emails being sent to incorrect recipients in Microsoft 365. The solution uses machine learning to understand how each individual person uses email and then alerts them to any mistakes before an email has been sent. If your organization uses Microsoft 365, we also have a guide on 'How to recall an email in Outlook'.