10 email mistakes that lead to security incidents

Alex Hogg | 12th Apr 2023

With 269 billion emails sent every day, there are mistakes made that can lead to security incidents. Ultimately, where there are people there is risk.

Independent research conducted for the Egress Data Loss Prevention Report found that 85% of employees are using email more than ever, and 80% say they use it to regularly share confidential information. As every employee in an organization has access to email, anybody can cause a security incident, with or without knowledge of the incident.

Ultimately human error is difficult to avoid in the fast-paced, flexible environment we work in today, and relying on employees to detect their own mistakes is an ineffective strategy. Phishing attacks prey on the vulnerability of the recipients with the aim of gaining access to data, systems, and networks. Additionally, people also make mistakes when sending emails, such as adding incorrect recipients and attachments.

In fact, 91% of organizations had security incidents from outbound email and 92% fell victim to phishing, according to research conducted for the Egress Email Security Risk Report. To ensure employees do not make mistakes or fall victim to phishing attacks that lead to security incidents, organizations must deploy an integrated cloud email security (ICES) solution, such as Egress Intelligent Email Security.

The most common email mistakes

Determined by independent research and conversations with global enterprise organizations and governments, as well as incidents reported in the news, here’s a compilation of the top 10 most common email mistakes in the workplace.

1. Clicking on unsafe phishing links

One of the highest-profile, unchanging, and most successful means of phishing is when a victim clicks on a malicious link within an email, then taken to a phishing website, and tricked into entering their login credentials (e.g. for Active Directory, Microsoft365, etc.). These credentials are then used to log into genuine systems to compromise information, usually for financial or commercial gain, or to hijack accounts for onward attacks (for example, using a supplier email account as part of a business email compromise (BEC) attack).

One of the more common ways this email mistake can happen is through fraudulent password reset emails that look like they come from specific systems or an organization’s administrators.

2. Replying to a phishing email

Phishing attacks are becoming more sophisticated. In some instances, cybercriminals will commence an attack with scouting emails, by sending a ‘payloadless’ phishing email to see whether the target is susceptible to their attack. By making use of payloadless phishing emails these cybercriminals bypass security that relies on detecting malicious payloads within an email.

Payloadless phishing emails often include messages designed to trick recipients into entering a conversation with the attacker without a malicious link or attachment. They’re likely spoofing the email address of a trusted contact or they’ve managed to take over a legitimate account. Ultimately, cybercriminals want the recipient to reply with confidential information, such as their email password, or financial payments (e.g. gift card codes).

3. Being socially engineered into invoice and payment fraud

Social engineering involves cybercriminals manipulating their victims’ emotions and deceiving them into paying a fraudulent invoice or giving up passwords, and other confidential data. Attackers will sometimes impersonate suppliers to trick employees into paying fraudulent ‘overdue’ invoices, which is also referred to as BEC.

4. Misdirected emails

Email clients such as Outlook autocomplete email addresses to increase work efficiency. This can lead to significant email mistakes, as this functionality makes it easier to add the wrong recipient to an email. Most commonly, unintended recipients have the same first name, surname, or initials as the intended recipient. This mistake frequently goes unnoticed by the recipient. There are ways to recall an email in Outlook if there is an incident of a misdirected email.

5. Attaching the wrong document

Attachments can cause serious compliance headaches when it comes to email mistakes. Sending the wrong document to a recipient can cause significant exposure of confidential data. Whether it’s personally identifiable information (PII) or commercially sensitive information, this is typically difficult to reverse or undo.

6. Hidden data within files

In this instance, an employee could forget about sensitive information in additional tabs, hidden columns or rows, or in the metadata. This can result in a breach of confidentiality and, depending on the sensitivity of the data, can have significant impact on a business. Using intelligent DLP solutions like Egress Prevent will notify the sender if there are any keywords hidden within the document before it is sent to the recipient.

7. Using To/Cc instead of Bcc

This is a common email mistake that frequently hits the headlines. Instead of putting the recipients’ email addresses in the Bcc field, and essentially hiding them from the other recipients, the addresses are accidentally exposed to the rest of the list in the To/Cc. In addition to disclosing the email addresses, many of the high-profile incidents reported in the press have also seen highly confidential data leaked by organizations with the content in the email. For example, in the past a prominent medical organization did not BCC recipients when sending advice for a specific condition, disclosing the recipients to each other along with their medical status.

8. Adding someone to a chain, forwarding an email, or replying all

When involved in an email chain, some employees may feel another member of their team should be included at a certain point. Employees will then add them in without considering what has previously been sent or received in that thread, which can lead to a data breach.

Similarly, employees may receive an email they feel another member of their team needs to review and will forward it to them. However, when employees are fatigued or under pressure with other tasks they may rush this process and enter the wrong recipient's email address. In some cases, this misdirected email may result in a data breach when received by the unintended recipient.

Finally, employees may default to using ‘Reply all’ when responding to an email. The mistake here is that if the reply contains sensitive content, this can also cause unwanted exposure.

There is a very small chance that an employee can recall an email, however, this is usually not possible. Ultimately, avoiding these mistakes is the best way to ensure security incidents do not occur.

9. Sending work to a personal address

Employees can send work to their personal email for both malicious purposes or for ‘innocent’ reasons, such as to continue working after they leave the office or to print a document at home. In malicious situations, the employee could be in the process of acquiring a new role or leaking confidential information to competitors.

The main concern in sending work to a personal address is that there may not be the same level of security as there is with a business account. This can lead to unintentional confidential data breaches.

10. Forgetting to appropriately secure emails

There are many reasons to encrypt emails, but the three most important ones include ensuring content is only accessed by the authorized recipient(s), preventing interception in transit; stopping the recipient from being able to forward the email and attachments to another unauthorized contact or taking other actions (such as printing documents), and to provide audit information for sent emails for compliance purposes. However, if an organization’s default policy is to rely on people to encrypt emails directly within Outlook, they can expose themselves to security incidents if someone forgets to apply encryption or does not realize the information needs to be sent encrypted.

Tips going forward

Given employees’ reliance on sharing information by email, reducing the chances that these mistakes will happen is crucial to protect confidential data and brand reputation. We cannot rely solely on employees to recognize attacks or mistakes without support from integrated cloud email security (ICES) solutions such as Egress Intelligent Email Security. The likelihood of these mistakes happening reduces significantly if the right technology is in place, however, some good-practice guidelines could be implemented to improve overall security, as outlined below:

  • Add addresses in last
    Advise employees to enter recipient email addresses after they have composed their email and added any attachments. This may give them the opportunity to make sure they have entered the correct recipient's email
  • Review emails before clicking send
    Remind employees to always review their email content and recipients before clicking send, completing this task could prevent a number of email mistakes
  • Never rush
    In a fast-paced work environment, it becomes second nature to rush to get responses out. Employees need to slow down to ensure they don’t rush into making a mistake that could lead to a security incident
  • Use the right technology
    While all of these are great guidelines, human nature means email mistakes will still happen. This is why Egress offers an intelligent email security platform, which can address all these threats and more

Related articles

Customer Stories

Which type of email DLP is best for me?

Choose the right level of email protection for your business. 
TAG Cyber 555X300

TAG Cyber: Reduce human activated risk

TAG Cyber’s latest report explores this imperfect relationship and how it relates to a technology your business uses every day: email.
Laptop Security Padlock

How a zero-trust model can help prevent email data breaches

A zero-trust approach to email DLP makes sense - but how can we make it seamless and user-friendly? 
Confidential lock 600x400 490kb

How to securely send and open confidential email

Learn how to share your data via email with confidence.