Five familiar email fails: Why they could be more than an embarrassing mishap
Email is a fundamental component of business communications. The benefit of near instant messaging, no matter the location, means that business deals and management can be conducted quickly and seamlessly. But our reliance on email as a communication tool has inspired an element of complacency amongst users. The repetitive and familiar nature of email usage means that users can often forget that without the right protocols in place, email can be a window to serious cyber security breaches. It’s not just external cyber threats that businesses need to be mindful of.
Andrea Babbs, UK General Manager, VIPRE SafeSend, explores the most common email mistakes that we’re all guilty of making, and why they could be more than an embarrassing mishap.
The wrong email recipient
With increasing numbers of employees now working remotely, the traditional single office-based computer setup is now becoming less popular within businesses – especially when fuelled by the need for home working during the Covid-19 pandemic. Combined with increasing pressures on staff to work harder, better and faster, it’s easy to see why many don’t pay too much attention to verifying the accuracy of the email address they are sending information to – we’ve all done it! But while it might just seem like an unfortunate mistake, it could have far reaching consequences.
It only takes one incorrect character or autocorrect taking over for sensitive information to land in the wrong inbox. And what if that recipient is a competitor or cyber criminal?
In 2018, Commonwealth Bank staff inadvertently sent 651 emails to an overseas company as they forgot to include ‘.au’ at the end of the domain that should have read ‘cba.com.au’. This leak happened without anyone noticing for a prolonged period of time, potentially putting sensitive and private customer information at risk.
Sending email attachments to the wrong contact
Similar to the above, sending the wrong attachment to the wrong person is also a common user error that could put company data in jeopardy. If confidential corporate information, such as unpatented new product information, falls into the wrong hands or inadvertently into the public domain, this could deliver a huge advantage to the competition or even damage company reputation.
Moreover, with data protection requirements such as GDPR and industry specific regulations in place, organisations now face the threat of severe penalties should they breach conditions designed to keep personal data secure.
For example, Surrey County Council was served with a penalty of £120,000 after three data breaches that involved misdirected emails. This included a staff member sending an email with the personal data of 241 individuals to the wrong email address. The information was not encrypted, so it was instantly accessible to the recipient, a direct breach of data protection regulations.
The ‘reply all’ fail
We’ve all heard stories about the employee getting frustrated with their customer, boss or colleague, replying to an email chain but forgetting their boss or customer is copied in! While that’s a very bad mistake to make, from a company reputation perspective it’s even more damaging when the customer – still copied in – is the focus of the frustration.
Reply all email ‘storms’ can also cause havoc within businesses. This is when a sudden surge of ‘reply all’ messages comes through, usually as a response to a controversial or misaddressed email. This happened within the NHS where an IT contractor sent an email without realising they had copied in 840,000 other colleagues. With users quickly using the reply all function to complain, the system couldn’t cope, causing serious issues for NHS staff – many taking to social media to vent their frustration.
To bcc or not to bcc?
As discussed, adding in email recipients is a task that may seem simple, but if not done correctly, can have devastating repercussions for businesses. The misuse of CC and BCC functions could expose your entire contact database, revealing customer email addresses to potential hackers or competitors.
In 2018, the Independent Inquiry into Child Sexual Abuse was fined £200,000 by the Information Commissioner’s Office after a staff member emailed 90 people using the “to” field instead of the “bcc” field – allowing recipients to see each other’s addresses. Through this human error, the mass email identified possible abuse victims, breaching the Data Protection Act and tarnishing the inquiry’s reputation.
Another and more visible problem with the BCC functionality is when someone who was BCC’d clicks ‘reply all,’ alerting all those who were CC’d on the email that they were not the only recipients. This is a bigger problem than most people think as it raises unnecessary questions and can hinder brand trust and integrity when customers and suppliers are involved.
Data breach – accident or intent?
More than 269 billion emails are sent each day, so it’s no surprise that misaddressed emails are the largest source of data loss for organisations. Hackers can take advantage of complacency within email culture with a number of techniques. For example, they can disguise emails to appear as though they are internal, when they actually come from a spoofed domain that looks almost identical to the real thing. With employees sending so many emails a day and trying to work as quickly as they can, they could fail to spot this and potentially fall victim to a malware or ransomware attack, exposing the organisation’s network and sensitive files.
On the other end of the scale are data breaches conducted with malicious intent. For example, the Morrisons insider threat breach was carried out by a disgruntled former employee who stole and published payroll data of nearly 100,000 staff members online. His aim was to disparage the reputation of his former employer after a disciplinary matter. The breach reportedly cost the company £2 million to rectify.
With emails accounting for such a big part of the way we communicate professionally, particularly when working remotely, it’s important to be aware of and educated about the common email mistakes that often occur. To support employees and reduce the risk of a data breach, businesses can implement intuitive technology that can spot errors, highlighting to the user where potential mistakes might be made and where threats might be hiding.
By using technology that provides a simple safety check and prompts the user to stop and check the message twice before sending, organisations can be in a better position to keep employee productivity high, whilst also reducing the chance of errors. By double checking the recipients of your email or any included attachments before sending the message, these solutions can help organisations avoid the potentially costly error of revealing the wrong information to the wrong person.
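The pre-send safety check described above can be illustrated with an added example (not code from this article or from any product it mentions). It flags recipient domains that look like a typo or spoof of the organisation's own domain, attachments leaving the organisation, and long recipient lists left visible in To/Cc. The domain `example.com.au`, the thresholds and the sample message are assumptions constructed for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

ORG_DOMAIN = "example.com.au"  # assumed organisation domain (placeholder)
MAX_VISIBLE = 10               # assumed limit for recipients shown in To/Cc

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def presend_warnings(msg, org_domain=ORG_DOMAIN, max_visible=MAX_VISIBLE):
    """Return the warnings to show the sender before the message leaves."""
    warnings = []
    visible = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    hidden = getaddresses(msg.get_all("Bcc", []))
    external = []
    for _name, addr in visible + hidden:
        domain = addr.rpartition("@")[2].lower()
        if domain == org_domain:
            continue
        external.append(addr)
        # A domain that is ours minus a suffix, or only a character or two
        # away, is more likely a typo or a spoof than a genuine partner.
        if org_domain.startswith(domain + ".") or edit_distance(domain, org_domain) <= 2:
            warnings.append(f"lookalike domain: {addr}")
    if external and len(list(msg.iter_attachments())) > 0:
        warnings.append(f"attachment going to {len(external)} external recipient(s)")
    if len(visible) > max_visible:
        warnings.append(f"{len(visible)} recipients visible in To/Cc; consider Bcc")
    return warnings

def build_sample():
    """Constructed sample message, not taken from any real incident."""
    msg = EmailMessage()
    msg["From"] = "staff@example.com.au"
    msg["To"] = "alice@example.com, bob@examp1e.com.au, carol@example.com.au"
    msg["Cc"] = "dave@partner.test"
    msg["Subject"] = "Customer statements"
    msg.set_content("Statements attached.")
    msg.add_attachment(b"constructed,data\n", maintype="application",
                       subtype="octet-stream", filename="statements.csv")
    return msg

if __name__ == "__main__":
    for warning in presend_warnings(build_sample()):
        print("WARN:", warning)
```
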