By Drew Fox Jordan • January 18, 2022

    Email Mistakes That Can Compromise Your Organization's Security

    Everyone makes mistakes at work. It could be double-booking a meeting, attaching the wrong document to an email, or misinterpreting directions from your boss. While these snafus may cause red-faced embarrassment, they generally won't have any long-term consequences.

    But what about mistakes that compromise cybersecurity? Unfortunately, this happens more often than you might think. Here are some common security mistakes employees make.

    "I sent an email to the wrong person"

    We call this a misdirected email. If you've sent one, you're not alone. It's the number one security incident reported to the Information Commissioner's Office (ICO) under the GDPR.

    Why does it happen so often? Well, because it's incredibly easy to do. It could be a simple typo (for example, sending an email to jon.doe@gmail.com instead of jan.doe@gmail.com) or an incorrect suggestion from autocomplete. 

    What are the consequences of sending a misdirected email?

    Here's a high-level overview: 

    1. Embarrassment 
    2. Fines under compliance standards
    3. Lost donor trust and increased churn
    4. Job loss
    5. Revenue loss
    6. Damaged reputation

    Note: The consequences depend entirely on what information was contained in, or attached to, the email.

    Real-world example of a misdirected email

    In 2019, the names of 47 claimants who were the victims of sexual abuse were leaked in an email from the program administrator after her email client auto-populated the wrong email address. 

    While the program administrator maintains that this doesn't qualify as a data leak or breach, the recipient of the email – who worked in healthcare and understood data privacy requirements under HIPAA – insists that this employee must notify the 47 individuals. 

    "I attached the wrong file to an email"

    Employees can do more than send an email to the wrong person. Unfortunately, they can also send the wrong file(s) to the right person. We call this a misattached file, and, like "fat-fingering" an email, it's easy to do.

    Two files could have similar names, you may not attach the latest version of a document, or you might click on the wrong file entirely. 

    What are the consequences of sending a misattached file?

    As you may have guessed, the consequences are the same as those of sending a misdirected email.

    Of course, the consequences depend entirely on what information the attachment contains. For example, if it's a presentation containing private financial information for the organization or a spreadsheet containing the PII of donors, you have a problem. 

    Real-world example of sending the wrong attachment

    A customer relations advisor at Caesars Entertainment was sending emails to the casino's VIPs. The employee was supposed to attach a customized invitation to an event in the emails.

    But, in one email, the employee accidentally attached the wrong document, which was a spreadsheet containing personal information related to some of their top 100 customers.

    Luckily, they also misspelled the email address, so the employee technically never sent it. 

    "I accidentally hit 'reply all' or cc'ed someone instead of bcc'ing them"

    Like sending a misdirected email, accidentally hitting "reply all" or cc instead of bcc are both easy mistakes to make. 

    What are the consequences of hitting "reply all" or cc instead of bcc?

    As you may have guessed, the consequences are the same as those of sending a misdirected email. And, importantly, it depends entirely on what information was contained in, or attached to, the email.

    For example, suppose you drafted a snarky response to a company-wide email and intended to send it to a single co-worker but ended up firing it off to everyone. In that case, you'll be embarrassed and may worry about your professional credibility.

    But, if you replace that snarky response with a spreadsheet containing medical information about employees, you'll have to report the data loss incident, which could have long-term consequences.

    Real-world example of hitting "reply all"

    In 2018, an employee at the Utah Department of Corrections accidentally sent out a calendar invite for her division's annual potluck. Harmless, right? Wrong.

    Instead of sending the invite to 80 people, it went to 22,000, nearly every employee in the Utah government. While there were no long-term consequences (i.e., it wasn't considered a data loss incident or breach), it does go to show how easily data can travel and land in the wrong hands.

    Real-world example of cc'ing someone instead of bcc'ing them

    In 2020, 450 customer email addresses were inadvertently exposed after an employee copied them into an email rather than blind copied them. The employee sent the email to speaker-maker Sonos and, while it was an accident, the mistake is considered a potential breach. 

    "I fell for a phishing scam"

    In 2019, 22% of breaches involved phishing, and 96% of phishing attacks started on email.

    Like sending an email to the wrong person, it's easy to do, especially when we're distracted, stressed, or tired. But, it doesn't just come down to psychology. Phishing scams are getting harder and harder to detect as hackers use increasingly sophisticated techniques to dupe us. 

    What are the consequences of falling for a phishing scam?

    Given the top five "types" of data that are compromised in phishing attacks (see below), the consequences of a phishing attack are virtually limitless. Identity theft. Revenue loss. Donor churn. A wiped hard drive.

    But, the top five "types" of data compromised in a phishing attack are:

    1. Credentials (passwords, usernames, PINs)
    2. Personal data (name, address, email address)
    3. Internal data (organization financials) 
    4. Medical (treatment information, insurance claims)
    5. Bank (account numbers, credit card information)

    Real-world example of a successful phishing attack

    In August 2020, the SANS Institute – a global cybersecurity training and certifications organization – revealed that nearly 30,000 accounts of PII were compromised in a phishing attack that convinced an end-user to install a self-hiding and malicious Office 365 add-on.

    While no passwords or financial information were compromised and all the affected individuals have been notified, the breach shows that anyone – even cybersecurity experts – can fall for phishing scams.

    But, most phishing attacks have serious consequences. According to one report, 60% of organizations lose data. 50% have credentials or accounts compromised. Another 50% are infected with ransomware. 35% experience financial losses.

    "I sent an unauthorized email"

    As a part of a larger cybersecurity strategy, most organizations will have policies that outline if and how employees can move data outside the network.

    Generally speaking, sending data to personal email accounts or third parties is a big no-no. So, why do people send such emails? It could be well-intentioned, like sending a spreadsheet to your personal email address to work over the weekend. However, it could be malicious, like sending trade secrets to a third party for a job opportunity.

    What are the consequences of sending an unauthorized email?

    Whether well-intentioned or malicious, the consequences are the same: if the email contains data, it could be considered a data loss incident or even a breach. In that case, the effects include:

    • Lost data
    • Lost intellectual property
    • Revenue loss
    • Losing donors and/or their trust
    • Regulatory fines
    • Damaged reputation

    No sensitive data involved? The consequences will depend on the organization and existing policies. But, you should (at the very least) expect a warning. 

    Real-world example of an unauthorized email

    In 2017, an employee at Boeing shared a spreadsheet with his wife in hopes that she could help solve formatting issues. While this sounds harmless, it wasn't. The personal information of 36,000 employees was exposed, including employee ID data, places of birth, and accounting department codes.

    How can I avoid making mistakes on email?

    The easiest answer is:

    1. Be vigilant.
    2. Double-check who you're sending emails to and what you're sending.
    3. Make sure you understand your company's policies when it comes to data.
    4. Be cautious when responding to requests for information or money. 
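    The "double-check who you're sending emails to" step above, and the typo and cc-versus-bcc mistakes described earlier, can be partly automated as a pre-send check that warns the sender before the message leaves the client. The following is an added example, not code from the original article or from any mail product it mentions; the organization domain (example.org), the address book, the similarity cutoff and the external-recipient threshold are all constructed assumptions for illustration.

```python
"""Pre-send recipient check: flag likely typos, first-time external
recipients, and long visible external recipient lists (added example).

All names and thresholds below are assumptions constructed for this
illustration, not values from the article or from any mail client.
"""
import difflib
from dataclasses import dataclass, field
from typing import List, Optional

ORG_DOMAIN = "example.org"        # assumed organisation domain
MAX_VISIBLE_EXTERNAL = 5          # assumed limit for external addresses in To/Cc
NEAR_MISS_CUTOFF = 0.9            # similarity ratio above which an address looks like a typo

# Constructed address book: addresses this sender has legitimately used before.
KNOWN_CONTACTS = {
    "jan.doe@gmail.com",
    "finance@example.org",
    "vip-events@example.org",
}


@dataclass
class Draft:
    """Minimal stand-in for a draft message's recipient headers."""
    to: List[str]
    cc: List[str] = field(default_factory=list)
    bcc: List[str] = field(default_factory=list)


def is_external(addr: str) -> bool:
    """True when the address is outside the organisation's own domain."""
    return addr.lower().rsplit("@", 1)[-1] != ORG_DOMAIN


def near_miss(addr: str) -> Optional[str]:
    """If addr is unknown but closely resembles a known contact (jon.doe vs
    jan.doe), return that contact; otherwise None."""
    addr = addr.lower()
    if addr in KNOWN_CONTACTS:
        return None
    matches = difflib.get_close_matches(
        addr, sorted(KNOWN_CONTACTS), n=1, cutoff=NEAR_MISS_CUTOFF
    )
    return matches[0] if matches else None


def check_draft(draft: Draft) -> List[str]:
    """Return human-readable warnings for the sender to confirm before sending.
    An empty list means nothing looked suspicious."""
    warnings = []
    visible = draft.to + draft.cc

    # 1. Possible typo of an address the sender has used before.
    for addr in visible + draft.bcc:
        suspect = near_miss(addr)
        if suspect:
            warnings.append(f"{addr}: looks like a typo of known contact {suspect}")

    # 2. External address the sender has never used before.
    external_visible = [a for a in visible if is_external(a)]
    for addr in external_visible:
        if addr.lower() not in KNOWN_CONTACTS:
            warnings.append(f"{addr}: external address never used before")

    # 3. Many external addresses exposed to each other in To/Cc (the cc-vs-bcc mistake).
    if len(external_visible) > MAX_VISIBLE_EXTERNAL:
        warnings.append(
            f"{len(external_visible)} external recipients in To/Cc; "
            "use Bcc to avoid exposing their addresses to one another"
        )
    return warnings


if __name__ == "__main__":
    # Constructed drafts illustrating the three checks.
    for draft in (
        Draft(to=["jon.doe@gmail.com"]),                               # typo of jan.doe
        Draft(to=["jan.doe@gmail.com"]),                               # known, fine
        Draft(to=["vip-events@example.org"],
              cc=[f"donor{i}@mail.test" for i in range(6)]),           # should have used Bcc
    ):
        print(draft, "->", check_draft(draft) or "no warnings")
```

The check is deliberately advisory: it returns warnings for the sender to confirm rather than blocking the send, because autocomplete and near-identical addresses are exactly the cases a human has to resolve. A real deployment would pull the address book from the mail client and tune the cutoff and threshold to the organization's traffic.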

    But vigilance alone isn't enough. To err is human, and, as we said at the beginning of this article, everyone makes mistakes. 
