By Maddie Rosenthal at Tessian

So, you’ve accidentally sent an email to the wrong person. Don’t worry, you’re not alone. According to Tessian research, over half (58%) of employees say they’ve sent an email to the wrong person.

We call this a misdirected email and it’s really, really easy to do. It could be a simple spelling mistake, it could be the fault of Autocomplete, or it could be an accidental “Reply All”. But, what are the consequences of firing off an email to the wrong person and what can you do to prevent it from happening?

We’ll get to that shortly. But first, let’s answer one of the internet’s most popular (and pressing) questions: Can I stop or “un-send” an email?

Can I un-send an email?

The short (and probably disappointing) answer is no. Once an email has been sent, it can’t be “un-sent”. But, with some email clients, you can recall unread messages that are sent to people within your organization.

Below, we’ll cover Outlook/Office 365 and Gmail.

Recalling messages in Outlook & Office 365

Before reading any further, please note: these instructions will only work on the desktop client, not the web-based version. They also only apply if both you (the sender) and the recipient use a Microsoft Exchange account in the same organization or if you both use Microsoft 365.

In layman’s terms: You’ll only be able to recall unread emails to people you work with, not customers or clients. But, here’s how to do it.

Step 1: Open your “Sent Items” folder

Step 2: Double-click on the email you want to recall

Step 3: Click the “Message” tab in the upper left-hand corner of the navigation bar (next to “File”) → click “Move” → click “More Move Actions” → Click “Recall This Message” in the dropdown menu

Step 4: A pop-up will appear, asking if you’d like to “Delete unread copies of the message” or “Delete unread copies and replace with a new message”

Step 5: If you opt to draft a new message, a second window will open and you’ll be able to edit your original message

While this is easy enough to do, it’s not foolproof. The recipient may still receive the message. They may also receive a notification that a message has been deleted from their inbox. That means that, even if they aren’t able to view the botched message, they’ll still know it was sent.

More information about recalling emails in Outlook here.

Recalling messages in Gmail

Again, we have to caveat our step-by-step instructions with an important disclaimer: this option to recall messages in Gmail only works if you’ve enabled the “Delay” function prior to fat fingering an email. The “Delay” function gives you a maximum of 30 seconds to “change your mind” and claw back the email.

Here’s how to enable the “Delay” function.

Step 1: Navigate to the “Settings” icon → click “See All Settings”

Step 2: In the “General” tab, find “Undo Send” and choose between 5, 10, 20, and 30 seconds.

Step 3: Now, whenever you send a message, you’ll see “Undo” or “View Message” in the bottom left corner of your screen. You’ll have 5, 10, 20, or 30 seconds to click “Undo” to prevent it from being sent.

Note: If you haven’t set-up the “Delay” function, you will not be able to “Undo” or “Recall” the message.

More information about delaying and recalling emails in Gmail here.

So, what happens if you can’t recall the email? We’ve outlined the top six consequences of sending an email to the wrong person below.

What are the consequences of sending a misdirected email?

According to Verizon’s 2021 DBIR, misdelivery is the most common type of error to cause a breach. But is a breach the biggest consequence?

We asked employees in the US and UK what they considered the biggest consequences of sending a misdirected email. Here’s what they had to say.


Importantly, though, the consequences of sending a misdirected email depend on who the email was sent to and what information was contained within the email.

For example, if you accidentally sent a snarky email about your boss to your boss, you’ll have to suffer red-faced embarrassment (which 36% of employees were worried about).

If, on the other hand, the email contained sensitive customer, client, or company information and was sent to someone outside of the relevant team or outside of the organization entirely, the incident would be considered a data loss incident or data breach. That means your organization could be in violation of data privacy and compliance standards and may be fined. But, incidents or breaches don’t just impact an organization’s bottom line. It could result in lost customer trust, a damaged reputation, and more.

Let’s take a closer look at each of these consequences.

Fines under compliance standards.

Both regional and industry-specific data protection laws outline fines and penalties for the failure to implement effective security controls that prevent data loss incidents. Yep, that includes sending misdirected emails.

Under GDPR, for example, organizations could face fines of up to 4% of annual global turnover, or €20 million, whichever is greater.

And these incidents are happening more often than you might think. Misdirected emails are the number one security incident reported to the Information Commissioner’s Office (ICO). They’re reported 20% more often than phishing attacks.

Lost customer trust and increased churn.

Today, data privacy is taken seriously… and not just by regulatory bodies.

Don’t believe us? Research shows that organizations see a 2-7% customer churn after a data breach and 20% of employees say that their company lost a customer after they sent a misdirected email.

A data breach can (and does) undermine the confidence that clients, shareholders, and partners have in an organization. Whether it’s via a formal report, word-of-mouth, negative press coverage, or social media, news of lost – or even misplaced – data can drive customers to jump ship.

Revenue loss.

Naturally, customer churn + hefty fines = revenue loss. But, organizations will also have to pay out for investigation and remediation and for future security costs.

How much? According to IBM’s latest Cost of a Data Breach report, the average cost of a data breach today is $3.86 million.

Damaged reputation.

As an offshoot of lost customer trust and increased customer churn, organizations will – in the long-term – also suffer from a damaged reputation. Like we’ve said: people take data privacy seriously.

That’s why, today, strong cybersecurity actually enables businesses and has become a unique selling point in and of itself. It’s a competitive differentiator. Of course, that means that a cybersecurity strategy that’s proven ineffective will detract from your business.

But, individuals may also suffer from a damaged reputation or, at the very least, will be embarrassed. For example, the person who sent the misdirected email may be labeled careless and security leaders might be criticized for their lack of controls. This could lead to….

Job loss.

Unfortunately, data breaches – even those caused by a simple mistake – often lead to job losses. It could be the Chief Information Security Officer, a line manager, or even the person who sent the misdirected email.

It goes to show that security really is about people.

Previous Post Next Post