Misdirected Email: The Workplace Faux Pas with a Shocking Price Tag

Hilary Tuttle

January 6, 2026

According to a recent study by human behavior security firm Abnormal AI, one of the most damaging and overlooked enterprise cybersecurity threats stems from a simple mistake we all have nightmares about: sending an email to the wrong person.

Of 300 security and IT professionals surveyed, 98% considered misdirected emails a significant cyberrisk compared to other risks like malware and insider threats. Misdirected emails are legitimate messages sent to the wrong recipient. While many might dismiss these as a harmless error in the modern workplace, misdirected emails can result in data breaches, regulatory violations, remediation costs and reputation damage. In fact, 96% of organizations experienced data loss or exposure from misdirected email in the past year, and 95% reported measurable business impact such as remediation costs, compliance violations or damage to customer trust. The violations can be costly: Abnormal AI reported misdirected emails accounted for 27% of all data protection incidents under GDPR last year, contributing to over $1.2 billion in fines worldwide. 

“This is a visibility problem as much as it is a technology one,” said Mike Britton, CIO at Abnormal AI. “Traditional tools cannot differentiate a legitimate customer email from a sensitive message going to the wrong recipient. Protecting data today requires more than defending against external threats—it means understanding and supporting human behavior.”

Hilary Tuttle is managing editor of Risk Management.