How Jiminy helps stop data exfiltration

If you or your company sends personal, sensitive, confidential, or secret data via email, then sooner or later you or somebody in your company is going to send that information to the wrong person. It's as simple as typing the name of the person you intend to send the email to and then Outlook shifting the order of the suggested recipients right before you click. It can also be as complex as a sophisticated scammer attempting to socially engineer one of your employees to send them information you'd rather they not have sent, using a name and/or domain that's very close at first glance to a trusted one. Once this happens, regardless of if the information was sent to a bad actor or simply another friendly, but unrelated, person or company, it may invoke legal or regulatory reporting requirements of such a security incident. Those reporting requirements will vary industry-to-industry, state-to-state, and country-to-country. While the specifics of those reporting requirements are beyond the scope of this post, I'd like to help you prevent them in the first place.

One of the first line of defenses that companies consider is to disable the Outlook auto-complete functionality. This is the leading cause of data exfiltration as it's very easy to click a similar, but wrong, name in the list. This is usually discovered either when the recipient helpfully replies that they might not have been the one the email was supposed to go to or when the originally intended recipient places an inquiry as to why they didn't receive the data. This is assuming that you even become aware that something that may have created a legal liability or loss of trust has happened. A lot of money and jobs have been lost over this easy-to-make mistake. But turning off the auto-complete functionality often elicits a negative (sometimes viscerally so) reaction in employees who have essentially just lost a feature that makes their day-to-day lives much easier. Nearly every company I've seen attempt this strategy has ultimately ended up re-enabling the functionality after the massive outcry from frustrated users. This also opens a window for typos in addresses now that everything has to be done manually and does nothing to protect from social engineering attacks.

Can I unsend an email sent through Microsoft Outlook?

Microsoft Outlook supports unsending a message though functionality is very limited. Though the message recall functionality can be employed in limited situations, it's not a very effective way to unsend an email. It relies on the message not being seen or previewed, and largely only works in ideal situations where the recipient Outlook is controlled by the same Exchange server. Email clients are under no obligation to honor this request and most non-Outlook clients do not. Additionally, a recall message is sent to the recipient which tends to shine light on the mistake. With that said, message recall is, at best, a way to correct errors on emails sent internally where it's not critical that the message never be seen.

The cost of one of these mistakes can be tremendous. I've sat in numerous high-stakes crisis meetings that largely originated from what came down to a clerical error. I've also been in those same meetings that came from highly skilled attackers specifically targeting your users by registering a domain that's very close in appearance to a trusted domain and tricking people into sending them information. The domains "" and "", for example, look exceedingly similar. Once the attackers have that information, they're able to use it in the next stage of their scam. Needing to pay a forensics company to discover the sources of these breaches can further dramatically drive up costs. Awareness trainings are often a proposed threat mitigation strategy. While these are incredibly important as security is a team sport, the expectation then often becomes for humans to be consistenly and unfaulteringly vigilant every single time. Expecting every employee, especially the new ones, to perfectly execute every email and not occasionally send a sensitive financial document to Bob the intern rather than Bob the CFO is a gamble at best. No matter how good your training is. Complacency begins to creep in when there has not been an incident for a while. Once it's happened, it's nearly impossible to undo. Recalling emails are questionably effective and requires all systems (even ones out of your control) to be setup correctly and for the incident to be discovered before the recipient has read the email. Outside the reporting requirements, it can be difficult to repair the broken trust such an incident can cause with multiple parties.

What can I do if I've sent an email to the wrong person?

Expecting humans to be performing flawlessly at all times is a ticking time bomb. As an additional safety measure, you can simply install the Jiminy Microsoft Outlook add-in. By looking at your previous habits, Jiminy is able to ascertain to a degree of accuracy if you are about to make this mistake and can warn you about it. Just as you would check spelling or grammatical warnings, Jiminy can warn you about potential recipient mistakes using state-of-the-art machine learning technologies.