Abnormal AI’s latest report titled 2025 State of Misdirected Email Prevention: Keeping Sensitive Data Out of the Wrong Inboxes, flips a familiar narrative: some of the biggest email‑security problems aren’t hackers at all, but employees who click the wrong name in an address field. The “2025 State of Misdirected Email Prevention” study surveyed just over 300 security and IT leaders and found nearly everyone has a story about internal mistakes. Ninety‑eight percent of those leaders said sending email to the wrong person is a major risk—higher than malware or insider threats. In practice, 96 percent of respondents had experienced data loss or exposure from misdirected messages in the past year, and 95 percent said those incidents cost them time, money or credibility.
What worries the respondents isn’t just the frequency of these slips, but the fact that they often go unnoticed. Almost half of misdirected emails are discovered only when the unintended recipient speaks up. Traditional data‑loss prevention tools aren’t built for such benign mistakes; they churn out thousands of false alerts—about 400 hours’ worth of triage each year, on average. Misdirected emails also have regulatory consequences: they accounted for roughly 27 percent of all data‑protection incidents under the GDPR last year, contributing to more than $1.2 billion in fines.
The report argues that tools focused on blocking inbound threats won’t fix this human‑error problem. Instead, behavioral AI—systems that learn each user’s usual correspondence patterns and flag oddities—could spot a sensitive file addressed to the wrong colleague. Ninety‑seven percent of surveyed professionals think this approach would help prevent accidental data loss. “Enterprises have invested heavily in stopping phishing, but outbound email remains a major vector for human error,” said Abnormal CIO Mike Britton. He adds that reducing misdirected emails means understanding and supporting how people actually work, not just catching malicious outsiders.
