One in four employees lost their job in the last 12 months after making a mistake that compromised their company’s security, according to new data by Tessian, an email security company.

The new report, which explores why people make errors at work, also found that:

  • 26% fell for a phishing email at work in the last 12 months.
  • 40% of employees sent an email to the wrong person, with almost 29% saying their business lost a client or customer because of the error.
  • 36% of employees have made a mistake at work that compromised security, and fewer report their mistakes to IT.

When asked why these mistakes happened, half of the employees said they had sent emails to the wrong person because they were under pressure to send the email quickly, up from 34% reported by Tessian in its 2020 study. Over two-fifths of respondents cited distraction and fatigue as reasons for falling for phishing attacks. More employees attributed their mistakes to fatigue and distraction in the past year versus figures reported in 2020, likely brought on by the shift to hybrid working.

People are falling for more advanced phishing attacks

While the number of employees who fell for phishing attacks only increased by 1% in the last 12 months, people were far more likely to fall for more advanced phishing attacks than in 2020.

Over half of employees (52%) said they fell for a phishing email because the attacker impersonated a senior executive at the company, up from 41% reported in 2020. In comparison, click-through rates on phishing emails whereby threat actors impersonated well-known brands dropped. 

People were also susceptible to phishing attacks over SMS (smishing), with one-third of respondents being duped by a smishing request in the last 12 months, compared to 26% of those who fell for phishing scams over email. Older employees were more susceptible to smishing attacks; one-third of respondents aged over 55 complied with requests in smishing scams versus 24% of 18-to 24-year-olds.

The consequences for accidental data loss are more severe

On average, a U.S. employee sends four emails to the wrong person every month, and organizations are taking tougher action in response to these mistakes that compromise data. Nearly a third of employees (29%) said their business lost a client or customer after sending an email to the wrong person, up from 20% in 2020.One in four respondents (21%) also lost their job because of the mistake, versus 12% in July 2020. 

Over 35% of respondents had to report the accidental data loss incidents to their customers, breaking the trust they had built. Businesses also had to report the incidents to regulators. The number of data breaches reported to the Information Commissioner’s Office caused by data sent to the wrong person via email, was 32% higher in the first nine months of 2021 than in 2020.

Employees are fearful of reporting mistakes

With harsher consequences in place, Tessian found that fewer employees reported their mistakes to IT. Almost one in four (21%) said they didn’t report security incidents, versus 16% in 2020, resulting in security teams having less visibility of threats in the organization.

Josh Yavor, CISO at Tessian, said, “We know that the majority of security incidents begin with people’s mistakes. For IT and security teams to be successful, they need visibility into the human layer of an organization, so they can understand why mistakes are happening and proactively put measures in place to prevent them from turning into serious security incidents. This requires earning the trust of employees; and bullying employees into compliance won’t work. Security leaders need to create a culture that builds trust and confidence among employees and improves security behaviors, by providing people with the support and information they need to make safe decisions at work.”

To read the full report, visit