Out-of-office auto-reply email messages notify clients and co-workers that you are away, and they also provide contact information for those who need to reach you during your absence.
Setting one up appears to be the responsible thing to do, but that is not always true. Out-of-office auto-responses can be a huge security risk for a company. In some cases, they can reveal a plethora of sensitive information about you to anyone who contacts you by email while you’re gone.
- An Example of an Out-of-Office Response
- Data on the current location
- Contact Information
- Location of employment, job title, line of business, and chain of command are all important factors to consider.
- Create a more secure out-of-office auto-reply message for your company.
- Do not include any contact information
An Example of an Out-of-Office Response
Bill Smith is the Vice President of Operations of Widget Corporation. He can be reached at [email protected]. He wrote this message:
My absence from the office will be due to the XYZ conference in Burlington, Vermont, which will take place from June 1-7. In the event that you require assistance with an invoice during this period, please contact my employer, Joe Somebody, at (555) 1212 for assistance. If you need to reach me while I’m away, you can do so by calling my cell phone at 555-1011 during business hours.
While this message may be helpful to some recipients, it discloses a great deal of potentially sensitive information to anyone who receives it, including people who have no need to know it. Criminals or hackers may use this information in social engineering schemes to their advantage.
The example out-of-office reply above gives an attacker the following:
Data on the current location
Because you are broadcasting your location, you make it easier for attackers to track you down. This would be a perfect opportunity for a robber to take advantage of you. In Bill’s case, he mentioned that he would be attending the XYZ conference, so they would know where to look for him. Furthermore, they know that he is not in his office and that they may be able to talk their way into it by saying something along the lines of: “I was directed by Bill to pick up the XYZ report. He stated that it was on his desk. If I pop into his office and grab it, are you cool with that?” An overworked secretary may easily allow a stranger inside Bill’s office if the explanation provided is convincing.
Contact Information
Scammers may use Bill’s contact information to put together the pieces of the puzzle that will allow them to commit identity theft. They now know his e-mail address, his work and cell phone numbers, and the name and contact information of his boss.
When someone writes an email to Bill while his auto-reply feature is on, his e-mail server automatically responds with the auto-reply, which confirms to the sender that Bill’s e-mail address is legitimate. Spammers take great pleasure in receiving confirmation that their spam reached an actual person. As a verified hit, Bill’s address will very probably be added to other spam lists.
Location of employment, job title, line of business, and chain of command are all important factors to consider
It is common for your signature block to include information about your job title, your employer (which also shows the nature of your employment), your e-mail address, and both your phone and fax numbers. If you use the phrase “during my absence, please contact my supervisor, Joe Somebody,” you have also revealed your reporting structure and chain of command to the recipient.
Social engineers may use this knowledge in impersonation attacks. For example, they could contact your company’s human resources department and say: “This is Joe Somebody. The company’s tax filings must be updated while Bill Smith is away, and I need his Employee Identification Number as well as his Social Security Number in order to complete the update.”
Many out-of-office message options allow you to restrict the reply to members of your host e-mail domain, but the vast majority of people have clients and customers outside of the hosting domain, which makes this option essentially pointless for them.
Create a more secure out-of-office auto-reply message for your company
Instead of saying that you will be absent, consider saying that you will be “unavailable.” Someone who is unavailable could still be in town or attending a training program at the office. This helps conceal your actual whereabouts from the bad guys.
Conclusion: Do not include any contact information
Do not list any phone numbers or email addresses in your auto-reply. Tell senders that you will be keeping an eye on your email account in case they need to communicate with you.
Keep your personal information to a bare minimum and do away with the signature block.
Always remember that your auto-reply may be seen by people who are completely unrelated to you, as well as by scammers and spammers. If you would never give this information to a stranger, don’t include it in your auto-reply.
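A draft auto-reply can be checked against the kinds of disclosure this article lists before it is switched on. The following is an added example, not part of the original article: the `audit` function, the category patterns and the wording of the safer reply are assumptions made for illustration, and the risky text is Bill's sample message from above.

```python
import re

# Categories follow the article's headings. The regexes are heuristic
# assumptions and will miss or over-match some phrasings.
CHECKS = {
    "phone number": r"\(?\d{3}\)?[ .-]\d{4}\b",
    "email address": r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+",
    "dates of absence": (
        r"\b(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\.?"
        r"\s\d{1,2}(?:\s?[-–]\s?\d{1,2})?"
    ),
    "whereabouts or reason": (
        r"\b(?:conference|vacation|holiday|trip|absence from the office"
        r"|out of (?:the )?(?:office|town|country))\b"
    ),
    "chain of command": r"\b(?:my|our) (?:supervisor|manager|boss|employer|director)\b",
}


def audit(text):
    """Return {category: [matched text, ...]} for every category found."""
    findings = {}
    for category, pattern in CHECKS.items():
        hits = [m.group(0) for m in re.finditer(pattern, text, re.IGNORECASE)]
        if hits:
            findings[category] = hits
    return findings


# Bill's sample message from the article.
RISKY = (
    "My absence from the office will be due to the XYZ conference in "
    "Burlington, Vermont, which will take place from June 1-7. In the event "
    "that you require assistance with an invoice during this period, please "
    "contact my employer, Joe Somebody, at (555) 1212 for assistance. If you "
    "need to reach me while I'm away, you can do so by calling my cell phone "
    "at 555-1011 during business hours."
)

# Constructed reply that follows the article's advice: "unavailable",
# no contact details, no signature block.
SAFER = (
    "I am currently unavailable. I will be monitoring my email and will "
    "respond to your message as soon as I can."
)

if __name__ == "__main__":
    for name, draft in (("risky", RISKY), ("safer", SAFER)):
        print(name, audit(draft) or "no findings")
```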