Many professionals use out-of-office auto-reply messages to tell clients and co-workers that they are away and whom to contact in the meantime. It seems like the responsible thing to do, right? Not necessarily. An out-of-office reply is sent to anyone who happens to e-mail you while you are gone, including strangers, spammers and social engineers, and it can hand them a surprising amount of sensitive information about you.
Example of a Common Out-Of-Office Reply
I will be out of the office at the XYZ conference in Burlington, Vermont, during the week of June 1-7. If you need any help with invoice-related issues during this time, please contact my supervisor, Joe Somebody at 555-1212. If you need to reach me during my absence you can reach me on my cell at 555-1011.
Bill Smith – VP of Operations – Widget Corp
Smithb@widgetcorp.dom
555-7252
While the message above is helpful to its intended readers, it reveals a wealth of potentially sensitive information to everyone else, and that information is exactly what a criminal needs for a social engineering attack.
The example out-of-office reply above provides an attacker with:
Current Location Information
Stating where you are also tells an attacker where you are not. If you say you are in Vermont, they know you are not at your home in Virginia, which makes this a convenient time to burgle it. Naming the XYZ conference (as Bill did) tells them where to find you in person. They also know you are not in your office, and may try to talk their way into it with a story such as:
“Bill told me to pick up the XYZ report. He said it was on his desk. Do you mind if I pop in his office and grab it?” A busy receptionist might well let a stranger into Bill’s office if the story sounds plausible.
Contact Information
The contact information Bill revealed helps a scammer piece together the elements needed for identity theft or further impersonation. They now have his e-mail address, his work and cell numbers, and his supervisor’s name and number as well.
A Confirmed, Live E-mail Address
Whenever anyone e-mails Bill while his auto-reply is on, his mail server answers automatically. That answer confirms that Bill’s address is valid and actively read. Spammers value that confirmation: an address that sends back an auto-reply is a verified target, and Bill’s address will likely be added to other spam lists as a confirmed hit.
Place of Employment, Job Title, Line of Work, and Chain of Command
Your signature block often provides your job title, the name of the company you work for (which also reveals what type of work you do), your e-mail, and your phone and fax numbers. If you added “while I’m out, please contact my supervisor, Joe Somebody” then you just revealed your reporting structure and your chain of command as well.
Social engineers can use this information for impersonation attacks. For instance, they could call your company’s HR department pretending to be your boss and say:
“This is Joe Somebody. Bill Smith is off on a trip and I need his Employee ID and Social Security Number so I can correct his company tax forms.”
Some mail systems let you restrict the auto-reply so that it is sent only to senders inside your own e-mail domain. That is worth enabling where you can, but most people also have clients and customers outside the domain who expect some kind of reply, so the restriction alone does not solve the problem.
Create a Safer Out-of-Office Auto-Reply Message
Don’t Reveal Your Location
Instead of saying where you will be, say that you will be “unavailable.” Unavailable could mean you are still in town, or even in the office taking a training class. It keeps the bad guys from knowing where you really are, and where you are not.
Don’t Provide Contact Info
Don’t give out phone numbers or alternate e-mail addresses. Say instead that you will be monitoring your e-mail, so anyone who genuinely needs you can still reach you through the one channel they already have.
Avoid Personal Information and Remove Your Signature Block
Remember that complete strangers, including scammers and spammers, may see your auto-reply. If you would not hand your signature information to a stranger, don’t put it in your auto-reply.
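The domain restriction mentioned earlier and the three rules above (no location, no contact numbers, no signature block) can be applied together on an Exchange Online mailbox, which keeps a detailed message for co-workers and a minimal one for everyone else. The following is an added example written for this page, not configuration from the original article; it assumes the ExchangeOnlineManagement PowerShell module, an admin account admin@widgetcorp.dom and a mailbox bsmith@widgetcorp.dom, all of which are hypothetical, and it uses the cmdlets Set-MailboxAutoReplyConfiguration and Get-MailboxAutoReplyConfiguration as Microsoft documents them.

```powershell
# Added example (not from the original article). Assumes the
# ExchangeOnlineManagement module is installed and that the admin account
# and mailbox names below exist; both names are hypothetical.
Connect-ExchangeOnline -UserPrincipalName admin@widgetcorp.dom

$mailbox = 'bsmith@widgetcorp.dom'

# Full detail for co-workers only. Internal senders are already inside the
# organisation, so dates, the delegate and a phone number are acceptable here.
$internalMessage = @"
I am out of the office June 1-7. For invoice-related issues please contact
Joe Somebody at extension 1212. For anything urgent, call my cell, 555-1011.
"@

# Minimal message for everyone else: no location, no phone numbers,
# no chain of command, no signature block. Only "unavailable" plus the
# assurance that the mailbox is being monitored.
$externalMessage = @"
Thank you for your message. I am currently unavailable and will reply when
I return. I am monitoring this mailbox periodically.
"@

# ExternalAudience controls who outside the domain receives any reply at all:
#   None  = external senders get nothing (strongest; also stops address confirmation)
#   Known = only external senders already in the user's Contacts folder
#   All   = everyone, including spammers probing for live addresses
# The dates below are an assumed year for the article's June 1-7 example.
Set-MailboxAutoReplyConfiguration -Identity $mailbox `
    -AutoReplyState Scheduled `
    -StartTime (Get-Date '2024-06-01') `
    -EndTime (Get-Date '2024-06-08') `
    -InternalMessage $internalMessage `
    -ExternalMessage $externalMessage `
    -ExternalAudience Known

# Check what an external sender (or a spammer) would actually receive.
Get-MailboxAutoReplyConfiguration -Identity $mailbox |
    Select-Object AutoReplyState, ExternalAudience, ExternalMessage
```

The verification step at the end matters: users frequently type a single message into the mail client, which then goes to both audiences, so read back ExternalMessage and ExternalAudience rather than trusting what was entered. If an external reply is not needed at all, ExternalAudience None also removes the "live address" confirmation that spammers harvest.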