Avoid out-of-office spoofing this holiday season
Out-of-office messages are a common way of letting your clients, co-workers, and other contacts know you’re away from the office and when you’ll be back. They also provide alternative contact information for urgent matters or requests. However, these autoreplies can pose serious security risks if not crafted carefully.
Imagine, for a moment, that you’re going on holiday. Would you disclose your location, duration of absence, reporting structure, and contact information to all your neighbours, clients, and acquaintances?
What makes out-of-office messages risky?
Often, these messages contain sensitive information about you, the organisation, and the alternative contacts you mention. Cybercriminals can use this information to target you or the company.
According to a 2022 IBM report, stolen or compromised credentials were the primary attack vector in 19% of data breaches, and phishing attacks had the longest lifecycle, taking 327 days to identify and contain.
Information that out-of-office messages can expose includes:
1. Current location and timeline
An autoreply tells cybercriminals where you are and when. For example, if you disclose that you’re attending a conference in another city, they know you aren’t at the office. This information can help them execute a cyber-attack.
2. Contact information and reporting structure
Disclosing your contact information or that of your supervisor or colleague can help cybercriminals launch phishing, vishing, or spear phishing attacks, in which they pretend to be you or someone you trust and ask for sensitive information or money. It can also confirm that your email address is valid and active, increasing the spam you receive.
3. Employment details and chain of command
Revealing the kind of work you do, your company, your role and responsibilities, and who you report to or work with gives cybercriminals insight into the organisation. They’ll also learn how to craft more convincing and targeted messages or calls to trick you or your co-workers into divulging confidential information or granting access to your systems and accounts.
How to avoid the risks of out-of-office messages
1. Limit the scope and audience
Only send out-of-office messages to clients, co-workers, and business partners who need to know you’re away. Use email settings to restrict who can receive your OOO messages, such as your contact list or organisation. Additionally, avoid sending them to external or public email addresses on newsletters, mailing lists, or online services.
2. Be vague and brief
Never give too much detail about why you’re away, where you are, or how long you’ll be gone. Avoid mentioning specific dates, times, and locations, or implying that you’re on vacation. Instead, use general terms like “I’m currently out of the office” or “I will be unavailable”.
3. Securely manage your emails while away
Instead of providing personal or direct contact information, consider redirecting emails to a monitored generic or shared email address. This approach allows someone to discreetly manage your emails in your absence, ensuring a seamless flow of communication while minimising potential risks.
4. Avoid personal or sensitive information
We often include information without realising it’s too personal or sensitive, such as health issues or family situations. This can compromise your privacy and security and make you vulnerable to fraud and cyber-attacks.
Example of a safer out-of-office message
Hi there,
Thank you for your email. Kindly note that I am currently unavailable and will be monitoring my mailbox periodically. For any urgent requests please email [generic email address] and a relevant person will be in touch to assist you. Alternatively, I will respond on my return.
Kind Regards
[Your name]
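The guidance above can be turned into a pre-send check for autoreply drafts. The following is an added example, not part of the original article: the function name, keyword lists, generic-mailbox allowlist and both sample drafts are constructed assumptions to be tuned to your own policy.

```python
import re

# Keyword lists and patterns are illustrative assumptions, not a complete policy.
MONTH = (r"(?:jan(?:uary)?|feb(?:ruary)?|mar(?:ch)?|apr(?:il)?|may|june?|july?"
         r"|aug(?:ust)?|sep(?:tember)?|oct(?:ober)?|nov(?:ember)?|dec(?:ember)?)")
RULES = {
    "specific date": re.compile(
        rf"\b(?:\d{{1,2}}(?:st|nd|rd|th)?\s+{MONTH}|{MONTH}\s+\d{{1,2}}"
        rf"|\d{{1,2}}[/-]\d{{1,2}}(?:[/-]\d{{2,4}})?)\b", re.I),
    "reason or location": re.compile(
        r"\b(?:vacation|holiday|annual leave|conference|travell?ing|abroad"
        r"|sick|hospital|surgery)\b", re.I),
    "phone number": re.compile(r"(?<!\w)\+?\d[\d\s().-]{7,}\d"),
    # A verb followed by a capitalised first and last name, e.g. a named colleague.
    "named contact": re.compile(
        r"\b(?i:contact|call|email|reach)\s+(?:my\s+\w+\s+)?[A-Z][a-z]+\s+[A-Z][a-z]+"),
    "reporting structure": re.compile(
        r"\bmy\s+(?:line manager|manager|supervisor|boss|director)\b", re.I),
}
EMAIL = re.compile(r"([\w.+-]+)@[\w-]+(?:\.[\w-]+)+")
# Shared mailboxes are the recommended alternative, so they are not flagged.
GENERIC_MAILBOXES = {"support", "info", "helpdesk", "service", "enquiries"}

def review_autoreply(text):
    """Return {category: [matched snippets]} for risky disclosures in a draft."""
    findings = {}
    for category, pattern in RULES.items():
        hits = [m.group(0).strip() for m in pattern.finditer(text)]
        if hits:
            findings[category] = hits
    personal = [m.group(0) for m in EMAIL.finditer(text)
                if m.group(1).lower() not in GENERIC_MAILBOXES]
    if personal:
        findings["direct email address"] = personal
    return findings

# Constructed sample drafts: one over-sharing, one following the safer template.
RISKY_DRAFT = ("Hi, I'm on vacation in Cape Town from 18 December to 5 January. "
               "For urgent matters contact my manager Jane Doe on "
               "+27 21 555 0100 or jane.doe@example.com.")
SAFER_DRAFT = ("Thank you for your email. Kindly note that I am currently "
               "unavailable and will be monitoring my mailbox periodically. "
               "For any urgent requests please email [generic email address].")

if __name__ == "__main__":
    for name, draft in (("risky", RISKY_DRAFT), ("safer", SAFER_DRAFT)):
        print(name, review_autoreply(draft))
```

An empty result means none of these patterns matched; it does not replace a human read of the message before it is enabled.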
Mitigate security risks this festive season
Although out-of-office messages are useful for communicating your availability and expectations, they can pose a serious security risk if not approached mindfully. Protect yourself and the business from potential attacks during the holiday season.