Like most professionals, you use out-of-office (OOO) auto-reply emails to inform your colleagues and clients about your absence from the office. You also provide alternative contact information for urgent needs while you are away. Sometimes, that auto-reply email may capture details about your destination while away from the office.
While this may seem like the responsible thing to do, it may put your business at risk without you knowing it. The spirit of the out-of-office auto-responder has always been to provide helpful contact information while you are away from work, but that same information can now be turned against you.
Out-of-office auto-replies pose a significant security risk for your business. The information these auto-reply emails carry provides attackers with surreptitious ways of accessing corporate networks. Consider this scenario: You are leaving the office for your annual vacation, and you, therefore, write an out-of-office email that contains:
The dates when you will leave the office and when you will report back
The contact information of your colleague who will stand in for you during that time, including their name, position, email, and phone numbers
Details about your destination
The alternative contact information people can use to reach you while you’re away.
Such an email seems harmless on the surface, but not where the security of your company is concerned. If this information falls into the wrong hands, it can open doors for financial fraud and phishing attacks.
The Security Risk of Out-of-Office Emails
Depending on the information you provide in the email, you unwittingly give hackers everything they need to carry out a Business Email Compromise (BEC) scam. In such attacks, the scammer impersonates a senior employee and attempts to coerce the recipient into fulfilling a fraudulent request, such as wiring company money.
All they need is to slightly modify your email address to impersonate you based on the information you provided in the email. They will exploit your absence to access confidential data or transfer funds since they already know where you are and for how long. How do hackers use this information to their advantage?
Legitimizing an email address: your out-of-office email gives hackers the assurance that your email address exists and is functional. This legitimacy is crucial for hackers because, once they know the format of one valid address, they can reconstruct the addresses of other employees in your company. For example, if your address follows a first-name.last-name pattern at your company's domain, a hacker will assume that the address of an employee named Jeff at the same company follows the same pattern.
Gaining a definite attack window: since the attacker knows how long you’ll be away from the office, they have a verified period to exploit your absence from the office. They can also use this information to plan for physical security attacks.
Accessing sensitive company data: attackers can launch a social engineering attack by leveraging the information in an out-of-office email. For example, they could pretend to be you and use the trip details to request sensitive information about the company.
Enhancing their knowledge base: your out-of-office email could add to a knowledge base that hackers already have about your company. It could open ways for them to gather more information, followed by an attack.
Cyberattacks based on OOO messages are more common than most people think. Statistics show that they make up a large part of the cybercrime industry, with companies losing approximately $12 billion to BEC scams. Fortunately, there are steps you can take to protect your company from OOO-based cybersecurity incidents.
Cutting Down the Risk from Out-of-Office Messages
While you may not be able to do away with out-of-office messages, you can take some steps to reduce the security risk they carry. Consider doing the following the next time you’re away from the office:
Be careful with the wording in your email: instead of telling your recipients that you will be somewhere, simply state that you will be unavailable. Being unavailable could mean that you are still in the office but held up with other duties and hence unable to reply to emails. This keeps bad actors from knowing where you are.
Don’t provide contact info: avoid giving phone numbers or email addresses in your OOO message. Instead, tell the recipients that you will be monitoring your account for any emails that require urgent action.
Separate internal auto-responders from external ones: OOO replies are sent to everyone who emails you, whether within the company or outside. You can reduce the risk these emails pose by creating separate auto-responders for internal and external recipients. The external reply should exclude sensitive information, while the internal one can be a little more detailed. Alternatively, you can change your email settings so that the auto-responder only goes to internal recipients. This way, your email address will not be confirmed as active to an attacker.
Remove corporate information and personal details: for out-of-office replies, it’s not a wise idea to include a backup contact from within the organization. If you must do so, don’t provide the title of the contact person, as this reveals the chain of command and specific roles within the company. You also want to avoid including personal contact information, like your phone number and other sensitive details, in your signature.
Train your staff: make it a habit to train your employees on security issues. For example, they should know how to identify suspicious emails, not click on attachments and links whose source they don’t know, and always verify the source of the emails they receive.
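The advice above on wording and on separating internal from external auto-responders can be enforced in the mailbox configuration rather than left to each user. The following is an added example, not code from the original post, using the Exchange Online PowerShell cmdlets; the mailbox address, dates, colleague, destination and phone number are constructed placeholders, and it assumes the operator has a role that may manage mailbox auto-reply settings.

```powershell
# Added example (not from the original post): configure a scheduled out-of-office
# reply in Exchange Online so that internal senders get the detailed reply while
# external senders get a minimal one, or none at all.
# Assumes the ExchangeOnlineManagement module is installed and the operator may
# manage mailbox auto-reply settings. "alice@contoso.example" is a placeholder
# mailbox identity; all dates, names and numbers below are constructed.

Connect-ExchangeOnline

# Weak setting: one detailed reply that goes to everyone, including unknown
# external senders. It confirms the mailbox is live, gives the exact absence
# window, names the destination, and identifies a colleague with their title
# and phone number, which is everything a BEC scammer wants.
$risky = "I am in Lisbon until 17 June. For urgent matters contact Jeff Smith, Finance Director, on +1 555 0100."
Set-MailboxAutoReplyConfiguration -Identity "alice@contoso.example" `
    -AutoReplyState Scheduled `
    -StartTime "2024-06-03 08:00" -EndTime "2024-06-17 08:00" `
    -ExternalAudience All `
    -InternalMessage $risky `
    -ExternalMessage $risky

# Hardened setting: the more detailed reply stays internal (no title, no phone),
# and external senders get a short "unavailable" reply with no dates, destination,
# roles or contact details. -ExternalAudience Known limits even that reply to
# senders already in the user's contacts; use None to send no external reply at
# all, so an attacker's probe gets no confirmation that the address is active.
Set-MailboxAutoReplyConfiguration -Identity "alice@contoso.example" `
    -AutoReplyState Scheduled `
    -StartTime "2024-06-03 08:00" -EndTime "2024-06-17 08:00" `
    -ExternalAudience Known `
    -InternalMessage "I am out of the office and back on 17 June. Jeff Smith is covering my work in the meantime." `
    -ExternalMessage "I am currently unavailable and will reply to your message as soon as I can."

# Verify what was actually applied before the absence starts.
Get-MailboxAutoReplyConfiguration -Identity "alice@contoso.example" |
    Select-Object AutoReplyState, StartTime, EndTime, ExternalAudience, ExternalMessage

Disconnect-ExchangeOnline -Confirm:$false
```

An administrator can run the same cmdlets across all mailboxes to audit for auto-replies with ExternalAudience set to All, which is the quickest way to find the risky configuration the post warns about.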
Your out-of-office messages pose a security threat to your company, although you may not be aware of it. You don’t have to stop using them altogether, but you can take steps to reduce the risk they carry. Cut out the details about your destination and don’t provide your personal contact details. Also, avoid revealing too much about the co-worker who will step in for you while you’re away. Instead, keep your OOO messages short, telling recipients that you’ll get back to them as soon as you can.
If you are concerned with any aspects of your company networks and systems security, you need to contact an IT professional. Colorado Computer Support experts are here to provide reliable IT services for your company in Colorado Springs. Contact us to schedule a consultation for all your business IT needs.
Certified and Verified Service-Disabled Veteran-Owned Small Business (SDVOSB)
Colorado Computer Support is a local IT company certified and verified service-disabled veteran-owned Small Business. When you use our IT services in Colorado Springs, you can be confident that you are dealing with a Colorado Springs company owned by a disabled veteran and that they will be able to provide you with the best possible IT support.