Out-of-office replies: How not to spill too many beans

The hidden dangers of out-of-office messages.

Before a vacation or business trip, many employees configure an autoreply to incoming e-mails so that clients and colleagues know who to contact in their absence. Usually such messages include the duration of the trip, contact details of cover staff, and sometimes information about current projects.

Autoreplies may seem harmless, but they can be a business risk. If an employee does not restrict the list of recipients, the autoreply will go to anyone whose e-mail ends up in the Inbox folder — and it could be a cybercriminal or spammer who has managed to bypass the filters. The information in the autoreply could even be enough to carry out a targeted attack.

One line, big trouble

In the case of spammers, the autoreply lets them know that the email address is valid and belongs to a specific person. It tells them the person’s first name, last name, and position. The signature often contains a phone number, too.

Spammers usually fire out messages to addresses from a huge database, which gradually becomes outdated and less effective. But when a real person is detected at the end of the line, the cybercriminals mark them as a viable target and start mailing much more often. They may even call. But that’s far from the worst of it.

If the autoreply is sent in response to a phishing e-mail, the information it provides about cover staff, including their names, positions, work schedules, and even telephone numbers, can be used to organize an effective spear-phishing attack. The problem doesn’t affect just large companies. In fact, autoreplies are easy pickings: data treasure troves for all kinds of social engineering purposes.

What might cybercriminals do

Imagine that Peter goes on vacation, leaving a detailed auto reply. For example: “I will be out of the office until March 27. For issues concerning the Camomile project, please contact Tati (e-mail, phone number). The Medusa redesign is being handled by Andrew (address, phone number).”

Now, Andrew receives a message that appears to be from the director of Medusa LLC. Referring to a prior discussion with Peter, the cybercriminal asks Andrew to view a potential UI design. In such a situation, Andrew is likely to open the attachment or follow the link, thereby putting his work computer at risk of infection.

What’s more, cybercriminals can worm out confidential information through an e-mail exchange by referring to the absent employee and their supposed work history together. The more they know about the company, the more likely the stand-in employee will forward internal documents or cough up a commercial secret.

What to do

To prevent autoreply headaches, a sensible out-of-office message policy is required.

  • Determine which employees really need to use them. If an employee handles only a couple of clients, she can notify them of her absence through a one-off e-mail or by telephone.
  • For employees whose tasks are all being covered by just one person, it makes sense to use redirection. Sure, it is not always convenient, but it guarantees that important messages will not be missed.
  • Recommend that employees create two autoreply options — one for internal and one for external addresses. More detailed instructions can be added to the message for colleagues, but outsiders should get the bare minimum.
  • If an employee corresponds only with colleagues, eliminate autoreplies to external addresses entirely.
  • In any case, advise staff that autoreplies should not contain superfluous information. Names of product lines or customers, phone numbers of colleagues, information about where the employee went on vacation, and other details are redundant.
  • And on the mail server, use a security solution that automatically detects spam and phishing attempts, and scans attachments for malware at the same time.