The Security Risks of Out-of-Office Autoreplies

Tim Bixley
23/12/2024

Setting an automated out-of-office (OOO) email reply is a standard practice during the holiday season to keep customers and suppliers informed and provide alternative points of contact. However, these replies can unintentionally expose your business to significant cyber security risks, as email remains the leading vector for socially engineered attacks. OOO messages often include details about our whereabouts and other personal information, with little thought given to the potential dangers. Cyber criminals, such as spammers, hackers, and scammers, can easily harvest and exploit this information, turning OOO replies into a valuable resource for targeted attacks.


A typical out-of-office (OOO) email reads along the lines of:

Hello,

Thank you for your email. I am out of the office from the 8th of January till the 20th of January. I will be in the Gold Coast of Australia, so I will not be checking emails. If you need any assistance over this time, please contact my manager [name] at name@yourcompany.com, or for urgent matters, contact me on 027 1234 567.  

Kind Regards,

[Name]


This message appears trivial, but from a cyber security standpoint, it provides attackers with information about when you will be away, that you won’t be checking emails, and multiple contact points, including your team members.  

So, what are the potential risks?

  • OOO autoreplies are sent in response to phishing and other malicious emails too, handing the attacker all of this information without any action on your part.
  • Using this information, the attacker could create a spoofed email address and impersonate you to obtain company information. The reply also confirms that your email address is valid and monitored, making it a prime target for spammers.
  • Disclosing your current location informs potential attackers of your whereabouts. This information can be used in many ways, from impersonation attempts at your workplace to physical theft.
  • Email signatures also often include an individual's job title, company name, and contact details. If you have also mentioned your manager, you have provided insight into the organisational structure.


How to create safer OOO replies

First, consider whether an OOO email is necessary at all. Most people assume that an office worker will not be working on weekends and public holidays, so a reply may be unnecessary if your leave falls within the usual holiday break. If you check and reply to emails from time to time while you are away, there is likely no need for an OOO either: you will see any urgent email and can reply with help or direct the sender to someone who can, and anything else can wait until you have returned.


In some circumstances, 'Out-of-Office' replies may be unavoidable. If this is the case, there are several things you can do to minimise the risk to the business:

  • Create a different OOO message for external contacts. External contacts need minimal information. You can include more detail in the response sent to trusted internal contacts if necessary.
  • Remove personal information. Strangers do not need your mobile number or an alternate email address. This includes your signature block, which often lists your job title, company name, and contact details.
  • Be vague about your whereabouts and length of leave. Instead of specifying your location, state that you will be "unavailable." This keeps potential attackers unaware of where you will be and how long you will be away.
  • Avoid mentioning team members' names or titles.


A better example of an OOO email:

Hello,

Thank you for your email. I am currently away from my computer, so I may be delayed in response.  

For support, please contact support@companyname.com or call our office on 0800 123 456. Otherwise, I will respond to your email upon my return.

Kind Regards,

[Name]
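As an added example (not part of the original article), this is how the advice above maps onto an Exchange Online mailbox using the ExchangeOnlineManagement PowerShell module: a minimal message for external senders, a fuller one for colleagues, and external replies restricted to known contacts so that unsolicited or phishing emails receive no autoreply at all. The mailbox address, admin account and leave dates are placeholders.

```powershell
# Added example, not code from the original article.
# Requires the ExchangeOnlineManagement module and an Exchange administrator
# account; "admin@companyname.com" and "jsmith@companyname.com" are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@companyname.com

$mailbox = 'jsmith@companyname.com'

# Message for anyone outside the organisation: no dates, location, personal
# phone number, manager name or signature block.
$external = @"
Hello,

Thank you for your email. I am currently away from my computer, so I may be delayed in response.

For support, please contact support@companyname.com or call our office on 0800 123 456. Otherwise, I will respond to your email upon my return.

Kind Regards,
[Name]
"@

# Colleagues inside the tenant may be given more detail (return date, cover).
$internal = @"
Hi,

I am on leave until 20 January. For anything urgent in the meantime, please contact [Manager name] via Teams.

Kind Regards,
[Name]
"@

# Scheduled reply with separate internal/external text. ExternalAudience Known
# sends the external reply only to senders already in the mailbox's contacts,
# so cold phishing emails do not get a response confirming the address is live.
Set-MailboxAutoReplyConfiguration -Identity $mailbox `
    -AutoReplyState Scheduled `
    -StartTime '2025-01-08 00:00' `
    -EndTime   '2025-01-20 23:59' `
    -InternalMessage $internal `
    -ExternalMessage $external `
    -ExternalAudience Known

# Check what was actually applied before signing off.
Get-MailboxAutoReplyConfiguration -Identity $mailbox |
    Select-Object AutoReplyState, StartTime, EndTime, ExternalAudience
```

If external senders genuinely need a reply regardless of whether they are in your contacts, use -ExternalAudience All, but keep the external text as sparse as the example above.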

With a few simple precautions, you can uphold professional courtesy while protecting your personal and professional information this holiday season and beyond!