We do it every time we go on vacation or take a sick day. We put up an out-of-office (OOO) message with the date of our return, a colleague’s contact information for urgent needs, and maybe even some details about the destination of our long-awaited vacation.
How an out-of-office message poses a security risk
Let’s say you’re a CFO headed to Cancun for your annual vacation. You write an out of the office message that contains:
- The dates of your departure and return
- Contact information for a colleague that will be available in your absence
- Some details about your destination
Most people don’t give this a second thought, but you could potentially be putting your company at serious risk. In the wrong hands, this information can open the door for phishing attacks and financial fraud.
By making this information public, you have unwittingly given a hacker everything they need to complete a Business Email Compromise (BEC) scam. In these BEC attacks, the hacker commits fraud by pretending to be a senior employee and will attempt to coerce the recipient into complying with a fraudulent request – such as wiring company money.
With a slightly modified email address to mirror yours, they can easily impersonate you using the personal information provided in the OOO message and exploit your absence. Knowing where you are and how long you may be gone can lead to an attempt to initiate a transfer of funds or access confidential data. They might even go the extra step and reference how great their “trip” is going just to make the message appear genuine.
These sorts of cyberattacks are more common than most might think and make up a large part of the cybercrime industry. According to the FBI, American companies have lost $12 billion to BEC attacks. The good news is there are ways to protect yourself and your company.
What are the best practices for an out-of-office message?
Whether you're taking a personal or business trip, keep in mind that information contained in your OOO message could be used against you maliciously.
What you can do:
- Create different out-of-office replies based on whether the message is going to someone inside or outside your company
- Avoid personal details
- Don't share your travel destination
- Don't provide direct insight into the chain of command
- Avoid listing your exact length of vacation
Remember: when it comes to out-of-office message best practices, less is more
Here's an example of what an out-of-office reply should look like:
To Whom It May Concern:
Thank you for your correspondence. I am currently away from my computer and may be delayed in my response.
If there is an emergency, please email contact@examplecompany.com.
Regards,
Robert
OOO messages can contain valuable information for determined attackers if too much personal information is publicly available. But with a security awareness training program and email security best practices place, you and your employees can get the upper hand against cybercriminals.
That's where ProArch comes in with our comprehensive cybersecurity services.