Summer is upon us and so are vacations, big and small. You’re finishing up last-minute details in the office, saying goodbye to co-workers and, of course, remembering to set your out-of-office reply.
The OOO, or out-of-office, reply is crucial to making sure both co-workers and clients are aware of your absence and know who to reach if something cannot wait. But it is also a potential treasure trove of information for a bad actor.
An Out of Office Reply Example
Let’s look at the following example taken from a security test Access Systems ran* to explore the dos and don’ts of writing an out of office message:
Thank you for your email. I am on vacation to Aruba until March 3rd. If you need Sales assistance please contact Deb at 515-262-XXXX. For Inventory help: contact Greg or Phil at 515-265-XXXX
The Don'ts of an Out of Office Reply
Let’s look at what this reply means to a cyber attacker.
First, it validates an email address for future phishing campaigns. Phishing messages are often sent without knowing whether the address is even live; an automatic reply confirms it.
Next, and most importantly, it gives the attacker what they need to establish rapport with your co-workers. By stating where you are going and being specific about who to contact, you hand a bad actor, or cyber attacker, the details to start vishing or targeting those employees’ inboxes.
A few searches of social media, or a little social engineering, could give an attacker an opening like this:
“Hi Deb, this is Mike Winter, I had spoken to Mary before she took off with her husband for Aruba about looking at an invoice. Could I send it over to you?”
This opening works to establish trust between your business and the cyber attacker, potentially giving the attacker an opening into your entire system.
If Deb opens “Mike’s” invoice, numerous options now exist for the bad actor. Even if Deb is not comfortable with this and declines, the attacker could reach out to others included in the reply or even use their names, as well as Mary’s, to further legitimize their request to get this invoice sent.
The Dos of an Out of Office Reply
So, how do you avoid giving away too much information?
NEVER disclose the reason you are out of the office. Doing so creates a risk not only of social engineering attempts, but also of burglary at your home.
In addition, most email systems let you craft separate replies for addresses internal and external to your company’s network. An internal OOO reply, for instance, can be more specific about who to escalate issues to, with names and numbers, if the company is large enough. Externally, you should rely on generic mailboxes (sales@, help@ etc.) to handle outsiders’ needs.
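As an added example (not from the original post or from Access Systems), here is how that internal/external split can be configured on an Exchange Online mailbox with the ExchangeOnlineManagement module. The mailbox address, extensions and shared-mailbox names are placeholders, and the check before applying the reply is a simple illustrative pattern match.

```powershell
# Added example, not part of the original post: configure separate internal and
# external auto-replies for an Exchange Online mailbox (ExchangeOnlineManagement).
# Mailbox, extensions and shared mailboxes below are placeholders.
Connect-ExchangeOnline

$Mailbox = 'mary@example.com'   # placeholder mailbox

# Internal reply: colleagues already know Mary, so names and extensions are acceptable.
$InternalMessage = @"
I am out of the office and will reply when I return.
Sales: Deb, ext. 1234 (placeholder). Inventory: Greg or Phil, ext. 5678 (placeholder).
"@

# External reply: no reason for the absence, no return date, no names, no direct
# numbers. Outsiders are pointed at generic mailboxes only.
$ExternalMessage = @"
Thank you for your email. I am currently out of the office.
For sales enquiries please contact sales@example.com; for support, help@example.com.
"@

# Illustrative check before enabling: the external text must not contain a phone
# number or a reason for the absence. Extend the pattern to suit your organisation.
if ($ExternalMessage -match '\d{3}-\d{3}-\d{4}|vacation|holiday|sick|travel|until') {
    throw 'External reply discloses too much; revise it before enabling.'
}

# Apply both messages. -ExternalAudience All sends the generic reply to every
# outside sender; Known would limit it to the user's saved contacts.
Set-MailboxAutoReplyConfiguration -Identity $Mailbox `
    -AutoReplyState Scheduled `
    -StartTime (Get-Date) `
    -EndTime (Get-Date).AddDays(7) `
    -InternalMessage $InternalMessage `
    -ExternalMessage $ExternalMessage `
    -ExternalAudience All

# Review exactly what will leave the organisation.
Get-MailboxAutoReplyConfiguration -Identity $Mailbox |
    Select-Object AutoReplyState, ExternalAudience, ExternalMessage
```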
As you finish your last few tasks before that well-deserved vacation, look over your Out of Office reply and make sure you have not given an outsider too much information.
Protect Yourself from a Phishing Attack
Out of Office replies are just the tip of the iceberg of phishing attacks. Make sure you are protected against spear phishing attacks as well, with these tips.
Do you want to take the next step in increasing your cybersecurity? Partner with an elite managed IT provider, like our team at Access Systems.
*Names and numbers have been changed to protect the business.