
What your out of office message is really saying

Many of us have been taking a well-deserved break to re-energise after months of restricted work environments. The last thing we do before shutting down our computers? Turn on our out of office with a friendly message detailing how we won't be getting back to anyone any time soon.


Unfortunately, the content of this routinely used automated response can walk us right into the hands of threat actors and cybercriminals. Here's why.


Email is the number one delivery vector for socially engineered attacks, because the person reading the message, not the mail infrastructure, is the target. A typical out of office message, of the kind 93% of us set up in some form, contains:


  • The employee’s full name.

  • Where the employee is and what they are doing there.

  • How long the employee will be gone.

  • The employee’s contact information (including a cell phone number).

  • The full names and details of two colleagues, one of whom is identified as the supervisor, which reveals a chain of command.

  • Other useful personal info, such as a nickname.




One-third of employees also share information (including pictures) about their travel on social media. Armed with names, return dates and the ability to search social profiles, an attacker has everything needed to script a convincing email impersonating the person out of the office or one of the named colleagues.


With a known timeframe, cybercriminals know exactly how long the impersonation can run before the real person is back to contradict it, and will try any and all options in that window to access company information, bank accounts, money transfers, IP or further personal information in order to launch wider attacks.


So what can we do to let those trusted colleagues, clients and acquaintances know we aren't available right now?

  • Set up two versions (internal / external) of your out of office message: one for your colleagues with more detail, and one for everyone else.

  • Remove corporate information, with the exception of anything immediately available on the public website (e.g. the URL).

  • Remove your personal information (mobile number, location, nicknames).

  • Keep replies brief, vague and non-committal, e.g. "Hello, I am currently unavailable, but am periodically reviewing my emails. I appreciate your message and will get back to you as soon as possible."
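As an added example, not part of the original post, here is how the internal/external split above is applied in Exchange Online using the Exchange Online PowerShell module, followed by a tenant-wide check for external auto-replies that still leak a phone number or a chain of command. The mailbox address, dates, message wording and the leak patterns are illustrative assumptions; the cmdlets and parameters are the standard ones (Set-/Get-MailboxAutoReplyConfiguration, Get-Mailbox).

```powershell
# Added example: configuring a split internal/external auto-reply in Exchange Online
# and auditing the tenant for external replies that over-share.
# Assumes the ExchangeOnlineManagement module is installed and the operator has
# rights over the mailboxes. Mailbox address and dates are placeholders.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in; use -AppId/-CertificateThumbprint for automation

$Mailbox = 'a.user@example.com'   # placeholder identity

# External senders get the brief, non-committal reply recommended above:
# no names, dates, numbers, location or chain of command.
$SafeExternal = @"
Hello, I am currently unavailable, but am periodically reviewing my emails.
I appreciate your message and will get back to you as soon as possible.
"@

# Colleagues on the same tenant can be told more; this text never leaves the organisation.
$SafeInternal = @"
Out of office until Monday 24 August. For urgent requests please use the team queue
in the helpdesk portal; Jane is covering approvals. I will reply to other mail on return.
"@

Set-MailboxAutoReplyConfiguration -Identity $Mailbox `
    -AutoReplyState Scheduled `
    -StartTime (Get-Date '2021-08-16 17:00') `
    -EndTime   (Get-Date '2021-08-24 08:00') `
    -InternalMessage $SafeInternal `
    -ExternalMessage $SafeExternal `
    -ExternalAudience Known   # 'Known' = contacts only; 'None' sends no external reply at all

# Confirm what an outside sender would actually receive.
Get-MailboxAutoReplyConfiguration -Identity $Mailbox |
    Select-Object AutoReplyState, ExternalAudience, StartTime, EndTime, ExternalMessage

# Audit: find every active external auto-reply in the tenant that contains a phone
# number, a supervisor/manager reference, or a personal email address (assumed patterns).
$LeakPattern = '(\+?\d[\d\s().-]{7,}\d)|(?i)\b(manager|supervisor|boss)\b|@(gmail|outlook|hotmail|yahoo)\.'

Get-Mailbox -ResultSize Unlimited |
    Get-MailboxAutoReplyConfiguration |
    Where-Object {
        $_.AutoReplyState -ne 'Disabled' -and
        $_.ExternalAudience -ne 'None' -and
        $_.ExternalMessage -match $LeakPattern
    } |
    Select-Object Identity, ExternalAudience, EndTime, ExternalMessage

Disconnect-ExchangeOnline -Confirm:$false
```

ExternalMessage is stored with HTML markup, so the patterns are matched against the raw property rather than a rendered view; any mailbox listed by the audit is a candidate for the two-version rewrite above.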

By being aware of the detail we reveal, we are further ahead in supporting a secure, safe digital environment. At Fusion, we have been through rigorous security awareness training and use Cofense to provide another layer of defense over email to ensure our company and staff are protected.