How Out-of-Office Replies Put You at Risk
Ah, the innocuous out-of-office notification message. Who in the corporate world hasn't used it at one time or another?
Sure, the out-of-office function built into Microsoft Outlook and similar email software is great for letting colleagues, customers, vendors and even friends and acquaintances know that you're lying on a beach in Hawaii, sipping a Mai-Tai or two — and that you won't be able to respond.
Since you can't, or don't want to, respond while you're on vacation or away for some other reason, you include a way for people to contact you in an emergency.
You also include the name and contact information of your boss or co-worker. You'll probably also tell people how long you'll be away and when you'll be back in the office.
No big deal, right?
Wrong. You never know who's going to see that information, according to security experts.
Giving away too much
"In many enterprises today, guarding against data breaches and targeted attacks is one of the top concerns of IT administrators," Trend Micro researcher Roland Dela Paz said last fall in a blog post.
"One of the things that administrators guard against is reconnaissance and targeting of any potential high-value personnel who may fall victim to a targeted attack," Dela Paz noted. "A less obvious source of information leakage, however, is the humble out-of-office notification."
Security expert Andy O'Donnell, network security guide at About.com, has seen a lot of "crazy stuff" in out-of-office replies.
"It's amazing what people put in them and reveal about themselves," O'Donnell said. "My rule of thumb is, 'If you wouldn't tell a room full of strangers the information, you shouldn't put it in your out-of-office reply.'
"One of the things people put in is their chain of command — who their supervisor is."
O'Donnell said that sort of information could be very useful to people performing social-engineering attacks on companies.
"They could [use that information] and contact a department of that company claiming to be the supervisor of that person and they could get that person's Social Security number if people aren't thinking on their feet," O'Donnell said.
Please rob me
"There's a lot of revealing information there," O'Donnell added. "If someone is going on a trip, you obviously know that they're not going to be at their house."
A lot of burglars are trolling on Facebook looking for just that kind of information, but leaving it in an out-of-office reply just makes it easy for them, he said.
"A lot of times, people will tell you exactly where they're going to be — if it's a conference, for example — and that could be potentially dangerous," O'Donnell said.
"If someone wants to track you down at that conference, they'll know exactly where you're going to be, what your name is, your cellphone number — just a lot of information that doesn't need to be out there and could be going to anybody, potentially."
One of the problems is that companies aren't really aware of the security risks of out-of-office replies.
"I have a newsletter that I send out to subscribers for About.com, and when my newsletter goes out, it will prompt an out-of-office reply for a lot of people," O'Donnell said. "There's so much information that people put in those, all their contact information, what their supervisor's name is, who to contact for invoicing or things like that.
"They put a lot of their business in those replies when they don't know who's going to get them. It could be a complete stranger on the Internet, or a spammer or a scammer. Anybody could send you an email, and that auto-reply is going to do its job and send a reply back to them."
How to hold back
O'Donnell has some tips for users and IT administrators to create safer out-of-office notification messages:
— Set up your mail client to send different out-of-office notifications to people outside your organization than to people inside your company.
— Have a security policy in place for rules of behavior. Have a user agreement so users are aware of what the company's policies are in terms of information security and protecting information.
"Companies should include what information can be divulged in out-of-office notifications in this policy document," O'Donnell said. "For example, 'You will not list your chain of command in an out-of-office reply.'"
— Don't reveal too much information. Be intentionally vague. If you have to leave an auto-reply, don't say you'll be in Hawaii; say you'll be unavailable. Instead of giving strangers your cellphone or home phone number, tell them you'll be checking your email.
— Leave all of your personal information out of your signature block.
"If you wouldn't give this information to a complete stranger, don't include it in your out-of-office notification," O'Donnell said.
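One way an administrator can act on these tips from the Exchange side, as an added example that is not from the article or from O'Donnell: the first part sets a detailed internal reply and a deliberately vague external one that only goes to known contacts, and the second audits existing external auto-replies for the kinds of details the article warns about. It assumes an Exchange Online or Exchange Server management session is already open; the mailbox identity, dates, message text and regular-expression patterns are constructed samples, not a complete rule set.

```powershell
# Added example, not code from the article. Assumes an Exchange management
# session (e.g. after Connect-ExchangeOnline). Identity, dates and text are
# constructed samples.
$Mailbox = 'jdoe@example.com'

# Colleagues inside the organization get the useful detail (dates, backup contact).
$InternalMessage = @"
I am out of the office until Monday 17 June and will not be checking email.
For anything urgent, contact Jane Smith (ext. 4410) or the help desk.
"@
# External senders get no dates, no whereabouts, no chain of command, no phone numbers.
$ExternalMessage = 'I am currently unavailable and will reply to your message when I return.'

Set-MailboxAutoReplyConfiguration -Identity $Mailbox `
    -AutoReplyState Scheduled `
    -StartTime (Get-Date '2024-06-10 17:00') `
    -EndTime   (Get-Date '2024-06-17 08:00') `
    -InternalMessage $InternalMessage `
    -ExternalMessage $ExternalMessage `
    -ExternalAudience Known   # None: no external reply; Known: contacts only; All: anyone

# Audit: report mailboxes whose external auto-reply leaks the details discussed
# above. The patterns are illustrative assumptions, not an exhaustive DLP policy.
$Patterns = @(
    '\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b',                       # phone numbers
    '\b(supervisor|manager|my boss|reports? to)\b',            # chain of command
    '\b(conference|vacation|holiday|travell?ing|hawaii)\b'     # whereabouts
)

Get-Mailbox -ResultSize Unlimited |
    ForEach-Object { Get-MailboxAutoReplyConfiguration -Identity $_.Identity } |
    Where-Object { $_.AutoReplyState -ne 'Disabled' -and $_.ExternalAudience -ne 'None' } |
    ForEach-Object {
        $cfg  = $_
        $text = $cfg.ExternalMessage -replace '<[^>]+>', ' '   # strip HTML Outlook inserts
        $hits = $Patterns | Where-Object { $text -match $_ }
        if ($hits) {
            [pscustomobject]@{
                Mailbox          = $cfg.Identity
                ExternalAudience = $cfg.ExternalAudience
                MatchedPatterns  = ($hits -join '; ')
            }
        }
    } | Format-Table -AutoSize
```

Setting ExternalAudience to None is the simplest way to remove the external leak entirely when an organization decides outside senders do not need an auto-reply at all.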