Gabi Power 28 September 2022 14:54:39 AEST 9 MIN READ

Are ‘Out of Office’ Replies a Cyber Risk?

Hands up if you diligently set up automatic replies when you’re going on leave? Consider me guilty as charged.   

For years, travellers around the world have been warned not to post on social media while on their trip. In this modern age, it almost feels unnatural not to share with your friends and family, but the concern lies with the fact that you could be advertising to criminals that your home is vacant. An innocent reply to a friend’s comment asking about the duration of your trip may give someone all the information they need to burgle your home.   

Given this well-worn advice, why do businesses still recommend switching on ‘Out of Office’ replies while employees are on leave? Email is the number one vector for socially engineered attacks, and an automatic reply that answers every incoming message, including the malicious ones, is an open invitation to attackers.

It’s a professional dilemma. As a courtesy we let people know that we’re away, that our response will be delayed, and whom they should speak to if the matter is urgent: a heads-up to co-workers, clients and suppliers of our absence.

Employees often add an automatic ‘Out of Office’ reply in the last few minutes before they clock off, usually something to the effect of:

“Thank you for your email. I am out of the office from Wednesday the 14th of September and will return on Monday the 26th at 9:00am. In my absence, please get in touch with my manager John Smith at john@example.com, or for urgent matters please contact me on 0400 000 000.”

Sometimes employees take it a step further and add that they’ll be sipping on cocktails in a tropical location, or bonding with their newborn. While it may be done out of courtesy, this seemingly innocuous message reveals an enormous amount of sensitive data.  

Most recipients won’t think twice about this information, but the ‘Out of Office’ response is also sent in reply to any phishing or malicious emails that have snuck into the inbox. Anyone looking for an easy target has now been told that the employee won’t be reading email, and has been handed their contact details and those of their co-worker or manager. The information most valuable to a cybercriminal, though, is the period the employee will be away: it gives them an exact window in which to plan and execute an attack.

Using the rest of the information provided, the attacker can register a lookalike domain or craft a spoofed address that is near identical to the employee’s, and impersonate them to colleagues in an attempt to extract sensitive information or money. In BEC attacks the impersonator will often claim that the request is urgent and that they cannot be reached by phone, a story that is lent credibility by the fact that the real employee is genuinely on leave.
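The lookalike-address trick above is exactly what an inbound mail filter should be checking for. The Python below is an added example, not code from the original post or from MailGuard: it scores the From: header of a message against the business’s own domains using a homoglyph-normalised edit distance, and also catches the display-name spoof in which the attacker’s free-mail address is dressed up with one of the company’s addresses. The trusted domain list and the three sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption (not from the original post): the domains this business sends from.
TRUSTED_DOMAINS = ("example.com", "example.com.au")

# Glyph swaps common in lookalike registrations. Both sides of every comparison
# are normalised the same way, so a pure swap collapses to edit distance 0.
_DIGIT_MAP = str.maketrans("01357", "olest")
_MULTI_CHAR_SWAPS = (("rn", "m"), ("vv", "w"))


def normalise(domain: str) -> str:
    d = domain.lower().strip().rstrip(".")
    for fake, real in _MULTI_CHAR_SWAPS:
        d = d.replace(fake, real)
    return d.translate(_DIGIT_MAP)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; domains are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(raw_message: str) -> dict:
    """Classify the From: header of one RFC 5322 message.

    Verdicts: 'own-domain' (leave authenticity to SPF/DKIM/DMARC),
    'lookalike' (impersonation signals found) or 'external' (nothing found).
    """
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if domain in TRUSTED_DOMAINS:
        return {"from": addr, "verdict": "own-domain", "reasons": []}

    impersonation, notes = [], []
    norm = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        dist = levenshtein(norm, normalise(trusted))
        if dist == 0:
            impersonation.append(f"{domain} is a homoglyph of {trusted}")
        elif dist <= 2:
            impersonation.append(f"{domain} is within edit distance {dist} of {trusted}")
        elif trusted in domain:
            # e.g. example.com-secure.net or mail.example.com.attacker.net
            impersonation.append(f"{domain} embeds the trusted name {trusted}")

    # A display name carrying one of our addresses while the real sender is a
    # free-mail account is the cheapest BEC spoof of all.
    for shown in re.findall(r"[\w.+-]+@([\w.-]+)", display):
        if shown.lower() in TRUSTED_DOMAINS:
            impersonation.append(f"display name shows @{shown} but sender is @{domain}")

    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if "@" in reply_to and reply_to.rsplit("@", 1)[-1] != domain:
        notes.append(f"Reply-To {reply_to} diverts replies away from {domain}")

    return {
        "from": addr,
        "verdict": "lookalike" if impersonation else "external",
        "reasons": impersonation + notes,
    }


# Constructed sample messages for the example, not captured traffic.
HOMOGLYPH_SPOOF = """\
From: "John Smith" <john@exarnple.com>
To: jane@example.com
Subject: Urgent - supplier payment

Jane, I'm on leave and can't take calls. Please process the attached invoice today.
"""

DISPLAY_NAME_SPOOF = """\
From: "john@example.com" <john.smith.accounts@freemail.example>
Reply-To: payments-desk@mailbox.example
To: jane@example.com
Subject: Re: Automatic reply: supplier invoice

Still out of office. Use the new bank details below for this one.
"""

GENUINE_EXTERNAL = """\
From: Orders <orders@supplier.example>
To: jane@example.com
Subject: Delivery schedule

Your order ships Thursday.
"""

if __name__ == "__main__":
    for sample in (HOMOGLYPH_SPOOF, DISPLAY_NAME_SPOOF, GENUINE_EXTERNAL):
        print(assess_sender(sample))
```

The edit-distance threshold of 2 is deliberately tight; widening it on short domains produces false positives on unrelated names, and the “embeds the trusted name” branch will also fire on legitimate domains that happen to contain yours, so in production the result feeds a quarantine or banner rule rather than an outright block.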



In the FBI’s 2021 Internet Crime Report, it was revealed that complaints of Business Email Compromise (BEC) accounted for only 2.4% of all reports, but the losses totalled USD $2.4 billion – more than one-third of all losses to cybercrime in the US for the year. Although BEC scammers typically impersonate executives, if it’s made easy enough for them, no employee is immune.

A BEC attack usually follows the process shown in the FBI’s Business Email Compromise diagram (not reproduced here). Source: FBI - Business Email Compromise

‘Out of Office’ email best practices 

In some circumstances, ‘Out of Office’ replies may be unavoidable: the business may require them, or an employee may be uncontactable for an extended period with nobody monitoring their inbox. In that case, there are a number of things employees can do to minimise the risk to the business.

  1. Create a different ‘Out of Office’ message for external contacts.
    External contacts need minimal information, and it’s unlikely they’ll need your mobile number or the details of your leave. Keep it short and sweet: let them know that you’re currently unavailable and will reply on your return. If necessary, you can include more detail in the response sent to trusted (internal) contacts.
  2. Remove personal information.
    Strangers don’t need your mobile number or an alternate email address.
  3. Don’t include details of your trip or leave.
    Whether it’s a conference, holiday, birth or death, there’s no need to say why you’re out of the office; it only gives a cybercriminal more ammunition to make their lies convincing.
  4. Avoid mentioning co-workers’ names or titles.
    In a similar vein, announcing that your manager or direct report is covering for you during your leave gives the attacker more material to lend their story credibility. Leave out the name and title, or supply a generic business mailbox for emergencies instead.

Here’s an example:

“Thank you for your email. I am currently away from my computer and may be delayed in my response. If the matter is urgent, please contact info@example.com and your email will be directed to an appropriate team member.”
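The four rules above can be enforced before a reply is ever published. The Python below is an added example, not code from the original post or from MailGuard: it lints a proposed external auto-reply for phone numbers, non-generic addresses, leave dates, reasons for absence and colleague references, and, only if the text passes, builds the body of a Microsoft Graph mailboxSettings update whose externalAudience is contactsOnly, so unknown senders (phishers included) get no reply at all while internal contacts still see the full message. The generic mailbox, colleague name list, leave window and time zone are assumptions; the first two sample replies are the ones quoted above and the third is constructed.

```python
import re
from datetime import datetime

# Assumptions (not from the original post): mailboxes that are safe to hand to
# strangers, and colleague names that must not appear in an external reply.
GENERIC_MAILBOXES = {"info@example.com"}
COLLEAGUE_NAMES = ("John Smith",)

_CHECKS = {
    # mobile or landline numbers such as 0400 000 000 or +61 3 9694 4444
    "phone": re.compile(r"\+?\d[\d\s-]{7,}\d"),
    "email": re.compile(r"[\w.+-]+@[\w.-]+\.\w+"),
    # Weekday and month names plus ordinal day numbers give away the leave window.
    # Deliberately case-sensitive so "may be delayed" is not read as a month.
    "dates": re.compile(
        r"\b(Mon|Tues|Wednes|Thurs|Fri|Satur|Sun)day\b"
        r"|\b(January|February|March|April|May|June|July|August"
        r"|September|October|November|December)\b"
        r"|\b\d{1,2}(st|nd|rd|th)\b"
    ),
    "reason": re.compile(
        r"\b(holiday|vacation|conference|annual leave|maternity|paternity"
        r"|newborn|funeral|wedding|honeymoon|travelling|overseas)\b", re.I
    ),
    "colleague": re.compile(
        r"\b(my (manager|colleague|assistant|direct report)|covering for me)\b", re.I
    ),
}


def lint_auto_reply(text: str) -> dict:
    """Return {category: [matched snippets]} for everything a stranger shouldn't see."""
    findings = {}
    for category, pattern in _CHECKS.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if category == "email":
            hits = [h for h in hits if h.lower() not in GENERIC_MAILBOXES]
        if category == "colleague":
            hits += [name for name in COLLEAGUE_NAMES if name in text]
        if hits:
            findings[category] = hits
    return findings


def reply_is_publishable(external_text: str) -> bool:
    return not lint_auto_reply(external_text)


def graph_auto_reply_payload(internal: str, external: str, start: datetime,
                             end: datetime, tz: str = "AUS Eastern Standard Time") -> dict:
    """Body for PATCH /me/mailboxSettings (Microsoft Graph) with a scheduled reply.

    The external text is linted first; a reply that leaks personal, date or
    colleague details is rejected rather than published. The internal text is
    only seen by the organisation's own users and may carry the full detail.
    """
    problems = lint_auto_reply(external)
    if problems:
        raise ValueError(f"external auto-reply leaks: {problems}")
    fmt = "%Y-%m-%dT%H:%M:%S"
    return {
        "automaticRepliesSetting": {
            "status": "scheduled",
            "externalAudience": "contactsOnly",   # strangers get no reply at all
            "internalReplyMessage": internal,
            "externalReplyMessage": external,
            "scheduledStartDateTime": {"dateTime": start.strftime(fmt), "timeZone": tz},
            "scheduledEndDateTime": {"dateTime": end.strftime(fmt), "timeZone": tz},
        }
    }


# The two replies quoted in the post, plus one constructed over-sharing example.
LEAKY_REPLY = ("Thank you for your email. I am out of the office from Wednesday the 14th "
               "of September and will return on Monday the 26th at 9:00am. In my absence, "
               "please get in touch with my manager John Smith at john@example.com, or for "
               "urgent matters please contact me on 0400 000 000.")
SAFE_REPLY = ("Thank you for your email. I am currently away from my computer and may be "
              "delayed in my response. If the matter is urgent, please contact "
              "info@example.com and your email will be directed to an appropriate team member.")
OVERSHARE_REPLY = "Thanks for your email. I'm on annual leave in Bali with my newborn and back on the 26th."

LEAVE_START = datetime(2022, 9, 14, 17, 0)   # assumed leave window
LEAVE_END = datetime(2022, 9, 26, 9, 0)


def build_example_payload() -> dict:
    internal = ("On leave until Monday 26 September; John Smith (john@example.com) is "
                "covering. Call me on 0400 000 000 only if it really can't wait.")
    return graph_auto_reply_payload(internal, SAFE_REPLY, LEAVE_START, LEAVE_END)


if __name__ == "__main__":
    for label, text in (("leaky", LEAKY_REPLY), ("safe", SAFE_REPLY), ("overshare", OVERSHARE_REPLY)):
        print(label, lint_auto_reply(text))
    print(build_example_payload())
```

The same check can be run by an admin over every mailbox’s current automaticRepliesSetting to find replies that already leak; the regexes are tuned for Australian English prose and will need extending for other phone formats and date conventions.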

 

Invest in email security 

Prevention is always better than cure, and the best defence is to proactively raise your company’s cyber resilience so that threats never land in inboxes in the first place. With a staggering 94% of malware delivered by email, it is an extremely important vector for businesses to fortify.

No one vendor can stop all threats, so if your business uses Microsoft 365 or Google Workspace it’s crucial to also have a third-party email security specialist in place to mitigate your risk, for example a third-party cloud email solution like MailGuard.

Talk to us

Talk to a MailGuard solution consultant today about securing your company's inboxes. You can get in touch with us by calling +61 3 9694 4444, or by emailing us at info@mailguard.com.au.  

 

Existing MailGuard partners and clients can reach out to us here: 

Australia - please call us on 1300 30 65 10  

US - call 1888 848 2822  

UK - call 0 800 404 8993  

 

We’re on Facebook, Twitter and LinkedIn. 
