Christmas Out of Office Message Security Threats
Wednesday 20 December 2017

Christmas is here and you can finally take that well-earned break visiting your relatives. If you worked in an office for a larger company then you would put an out of office message on your email, but if you work from home should you tell everyone that you are going away?
Whilst it is probably not true that thieves steal lists of out of office auto-replies, it has often struck me that local opportunistic burglars (and they do exist), or worse (more about that later), might receive an out of office reply from you and, because they know where you live, use this intel, perhaps cross-referenced against your social media, to check if your home is vulnerable while you are away.
Bear in mind that all the spam that you receive will generate an out of office message. Do you really want to give more of your personal information to people who use your email address illegally?
As with all security measures, you must weigh the risks of an action against its benefits. It might be that you consider it essential to provide a message, and that is fine, but you can mitigate the risks by limiting the information that you provide.
Many out of office messages state the period during which you will be away as something like "22nd of December until the 3rd of January". This is gold dust not only to a burglar; more importantly, in our more sophisticated age, it makes you vulnerable to other types of attack such as identity theft, in which a fraudster uses that time window to impersonate you or defraud you.
Sometimes the auto-reply will even say where you are going, whether it is the name of the country or a conference that you are going to. There is no need to provide this information.
Providing alternate contact information in an auto-reply, such as "while I am away please contact Bob Bobbington on bob@bobbington or phone him on 07899 999999", magnifies the risk because it makes you vulnerable to spear phishing attacks. Imagine that a hacker (known as a social engineer) contacts your colleague with a convincing-sounding story along the lines of "Hi Bob, Janice said she would send me some information before she went on holiday..." and tricks Bob into providing information that you would not want provided. Using a generic email address such as email@example.com eliminates much of this risk.
Being aware of these risks will help you to make the most appropriate decision for your particular situation. If you do need to supply an out of office message, limit the information that you provide in it. Being intentionally vague with a generic message such as this might do the trick:
"During the Christmas period I'll be enjoying the festivities and checking my email less than usual. Normal service will resume after the holidays but if your message is urgent please contact firstname.lastname@example.org."