Taking Time Off? What Your Out of Office Message Tells Attackers


As more people are vaccinated and free to live a more normal life again, vacation plans, trip pictures and conference hashtags will flood social media sites. Phone calls and emails to colleagues will be met with out of office (OOO) messages. You might feel happy for that person, or maybe a little jealous that they are getting away. You should also feel concerned for their security well-being.

Out of Office Message Cybersecurity for Travelers

No one thinks much about cybersecurity while traveling. However, email security company Tessian warns the out of office message actually plays right into the hands of threat actors and cybercriminals. It’s a social engineering attack vector that no one thinks about. The out of office message is ubiquitous and handy. But if it includes any personal information at all — such as attending a funeral or going out of the country — attackers have all the information they need to impersonate the person who is out of the office, without the attacker having to do any real work.

“Many people reveal details about their personal lives in an OOO — like where and when they’re traveling,” Tim Sadler, CEO of Tessian, explains in an email interview. “Whether done on social media or in an auto-reply message on email, this arms hackers with the information they need to either craft a convincing email targeted at the OOO employee or impersonate the person who is on vacation and target one of their colleagues.”

What Cyber Criminals Learn From an OOO Message

One-third of employees share information about business travel, including pictures, on social media, Tessian found. Many will also have advance leave notification in email signatures or add details about their time off in their OOO responses, such as when they plan to return to work or the details of the conference they are attending. This might appear safe because this isn’t personal travel. After all, it is a work trip, and an out of office message is no big deal.

But this absence of basic travel cybersecurity is a problem. Email is the number one threat vector for socially engineered attacks. An automatic reply message not only sends the information to designated contacts, but it also bounces back to people who send phishing emails. Threat actors use any details found in OOO messages to craft targeted social engineering messages. Well-targeted messages build trust that threat actors take advantage of.

“For example, if a hacker knows that the chief financial officer of a company is OOO, thanks to the information in the auto-reply message, an attacker could impersonate the CFO on email and target another individual in the company’s finance team asking them to make a payment or update bank details for them while they are offline,” says Sadler.

Or, announcing a trip on social media could result in email or social media offers too good to be true. It could open the door to spoofed travel details from an airline or hotel from thieves looking for credentials. Because so many employees use the same credentials for business and pleasure, this can put the organization at risk of an attack.

“With 76% of people reusing passwords, hackers only need to guess one to gain access to multiple accounts,” Sadler says.

Cutting Down on Risk From Your Out of Office Message

You don’t have to stop using OOO messages. Instead, they need to be used wisely. It’s okay to suggest an alternate contact while you are unavailable or add a date when you will be back in action. Just skip the details about why you set up the out of office message. No one needs to know that your son is getting married in Paris. Remove any personal details in that message, including personal cell phone numbers or an alternate email where you can temporarily be reached.

So, skip saying you are in Las Vegas attending your favorite conference with the hopes of seeing a show or finding some time to play the slot machines. Even if other colleagues are going to the same conference, just say you will have limited email accessibility for the week and will return the message as soon as possible. Rather than an Instagram post with the view outside your window and naming the hotel as soon as you arrive, save the photos for a limited audience upon your return. Finally, consider adjusting your settings so that your out of office message is sent to contacts only.

“It’s not about removing the OOO response altogether,” says Sadler, “but instead pausing to consider what details you’re including.”

The post Taking Time Off? What Your Out of Office Message Tells Attackers appeared first on Security Intelligence.