The Dangers of Out-of-Office Auto-Reply Messages

By Emile Greyling, adapted from Andy O’Donnell



You never know who you’re replying to.

Lots of professionals use out-of-office email messages to inform clients and co-workers about their absence and provide contact info while they’re away.

It seems like the responsible thing to do, but it isn’t, necessarily. Out-of-office messages can be a major security risk. Out-of-office replies can potentially reveal a huge amount of sensitive data about you to anyone who happens to email you while you’re away.

Example of a Common Out-Of-Office Reply.
I will be out of the office at the XYZ conference in Burlington, Vermont, during the week of June 1-7. If you need any help with invoice-related issues during this time, please contact my supervisor, Joe Somebody at 555-1212. If you need to reach me during my absence you can reach me on my cell at 555-1011.
Bill Smith – VP of Operations – Widget Corp – Smithb@widgetcorp.dom – 555-7252.

While the above message may be helpful to some, it reveals a wealth of potentially sensitive information to others. Criminals or hackers can use that data for social engineering attacks.

The example out-of-office reply above provides an attacker with:

Current Location Information.
Revealing your location aids attackers in knowing where you are. If you say you’re in Vermont, then they know that you aren’t at your home in Virginia. This would be a great time to rob you. If you said you were at the XYZ conference (as Bill did), then they know where to look for you. They also know that you’re not in your office and that they might be able to talk their way into your office saying something like:

“Bill told me to pick up the XYZ report. He said it was on his desk. Do you mind if I pop in his office and grab it?” A busy secretary might just let a stranger into Bill’s office if the story seems plausible.

Contact Information.
The contact information that Bill revealed may help scammers piece together elements needed for identity theft. They now have his e-mail address, his work and cell numbers, and his supervisor’s contact info as well.

When someone sends Bill a message while his auto-reply is turned on, his e-mail server will send the auto-reply back to them, which confirms Bill’s e-mail address as valid. Email spammers love getting confirmation that their spam reached a live target. Bill’s address will likely now be added to other spam lists as a confirmed hit.

Place of Employment, Job Title, Line of Work, and Chain of Command.
Your signature block often provides your job title, the name of the company you work for (which also reveals what type of work you do), your e-mail, and your phone and fax numbers. If you added “while I’m out, please contact my supervisor, Joe Somebody” then you just revealed your reporting structure and your chain of command as well.

Social engineers could use this information for impersonation attack scenarios. For instance, they could contact your company’s HR department pretending to be your supervisor and say:

“This is Joe Somebody. Bill Smith is off on a trip and I need his ID number so I can correct a company form.”

Create a Safer Out-of-Office Auto-Reply Message.
Instead of saying that you will be somewhere else, say that you will be “unavailable.” Unavailable could mean you are still in town or in the office taking a training class. It helps keep the bad guys from knowing where you really are.

Don’t Provide Contact Info.
Don’t give out phone numbers or emails. Tell them that you will be monitoring your email account should they need to contact you, forward your mail to someone who can read it, or simply state “please contact our office.”

Avoid Personal Information and Remove Your Signature Block.
Remember that complete strangers and possibly scammers and spammers may see your auto-reply. If you wouldn’t normally give this signature info to strangers, don’t put it in your auto-reply.

They can also use your signature to better impersonate you.
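One practical way to apply the three rules above is to run a draft auto-reply through a checker before enabling it. The following Python script is an added example and is not part of the original article or of any product it mentions; it flags the four kinds of disclosure the article warns about (location, contact details, chain of command, and title or employer) using keyword and regular-expression cues that are my own assumptions about typical wording, not an exhaustive list. The risky sample is Bill’s message from the article; the safe sample is a constructed replacement that follows the article’s advice.

```python
"""Audit a draft out-of-office auto-reply for the disclosures the article warns about.

Added example, not code from the article. The cue words and regexes below are
assumptions about common phrasing; extend them to match your organisation.
"""
import re

# Each category maps to regexes for information the article says to leave out.
RISK_PATTERNS = {
    "contact_info": [
        # E-mail address in the body or signature block.
        re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
        # Phone number with optional country and area code (e.g. 555-1212).
        re.compile(r"\b(?:\+?\d{1,3}[-.\s])?(?:\(?\d{3}\)?[-.\s])?\d{3}[-.\s]\d{4}\b"),
    ],
    "location": [
        # Words that reveal you are somewhere other than "unavailable".
        re.compile(r"\b(?:conference|vacation|holiday|trip|travel(?:l)?ing|abroad|out of town|visiting)\b", re.I),
        # "in City, Region" style place names (assumed pattern).
        re.compile(r"\bin [A-Z][a-z]+,\s*[A-Z][a-z]+\b"),
    ],
    "chain_of_command": [
        re.compile(r"\b(?:my )?(?:supervisor|manager|boss|director)\b", re.I),
        re.compile(r"\breport(?:s|ing)? to\b", re.I),
    ],
    "title_or_employer": [
        # Job titles that typically appear in a signature block.
        re.compile(r"\b(?:VP|Vice President|President|Chief \w+ Officer|CEO|CFO|CTO|CIO|CISO|Head of \w+)\b"),
        # Company names with a corporate suffix.
        re.compile(r"\b[A-Z][A-Za-z]+ (?:Corp|Inc|LLC|Ltd|GmbH)\b"),
    ],
}


def audit_auto_reply(text):
    """Return {category: [matched snippets]} for every risky disclosure found."""
    findings = {}
    for category, patterns in RISK_PATTERNS.items():
        hits = []
        for pattern in patterns:
            hits.extend(m.group(0) for m in pattern.finditer(text))
        if hits:
            findings[category] = hits
    return findings


def is_safe(text):
    """True when the draft contains none of the flagged disclosures."""
    return not audit_auto_reply(text)


# Bill's reply from the article (punctuation normalised), used as the risky sample.
RISKY_REPLY = (
    "I will be out of the office at the XYZ conference in Burlington, Vermont, "
    "during the week of June 1-7. If you need any help with invoice-related issues "
    "during this time, please contact my supervisor, Joe Somebody at 555-1212. "
    "If you need to reach me during my absence you can reach me on my cell at 555-1011. "
    "Bill Smith - VP of Operations - Widget Corp - Smithb@widgetcorp.dom - 555-7252."
)

# Constructed replacement that follows the article's three rules.
SAFE_REPLY = (
    "I am currently unavailable and will be checking e-mail periodically. "
    "If you need immediate assistance, please contact our office."
)


if __name__ == "__main__":
    for label, draft in (("risky", RISKY_REPLY), ("safe", SAFE_REPLY)):
        print(f"{label}: {'OK' if is_safe(draft) else 'disclosures found'}")
        for category, hits in audit_auto_reply(draft).items():
            print(f"  {category}: {hits}")
```

Running the script reports the e-mail address, three phone numbers, the conference and city, the supervisor reference, and the title and company name in Bill’s message, and passes the replacement draft; the same function can be wired into a helpdesk form or a pre-commit style check before an auto-reply is enabled.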
