Skip to content

Is your out-of-office a security risk?

Out of Office Security Risk

It’s that time of year where many of us are digging out the sun cream, packing our swimming costumes and looking forward to a well-earned break. As the last few days of work loom no doubt you’ll be turning on your out-of-office notice. But wait… before you just enable the same old message, have you thought about the risks of an out-of-office message?

What risks?

Many hackers will send spam emails just to see if the email address works. If they get a ‘non-delivery’ error they know the mailbox doesn’t exist and simply delete the email from their list. If they get no reply at all that must mean the mailbox works so they keep the email address. Better still if they get an out-of-office message… well that’s like striking gold!

The wrong out-of-office message

Here is the most typical out of office message we see. Perhaps yours look a bit (or a lot) like this?

“Hi,

Thank you for your email. I am currently on annual leave with very limited access to my emails and will return to the office on the 30 July 2021. I will attend to your email on my return or you can email my P.A. – Sandra Gillingham at [email protected]

Kind Regards,
Abe Almosawi
Managing Director”.

That seems a good reply to send to anyone who emails you while you’re on the costa del Devon right? It is, but for a hacker, it’s also a gold mine of information they can use. Let’s break down what they can get out of your reply…

The hackers dream

No access to email

Telling a hacker you have no (or limited) access to your email informs them that they can start hacking your account without being noticed. They know you probably won’t read those messages you get emailed about ‘unusual activity on your account’.

Away until

Knowing you are away until a set date takes the pressure off the hackers. They know you are away and how long for! Now they can really set to work guessing your passwords.

Name & Rank

In the signature is your full name & job title. Perfect fodder to engineer a fake email template.

Holiday snaps

Using your out of office information the hacker also finds your Social Media account. They see snaps of you sunning yourself on the Pembrokshire Peninsula!

Colleagues details

And, if all this isn’t enough, you’ve also just published your colleagues’ details to the hacker’s database. Giving away their name, role in the business and their email address. The hacker will keep this information stored for a future job.

The Attack!

So with very little effort, the hacker(s) has gathered a whole heap of information about you and your business. So what do they do with all that information?

The most common use is to spoof your email address. They will likely register an email address very similar to your own. For example [email protected]_it.co.uk. (Can you spot the difference that makes that address fake?).

Next, and this is the centrepiece, they will send an email from the fake address asking for more information. For example…

“Hey Sandra,

I’m trying to set up my email on a new device here in Pembrokeshire but it’s not accepting my password. Please can you have I.T. change it to Peninsula-2021-Fun real quick. I’m expecting an email from a potential new client so it’s critical we get it done before I head off to the beach for the day.

Thanks,
Abe”

That attack is followed up by an even more time pressured email within 10 minutes or so. All this is to put pressure on your colleagues to open up your email account to the hackers. Once they have access to the mailbox they can then intercept all sorts of conversations including invoice conversations.

Worse still, with access to your mailbox, they can go ahead and reset passwords to all your other online accounts.

What no out of office?

So is the solution to have no out-of-office at all then?

Not quite. We love a good out of office but recommend you put far less information in there. Something like this maybe…

“Hi,

I’m currently out of the office and will reply to your email as soon as I return.

Kind Regards,
Abe”

As you can see it doesn’t say why, where or how long but it still lets the sender know that I’m not in the office. Safe and simple.

And don’t forget out-of-offices are only sent once to each sender. So if a hacker gets this simplified out-of-office and tries again later, they won’t get another out-of-office. So are you back in the office or still away? Who knows – certainly not the hacker!

If you need help checking or setting your out-of-office please contact our support team on 03333 055 055.

review

Don’t miss out on our next article…


If you didn’t get this article in your email then simply fill in this form to be sure you don’t miss out on the next one.

Blog post signup form
Never shared, never spammed. Unsubscribe any time.

Great Article? Share it with others...
Print page Subscribe

Discussion

No comments yet.

Leave a reply...

Your email address will not be published. Required fields are marked *