You’re headed off for a well-deserved vacation. All your cases are covered. All loose ends are tied up.
You start to turn off your computer – but before you do, you remember to leave an out-of-office auto-reply email message.
Smart move, right? Maybe not.
Cyber-security experts urge caution when using email auto-reply. They say it gives hackers and scammers too much personal information – and it might even open doors for them to sneak in while you’re gone.
Why Hackers Love Auto-Reply
Consider the following sample email auto-reply message:
Thank you for your contacting me. Please be advised that I will be out of the office from March 3 through March 7, attending a cyber-security conference in Concord. I will not be checking my email during this time. If this is an urgent matter, feel free to contact my assistant, Joe Wrighthand, directly at 919-354-6438 or firstname.lastname@example.org.
Just by reading your auto-reply, bad guys will acquire a lot of personal information about you and your whereabouts. For instance, they now know:
- You are not in the office.
- You are not even in town – you are in Concord.
- You will be gone through March 7.
- Your assistant is Joe Wrighthand.
- Your assistant has at least some authority to conduct business in your absence.
- Your assistant has a direct phone line and a separate email address.
Imagine the nefarious ways a naughty person might use this information.
The most important information spammers receive from an auto-reply is proof of an active and functioning email account. Once they have this in hand, you become a target for future spam and phishing schemes. Your email address might be shared or sold on the black market.
“The best practice is to avoid using the out-of-office auto-reply at all,” advises Andy O’Donnell at Net Security. “Skip the auto-reply, call your important customers and family and let them know how to reach you. If you feel you must use an auto-reply, be extremely vague in your language. State that you will be unavailable, which will provide uncertainty as to whether you are out of town or just in a long (local) meeting. Remove your signature block and avoid providing any personally identifying information.”
Ways to Avoid Trouble
There are two principal dangers in auto-reply messaging: (1) you have no control over who sees the message, and (2) you have no control over what they do with its contents.
Here are some ways to side-step the danger:
- Come up with an office policy. Make sure everyone is on the same page. “Prepare and implement a security policy or user agreement, so users know the company policies with regard to protecting information,” says Professional Liability Matters. “The policy should note what information can be divulged in an out-of-office notification.”
- Report suspicious behavior. Alert everyone in the office to potential holes in the system.
- Don’t drop names unnecessarily. A thief who knows not only your name but also the name of your trusted assistant – and perhaps the name of the city, hotel and conference you are attending – can cause mischief.
- Less is more. Be vague in your out-of-office message. Very vague. Leave the details for direct communications.
- Use different messages. “If possible, utilize one message for internal responses and another for e-mails from out-of-office contacts,” advises one expert.
- Block potential spam. Ask your IT manager to configure your account so it either blocks messages from Internet addresses or does not reply to them.
- Reply only to trusted sources. Configure your account so that it only sends an auto-reply to specified clients, members of a user group or those who are on your contact list.
- Remove your email signature from the auto-response. This seemingly harmless detail is packed with information that can be used by scammers.
And finally, make sure those who are in the office know how to reach you if red flags pop up while you are away. This assures immediate, direct action to deal with problems before they explode.
Jay Reeves a/k/a The Risk Man is an attorney licensed in North Carolina and South Carolina. Formerly he was Legal Editor at Lawyers Weekly and Risk Manager at Lawyers Mutual. Contact email@example.com, phone 919-619-2441.
- Professional Liability Matters http://professionalliabilitymatters.com/2014/02/13/the-risks-of-auto-reply-messages/
- Net Security http://netsecurity.about.com/b/2010/09/11/are-out-of-office-auto-reply-emails-a-security-risk.htm
- AVG Resources http://resources.avg.com.au/security_risks/email-auto-replies-security-risk/#