Whether you're taking a personal or business trip, keep in mind that information contained in your out-of-office email could be used against you in a malicious manner.
The typical out-of-office contains:
- The dates you are leaving for and returning from your destination
- Contact information for a supervisor or co-worker the sender can get in touch with while you're away
Say you're a CFO on vacation. Because of information contained in your out-of-office message, an attacker now knows you're away and who to contact. By impersonating your email address, the attacker sends an email instructing your assistant to make a wire transfer. They might even go the extra step and reference how great the trip is going just to make the message appear real.
You're probably thinking, 'this would never happen to my company!' Think again. iV4 has witnessed multiple successful wire transfers that originated from a phishing email that impersonated a member of the C-suite.
What you can do:
- Create different out-of-office replies based on whether the message is going to someone inside or outside your company
- Avoid oversharing
- Don't share your travel destination
- Don't provide insight into the chain of command
- Avoid listing your exact length of vacation
Here's an example of what an out-of-office reply should look like:
Out-of-office messages are a valuable target for determined attackers, but through security awareness training it is a threat that can be contained.
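One way to check a drafted external auto-reply against the "avoid oversharing" points above before switching it on. This is an added example, not part of the original article; the category names, the regex heuristics and both sample messages are constructed for illustration.

```python
import re

# Heuristic checks, one per oversharing category from the list above.
# Names and patterns are assumptions for this example; tune them per organisation.
CHECKS = {
    "exact_dates": re.compile(
        r"\b(?:\d{1,2}[/-]\d{1,2}(?:[/-]\d{2,4})?"
        r"|(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\.?\s+"
        r"\d{1,2}(?:st|nd|rd|th)?)\b", re.I),
    "travel_destination": re.compile(
        r"\b(?i:travell?ing|vacation(?:ing)?|holiday|conference|trip)"
        r"\s+(?i:to|in|at)\s+[A-Z][\w.-]+"),
    "chain_of_command": re.compile(
        r"\b(?:my\s+(?:manager|supervisor|assistant|boss|deputy)"
        r"|reports?\s+to|c[efio]o|vp|director)\b", re.I),
    "direct_contact": re.compile(
        r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+|\+?\d[\d\s().-]{7,}\d"),
}

def lint_auto_reply(text):
    """Return {category: [matched snippets]} for every check that fires."""
    findings = {}
    for name, pattern in CHECKS.items():
        hits = [m.group(0).strip() for m in pattern.finditer(text)]
        if hits:
            findings[name] = hits
    return findings

# Constructed sample: the kind of reply the article warns about.
RISKY_EXTERNAL = (
    "I am on vacation in Lisbon from March 3 to March 14. "
    "For anything urgent, contact my assistant Dana Reyes at "
    "dana.reyes@example.com or 555-010-0199."
)

# Constructed sample: no dates, destination, named contact or reporting line.
SAFER_EXTERNAL = (
    "Thank you for your message. I am currently out of the office with "
    "limited access to email and will respond as soon as I can after I return."
)

if __name__ == "__main__":
    for label, msg in (("risky", RISKY_EXTERNAL), ("safer", SAFER_EXTERNAL)):
        result = lint_auto_reply(msg)
        print(label, "->", result if result else "no oversharing detected")
```

The patterns are deliberately broad, so treat a finding as a prompt to reread the draft rather than a verdict.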