Your Out-of-Office Message Could Be a Security Risk

Whether you're taking a personal or business trip, keep in mind that information contained in your out-of-office email could be used against you in a malicious matter.

out-of-office security best practices


The typical out-of-office contains:

  • The dates you are returning and leaving your destination
  • Contact information for a supervisor or co-worker they can get in touch with while you're away
Most people won't give this information a second thought, but to the wrong person this is all they need. Knowing that you're out-of-office is a door opener for social engineering tactics like phishing emails. 

Say you're a CFO on vacation. Because of information contained in your out-of-office message an attacker now knows you're away and who to contact. By impersonating your email address, the attacker sends an email instructing your assistant to make a wire transfer. They might even go the extra step and reference how great their trip is going just to make the message appear real.

You're probably thinking, 'this would never happen to my company!' Think again. iV4 has witnessed multiple successful wire transfers that originated from a phishing email that impersonated a member of the c-suite.


Security Awareness Training content


What can you do:

  • Create different out-of-office replies based on whether the message is going to someone inside or outside your company
  • Avoid oversharing
  • Don't share your travel destination 
  • Don't provide insight into the chain of command
  • Avoid listing your exact length of vacation

Here's an example of what an out-of-office reply should look like:

out-of-office security best practices


Out-of-office messages are a valuable target for determined attackers, but through security awareness training it is a threat that can be contained. Security Awareness Training is included in the monthly cost of iV4's Security Managed Service

Learn more about iV4's security solutions



Get IT tips and insights right to your inbox. Subscribe to the iV4 Blog: