Out-Of-Office Message Security Issues

Many people love the idea of using an electronic out-of-office notification message when they are away from the office.  These automated messages are great for letting colleagues, vendors, and friends know that you're out and won't be able to respond.  Conveniently, you can add to your message the start and end dates of your vacation, a way for people to get hold of you in an emergency, or how to contact your boss or co-worker for emergencies. You might even make your callers jealous by telling them exactly where you are and what you are doing. Sounds great, right?

Wrong! You never know who's going to receive that information.  If you are not careful, you'll be sharing this information not only with those who need it, but also with spammers, phishers, common thieves, identity theft rings, and other criminals.  Giving away too much information can cause problems for you, your employer, and your coworkers or friends.

Think of the implications...  Depending on what you put in the out-of-office message:

  • People might know when you won't be home, so they can plan home invasions or other property theft at your home or office.
  • People might know your chain of command, co-workers' names, work titles, etc.  This can be useful in "phishing" or other social engineering attacks.
  • People might know where you are staying while away, allowing them to stalk you or to use that information in social-engineering attacks.
  • People might know enough about you, from the out-of-office message or combined web and social media searches, to attempt identity theft against you.
  • People might know that your e-mail address is valid.  Spammers send to a list of e-mail addresses, many of which are not valid.  Providing them with an out-of-office reply lets them know your email is valid and active, allowing them to resell your email address as a confirmed address, and meaning you'll likely get targeted with even more spam in the future.
  • People might know your business is closed for a long holiday period, and that "no one is managing the shop".  What better time to try to hack your systems than when people are away from the office en masse?

This doesn't mean you should stop using out-of-office messages -- just that you should take some precautions to post safer out-of-office messages.  The general rule is to add as few specific details as possible, and not to put in anything you wouldn't announce to a room full of strangers.  Some specific ways to protect yourself are:

  • If your mail client allows it, set it up to only send an out-of-office message to your work e-mail domain, or to send different messages to your work e-mail domain and all other e-mail domains.
  • Don't list job titles or your chain of command in your out-of-office messages.
  • Keep your messages short, simple and vague, revealing only what you absolutely must.
  • Don't advertise the start date – the recipients don't need to know that.  The only date they need, if you give them one, is the date you return.
  • Don't provide contact information for while you are away. Simply say to contact someone else, or that you will check your e-mail as soon as possible.
  • Remove your e-mail signature.  Your e-mail signature is usually appended to your out-of-office message, and may reveal additional information.  You can enable it again when you return.
  • Don't promise to reply by, or at, a certain date.
  • If possible, specify a generic e-mail address for them to contact instead of a named account (examples of such generic addresses might be help@cns.utexas.edu, or chair@physics.utexas.edu).

A real simple, basic out-of-office message that doesn't reveal too much might be something like:

Thank you for your email. I'm not available right now, but your message is important to me and I will reply as soon as possible.  Thank you!
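
The precautions listed above can be checked mechanically before an auto-reply is switched on. The following Python sketch is an added example, not part of the original article; its rule names, word lists and patterns are assumptions and are heuristics only.

```python
import re

# Heuristic patterns; all names and word lists here are assumptions of this example.
MONTH = (r"(?:january|february|march|april|may|june|july|august|september|"
         r"october|november|december|jan|feb|mar|apr|jun|jul|aug|sept?|oct|nov|dec)")
DATE = rf"(?:\b\d{{1,2}}[/-]\d{{1,2}}(?:[/-]\d{{2,4}})?\b|\b{MONTH}\.?\s+\d{{1,2}}\b|\b\d{{1,2}}\s+{MONTH}\b)"
GENERIC_LOCAL_PARTS = {"help", "chair", "info", "support", "office"}

RULES = [
    ("start-date", rf"\b(?:from|starting|since|beginning)\s+(?:on\s+)?{DATE}"),
    ("reply-promise", rf"\b(?:reply|respond|get back)\b[^.!?]*\b(?:by|on)\s+{DATE}"),
    ("phone-number", r"\+?\d[\d\s().-]{7,}\d"),
    ("job-title", r"\b(?:manager|director|supervisor|vice president|my boss)\b"),
    ("whereabouts", r"\b(?:staying at|hotel|resort|on vacation in|traveling to)\b"),
]

def lint_auto_reply(text):
    """Return the sorted rule names that a draft out-of-office message trips."""
    lowered = text.lower()
    hits = {name for name, pattern in RULES if re.search(pattern, lowered)}
    # A start and an end date usually show up as two dates in one message.
    if len(re.findall(DATE, lowered)) >= 2:
        hits.add("start-date")
    # Named mailboxes reveal a person; generic role addresses do not.
    for local in re.findall(r"\b([a-z0-9._%+-]+)@[a-z0-9.-]+\.[a-z]{2,}\b", lowered):
        if local not in GENERIC_LOCAL_PARTS:
            hits.add("named-contact")
    return sorted(hits)

# Constructed sample drafts (not real messages).
RISKY = ("I am on vacation in Cancun from Dec 20 to Jan 3, staying at the Grand Hotel. "
         "For emergencies call 512-555-0100 or email my manager at jane.doe@example.edu.")
SAFE = ("Thank you for your email. I'm not available right now, but your message is "
        "important to me and I will reply as soon as possible.  Thank you!")

if __name__ == "__main__":
    for label, draft in (("risky", RISKY), ("safe", SAFE)):
        print(label, lint_auto_reply(draft))
```

A draft that gives only a return date and a generic address passes, matching the advice above; an empty result means no rule fired, not that the message is safe to send unread.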

If you follow these suggestions, you should be able to relax and enjoy your vacation (or conference, or whatever) without worrying about criminals taking advantage of you.

Written by CNS OIT staff