
Here's why you shouldn't set your out of office email over Christmas


Workers heading off on Christmas holidays have been told to check that their "Out of Office" auto replies aren't giving away valuable information.

Security experts have warned that such emails may be revealing more details than expected, information that could be used by cybercriminals to compromise corporate networks.

Phishing campaigns targeting enterprise accounts or businesses often impersonate legitimate employees using realistic formatting and design features such as email signatures, all of which can be harvested from an Out of Office auto reply.

Offline

The warning comes from security firm Proofpoint, which is urging its customers to check that their auto replies don't give away too much information.

"A big part of enjoying your time off is having an automated assistant to let people know you're away, so they don't think you're ignoring them. The problem with a detailed out-of-office reply is that bad actors learn you're away and/or offline," said Mark Guntrip, Director of Product Marketing at Proofpoint.

Guntrip notes that such emails allow hackers to attempt to compromise your account, knowing exactly how much time they have to impersonate or otherwise spoof your identity before you return to the office.

Popular targets include external-facing workers who have access to, or work in close proximity to, sensitive data, and those who can influence operations, such as accounting, HR, and even executives.

"Once inside your account, there is almost no limit to the amount of damage cybercriminals can do in your name because employees consider you a trusted source. They can send malware, solicit personal information from coworkers (W2s), or even request funds be directed improperly/invoices be paid to fake entities."

Proofpoint advises users not to activate an out-of-office reply full of contact details unless it is critical, and to keep any message brief and concise.

Instead, the company recommends sending an email to all appropriate contacts letting them know you will be offline, and including a note that you must verbally confirm any requests for financial wiring, payments, or sensitive data during your time off.
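As an added example (not from the article or from Proofpoint), the checker below applies the advice above to auto-reply text: it flags the details an outsider could use, namely an exact return date, phone numbers, named alternate contacts, job titles and an admission that you are unreachable, and warns when the reply runs long. The two sample replies and the 40-word limit are constructed for the demonstration.

```python
import re

# Each pattern names one thing the article says an attacker can learn from a
# detailed auto reply. Heuristic regexes; tune them for your own templates.
MONTH = r"(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*"
OVERSHARE_PATTERNS = {
    # an exact return date tells an attacker how long the account is unattended
    "return_date": re.compile(
        r"\b(?:until|through|back on|return(?:ing)? on)\s+(?:\w+\s+)?"
        r"(?:\d{1,2}(?:st|nd|rd|th)?\s+" + MONTH + r"|" + MONTH + r"\s+\d{1,2}"
        r"|\d{1,2}/\d{1,2}(?:/\d{2,4})?)", re.I),
    # phone numbers lend credibility to a spoofed signature
    "phone_number": re.compile(r"\+?\d[\d\s().-]{7,}\d"),
    # named colleagues are a ready-made list of people to approach in your name
    "alternate_contact": re.compile(
        r"\b(?:contact|reach out to|speak to|email)\s+([A-Z][a-z]+(?:\s+[A-Z][a-z]+)?)"),
    # job titles and departments let a lure be tailored to the role
    "job_title": re.compile(
        r"\b(?:Director|Manager|Head of|Chief|Vice President|VP|Accountant|Controller|HR)\b"),
    # saying you cannot be reached invites urgent "I couldn't get hold of you" requests
    "unreachable": re.compile(
        r"\b(?:no|limited)\s+(?:access|internet|email)\b|\boffline\b", re.I),
}

def audit_auto_reply(text, max_words=40):
    """Return (category, matched_text) findings; an empty list passes these checks."""
    findings = []
    for name, pattern in OVERSHARE_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append((name, match.group(0).strip()))
    word_count = len(text.split())
    if word_count > max_words:  # brevity is the article's first recommendation
        findings.append(("too_long", f"{word_count} words"))
    return findings

# Constructed samples: a typical detailed reply and the brief form the article recommends.
DETAILED_REPLY = (
    "Thank you for your email. I am out of the office until Monday 6 January and will "
    "have no access to email. For urgent matters please contact Jane Smith, Finance "
    "Manager, on +44 20 7946 0958. Kind regards, Alex Doe, Director of Accounts Payable"
)
BRIEF_REPLY = "Thanks for your message. I am away from the office and will respond when I return."

if __name__ == "__main__":
    for label, reply in (("detailed", DETAILED_REPLY), ("brief", BRIEF_REPLY)):
        print(label, audit_auto_reply(reply) or "no findings")
```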