Data Protection May 21, 2021
By Sue Poremba 3 min read

As more people are vaccinated and free to live a more normal life again, vacation plans, trip pictures and conference hashtags will flood social media sites. Phone calls and emails to colleagues will be met with out of office (OOO) messages. You might feel happy for that person, or maybe a little jealous that they are getting away. You should also feel concerned for their security well-being.

Out of Office Message Cybersecurity for Travelers

No one thinks much about cybersecurity while traveling. However, email security company Tessian warns the out of office message actually plays right into the hands of threat actors and cybercriminals. It’s a social engineering attack vector that no one thinks about. The out of office message is ubiquitous and handy. But if it includes any personal information at all — such as attending a funeral or going out of the country — attackers have all the information they need to impersonate the person who is out of the office, without the attacker having to do any real work.

“Many people reveal details about their personal lives in an OOO — like where and when they’re traveling,” Tim Sadler, CEO of Tessian, explains in an email interview. “Whether done on social media or in an auto-reply message on email, this arms hackers with the information they need to either craft a convincing email targeted at the OOO employee or impersonate the person who is on vacation and target one of their colleagues.”

What Cyber Criminals Learn From an OOO Message

One-third of employees share information about business travel, including pictures, on social media, Tessian found. Many will also have advance leave notification in email signatures or add details about their time off in their OOO responses, such as when they plan to return to work or the details of the conference they are attending. This might appear safe because this isn’t personal travel. After all, it is a work trip, and an out of office message is no big deal.

But this absence of basic travel cybersecurity is a problem. Email is the number one threat vector for socially engineered attacks. An automatic reply message not only sends the information to designated contacts, but it also bounces back to people who send phishing emails. Threat actors use any details found in OOO messages to craft targeted social engineering messages. Well-targeted messages build trust that threat actors take advantage of.

“For example, if a hacker knows that the chief financial officer of a company is OOO, thanks to the information in the auto-reply message, an attacker could impersonate the CFO on email and target another individual in the company’s finance team asking them to make a payment or update bank details for them while they are offline,” says Sadler.

Or, announcing a trip on social media could result in email or social media offers too good to be true. It could open the door to spoofed travel details from an airline or hotel from thieves looking for credentials. Because so many employees use the same credentials for business and pleasure, this can put the organization at risk of an attack.

“With 76% of people reusing passwords, hackers only need to guess one to gain access to multiple accounts,” Sadler says.

Cutting Down on Risk From Your Out of Office Message

You don’t have to stop using OOO messages. Instead, they need to be used wisely. It’s okay to suggest an alternate contact while you are unavailable or add a date when you will be back in action. Just skip the details about why you set up the out of office message. No one needs to know that your son is getting married in Paris. Remove any personal details in that message, including personal cell phone numbers or an alternate email where you can temporarily be reached.

So, skip saying you are in Las Vegas attending your favorite conference with the hopes of seeing a show or finding some time to play the slot machines. Even if other colleagues are going to the same conference, just say you will have limited email accessibility for the week and will return the message as soon as possible. Rather than an Instagram post with the view outside your window and naming the hotel as soon as you arrive, save the photos for a limited audience upon your return. Finally, consider adjusting your settings so that your out of office message is sent to contacts only.

“It’s not about removing the OOO response altogether,” says Sadler, “but instead pausing to consider what details you’re including.”

 |  |  |  | 
Sue Poremba

More from Data Protection
October 2, 2023

Data never dies: The immortal battle of data privacy

4 min read - More than two hundred years ago, Benjamin Franklin said there is nothing certain but death and taxes. If Franklin were alive today, he would add one more certainty to his list: your digital profile. Between the data compiled and stored by employers, private businesses, government agencies and social media sites, the personal information of nearly every single individual is anywhere and everywhere. When someone dies, that data becomes the responsibility of the estate; but what happens to the privacy rights…

September 28, 2023

Vulnerability resolution enhanced by integrations

2 min read - Why speed is of the essence in today's cybersecurity landscape? How are you quickly achieving vulnerability resolution? Identifying vulnerabilities should be part of the daily process within an organization. It's an important piece of maintaining an organization’s security posture. However, the complicated nature of modern technologies — and the pace of change — often make vulnerability management a challenging task. In the past, many organizations had to support manual integration work to get different security systems to ‘talk’ to each…

September 27, 2023

Cost of a data breach 2023: Geographical breakdowns

4 min read - Data breaches can occur anywhere in the world, but they are historically more common in specific countries. Typically, countries with high internet usage and digital services are more prone to data breaches. To that end, IBM’s Cost of a Data Breach Report 2023 looked at 553 organizations of various sizes across 16 countries and geographic regions, and 17 industries. In the report, the top five costs of a data breach by country or region (measured in USD millions) for 2023…

September 13, 2023

Cost of a data breach 2023: Pharmaceutical industry impacts

3 min read - Data breaches are both commonplace and costly in the medical industry.  Two industry verticals that fall under the medical umbrella — healthcare and pharmaceuticals — sit at the top of the list of the highest average cost of a data breach, according to IBM’s Cost of a Data Breach Report 2023. The health industry’s place at the top spot of most costly data breaches is probably not a surprise. With its sensitive and valuable data assets, it is one of…

© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature