As more people are vaccinated and free to live a more normal life again, vacation plans, trip pictures and conference hashtags will flood social media sites. Phone calls and emails to colleagues will be met with out of office (OOO) messages. You might feel happy for that person, or maybe a little jealous that they are getting away. You should also feel concerned for their security well-being.

Out of Office Message Cybersecurity for Travelers

No one thinks much about cybersecurity while traveling. However, email security company Tessian warns the out of office message actually plays right into the hands of threat actors and cybercriminals. It’s a social engineering attack vector that no one thinks about. The out of office message is ubiquitous and handy. But if it includes any personal information at all — such as attending a funeral or going out of the country — attackers have all the information they need to impersonate the person who is out of the office, without the attacker having to do any real work.

“Many people reveal details about their personal lives in an OOO — like where and when they’re traveling,” Tim Sadler, CEO of Tessian, explains in an email interview. “Whether done on social media or in an auto-reply message on email, this arms hackers with the information they need to either craft a convincing email targeted at the OOO employee or impersonate the person who is on vacation and target one of their colleagues.”

What Cyber Criminals Learn From an OOO Message

One-third of employees share information about business travel, including pictures, on social media, Tessian found. Many will also have advance leave notification in email signatures or add details about their time off in their OOO responses, such as when they plan to return to work or the details of the conference they are attending. This might appear safe because this isn’t personal travel. After all, it is a work trip, and an out of office message is no big deal.

But this absence of basic travel cybersecurity is a problem. Email is the number one threat vector for socially engineered attacks. An automatic reply message not only sends the information to designated contacts, but it also bounces back to people who send phishing emails. Threat actors use any details found in OOO messages to craft targeted social engineering messages. Well-targeted messages build trust that threat actors take advantage of.

“For example, if a hacker knows that the chief financial officer of a company is OOO, thanks to the information in the auto-reply message, an attacker could impersonate the CFO on email and target another individual in the company’s finance team asking them to make a payment or update bank details for them while they are offline,” says Sadler.

Or, announcing a trip on social media could result in email or social media offers too good to be true. It could open the door to spoofed travel details from an airline or hotel from thieves looking for credentials. Because so many employees use the same credentials for business and pleasure, this can put the organization at risk of an attack.

“With 76% of people reusing passwords, hackers only need to guess one to gain access to multiple accounts,” Sadler says.

Cutting Down on Risk From Your Out of Office Message

You don’t have to stop using OOO messages. Instead, they need to be used wisely. It’s okay to suggest an alternate contact while you are unavailable or add a date when you will be back in action. Just skip the details about why you set up the out of office message. No one needs to know that your son is getting married in Paris. Remove any personal details in that message, including personal cell phone numbers or an alternate email where you can temporarily be reached.

So, skip saying you are in Las Vegas attending your favorite conference with the hopes of seeing a show or finding some time to play the slot machines. Even if other colleagues are going to the same conference, just say you will have limited email accessibility for the week and will return the message as soon as possible. Rather than an Instagram post with the view outside your window and naming the hotel as soon as you arrive, save the photos for a limited audience upon your return. Finally, consider adjusting your settings so that your out of office message is sent to contacts only.

“It’s not about removing the OOO response altogether,” says Sadler, “but instead pausing to consider what details you’re including.”

More from Data Protection

Third-party access: The overlooked risk to your data protection plan

2 min read - A recent IBM Cost of a Data Breach report reveals a startling statistic: Only 42% of companies discover breaches through their own security teams. This highlights a significant blind spot, especially when it comes to external partners and vendors.The financial stakes are steep. On average, a data breach affecting multiple environments costs a whopping $4.88 million. A major breach at a telecommunications provider in January 2023 served as a stark reminder of the risks associated with third-party relationships. In this…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

SpyAgent malware targets crypto wallets by stealing screenshots

4 min read - A new Android malware strain known as SpyAgent is making the rounds — and stealing screenshots as it goes. Using optical character recognition (OCR) technology, the malware is after cryptocurrency recovery phrases often stored in screenshots on user devices.Here's how to dodge the bullet.Attackers shooting their (screen) shotAttacks start — as always — with phishing efforts. Users receive text messages prompting them to download seemingly legitimate apps. If they take the bait and install the app, the SpyAgent malware gets…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today