As more people are vaccinated and free to live a more normal life again, vacation plans, trip pictures and conference hashtags will flood social media sites. Phone calls and emails to colleagues will be met with out of office (OOO) messages. You might feel happy for that person, or maybe a little jealous that they are getting away. You should also feel concerned for their security well-being.

Out of Office Message Cybersecurity for Travelers

No one thinks much about cybersecurity while traveling. However, email security company Tessian warns the out of office message actually plays right into the hands of threat actors and cybercriminals. It’s a social engineering attack vector that no one thinks about. The out of office message is ubiquitous and handy. But if it includes any personal information at all — such as attending a funeral or going out of the country — attackers have all the information they need to impersonate the person who is out of the office, without the attacker having to do any real work.

“Many people reveal details about their personal lives in an OOO — like where and when they’re traveling,” Tim Sadler, CEO of Tessian, explains in an email interview. “Whether done on social media or in an auto-reply message on email, this arms hackers with the information they need to either craft a convincing email targeted at the OOO employee or impersonate the person who is on vacation and target one of their colleagues.”

What Cyber Criminals Learn From an OOO Message

One-third of employees share information about business travel, including pictures, on social media, Tessian found. Many will also have advance leave notification in email signatures or add details about their time off in their OOO responses, such as when they plan to return to work or the details of the conference they are attending. This might appear safe because this isn’t personal travel. After all, it is a work trip, and an out of office message is no big deal.

But this absence of basic travel cybersecurity is a problem. Email is the number one threat vector for socially engineered attacks. An automatic reply message not only sends the information to designated contacts, but it also bounces back to people who send phishing emails. Threat actors use any details found in OOO messages to craft targeted social engineering messages. Well-targeted messages build trust that threat actors take advantage of.

“For example, if a hacker knows that the chief financial officer of a company is OOO, thanks to the information in the auto-reply message, an attacker could impersonate the CFO on email and target another individual in the company’s finance team asking them to make a payment or update bank details for them while they are offline,” says Sadler.

Or, announcing a trip on social media could result in email or social media offers too good to be true. It could open the door to spoofed travel details from an airline or hotel from thieves looking for credentials. Because so many employees use the same credentials for business and pleasure, this can put the organization at risk of an attack.

“With 76% of people reusing passwords, hackers only need to guess one to gain access to multiple accounts,” Sadler says.

Cutting Down on Risk From Your Out of Office Message

You don’t have to stop using OOO messages. Instead, they need to be used wisely. It’s okay to suggest an alternate contact while you are unavailable or add a date when you will be back in action. Just skip the details about why you set up the out of office message. No one needs to know that your son is getting married in Paris. Remove any personal details in that message, including personal cell phone numbers or an alternate email where you can temporarily be reached.

So, skip saying you are in Las Vegas attending your favorite conference with the hopes of seeing a show or finding some time to play the slot machines. Even if other colleagues are going to the same conference, just say you will have limited email accessibility for the week and will return the message as soon as possible. Rather than an Instagram post with the view outside your window and naming the hotel as soon as you arrive, save the photos for a limited audience upon your return. Finally, consider adjusting your settings so that your out of office message is sent to contacts only.

“It’s not about removing the OOO response altogether,” says Sadler, “but instead pausing to consider what details you’re including.”

More from Data Protection

Transitioning to Quantum-Safe Encryption

With their vast increase in computing power, quantum computers promise to revolutionize many fields. Artificial intelligence, medicine and space exploration all benefit from this technological leap — but that power is also a double-edged sword. The risk is that threat actors could abuse quantum computers to break the key cryptographic algorithms we depend upon for the safety of our digital world. This poses a threat to a wide range of critical areas. Fortunately, alternate cryptographic algorithms that are safe against…

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Resilient Companies Have a Disaster Recovery Plan

Historically, disaster recovery (DR) planning focused on protection against unlikely events such as fires, floods and natural disasters. Some companies mistakenly view DR as an insurance policy for which the likelihood of a claim is low. With the current financial and economic pressures, cutting or underfunding DR planning is a tempting prospect for many organizations. That impulse could be costly. Unfortunately, many companies have adopted newer technology delivery models without DR in mind, such as Cloud Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS)…

Millions Lost in Minutes — Mitigating Public-Facing Attacks

In recent years, many high-profile companies have suffered destructive cybersecurity breaches. These public-facing assaults cost organizations millions of dollars in minutes, from stock prices to media partnerships. Fast Company, Rockstar, Uber, Apple and more have all been victims of these costly and embarrassing attacks. The total average cost of a data breach has increased by 2.6% since 2021 and is now $4.35 million. Organizations that don't deploy zero trust security models also incur an average of $1 million more in…