As more people are vaccinated and free to live a more normal life again, vacation plans, trip pictures and conference hashtags will flood social media sites. Phone calls and emails to colleagues will be met with out of office (OOO) messages. You might feel happy for that person, or maybe a little jealous that they are getting away. You should also feel concerned for their security well-being.

Out of Office Message Cybersecurity for Travelers

No one thinks much about cybersecurity while traveling. However, email security company Tessian warns the out of office message actually plays right into the hands of threat actors and cybercriminals. It’s a social engineering attack vector that no one thinks about. The out of office message is ubiquitous and handy. But if it includes any personal information at all — such as attending a funeral or going out of the country — attackers have all the information they need to impersonate the person who is out of the office, without the attacker having to do any real work.

“Many people reveal details about their personal lives in an OOO — like where and when they’re traveling,” Tim Sadler, CEO of Tessian, explains in an email interview. “Whether done on social media or in an auto-reply message on email, this arms hackers with the information they need to either craft a convincing email targeted at the OOO employee or impersonate the person who is on vacation and target one of their colleagues.”

What Cyber Criminals Learn From an OOO Message

One-third of employees share information about business travel, including pictures, on social media, Tessian found. Many will also have advance leave notification in email signatures or add details about their time off in their OOO responses, such as when they plan to return to work or the details of the conference they are attending. This might appear safe because this isn’t personal travel. After all, it is a work trip, and an out of office message is no big deal.

But this absence of basic travel cybersecurity is a problem. Email is the number one threat vector for socially engineered attacks. An automatic reply message not only sends the information to designated contacts, but it also bounces back to people who send phishing emails. Threat actors use any details found in OOO messages to craft targeted social engineering messages. Well-targeted messages build trust that threat actors take advantage of.

“For example, if a hacker knows that the chief financial officer of a company is OOO, thanks to the information in the auto-reply message, an attacker could impersonate the CFO on email and target another individual in the company’s finance team asking them to make a payment or update bank details for them while they are offline,” says Sadler.

Or, announcing a trip on social media could result in email or social media offers too good to be true. It could open the door to spoofed travel details from an airline or hotel from thieves looking for credentials. Because so many employees use the same credentials for business and pleasure, this can put the organization at risk of an attack.

“With 76% of people reusing passwords, hackers only need to guess one to gain access to multiple accounts,” Sadler says.

Cutting Down on Risk From Your Out of Office Message

You don’t have to stop using OOO messages. Instead, they need to be used wisely. It’s okay to suggest an alternate contact while you are unavailable or add a date when you will be back in action. Just skip the details about why you set up the out of office message. No one needs to know that your son is getting married in Paris. Remove any personal details in that message, including personal cell phone numbers or an alternate email where you can temporarily be reached.

So, skip saying you are in Las Vegas attending your favorite conference with the hopes of seeing a show or finding some time to play the slot machines. Even if other colleagues are going to the same conference, just say you will have limited email accessibility for the week and will return the message as soon as possible. Rather than an Instagram post with the view outside your window and naming the hotel as soon as you arrive, save the photos for a limited audience upon your return. Finally, consider adjusting your settings so that your out of office message is sent to contacts only.

“It’s not about removing the OOO response altogether,” says Sadler, “but instead pausing to consider what details you’re including.”

More from Data Protection

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

The compelling need for cloud-native data protection

4 min read - Cloud environments were frequent targets for cyber attackers in 2023. Eighty-two percent of breaches that involved data stored in the cloud were in public, private or multi-cloud environments. Attackers gained the most access to multi-cloud environments, with 39% of breaches spanning multi-cloud environments because of the more complicated security issues. The cost of these cloud breaches totaled $4.75 million, higher than the average cost of $4.45 million for all data breaches.The reason for this high cost is not only the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today