Are Your Out-of-Office Replies Revealing Too Much?

August 08, 2019
Gretel Egan

Whether you’re traveling for business or pleasure, it’s common practice to create an automatic out-of-office reply for incoming emails. While business continuity is important, it’s critical to remember that some emails that arrive in your inbox will come from people you don’t know—and, in some cases, cybercriminals who wish to do you harm. The details you provide could be used for malicious purposes and expose your organization to attack.

Our three tips will help you strike a better balance between productivity and security.

Tip #1: Share as Few Details as Possible

When drafting your out-of-office messages, consider what people truly need to know about your absence. The reason is simple: Anyone who finds your email address can send you a message while you’re out of the office. You might not have any issue with your close co-workers knowing that you’ll be on vacation and out of the country for two weeks. But what if your reply is sent to a cybercriminal trying to steal data from you or your organization?

It’s best to avoid sharing the following types of information in automatic replies whenever possible:

  • Direct business phone numbers for you, your boss and other co-workers
  • Personal mobile numbers
  • Names, titles and email addresses of other members of your organization
  • Concrete dates and details about your absence

For example, instead of this reply:

I will be out of the office attending the XYZ Conference through the end of the month. If you have a pressing matter, please contact me on my mobile number at 123-456-7890, or contact our controller, Jane Smith, at jsmith@myorg.com or 412-555-1234, x111.

…consider this reply:

I am currently out of the office. If you have a pressing matter, you can reach out to me on my mobile number or contact another member of my department via our main office number. Otherwise, I will respond to your message as soon as possible.

Both replies provide enough information for informed senders to act accordingly should they need to. Uninformed senders—including those emailing with unsolicited or malicious requests—will receive minimal information to act on.
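A simple way to apply Tip #1 before an auto-reply goes live is to run the draft through a checker that flags the categories listed above. The script below is an added example, not part of the original post or any product; its regular expressions are heuristics I wrote for the two sample replies and will need tuning for local phone and date formats.

```python
import re

# Heuristic patterns for the categories the post says to leave out of
# auto-replies. Written for this example; adjust to local number formats.
CHECKS = [
    ("phone number",
     re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b(?:,?\s*(?:x|ext\.?)\s*\d+)?", re.I)),
    ("email address",
     re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("concrete absence dates",
     re.compile(r"\b(?:through|until|from|back on|returning)\b[^.]*?"
                r"\b(?:january|february|march|april|may|june|july|august|"
                r"september|october|november|december|end of the (?:week|month)|"
                r"monday|tuesday|wednesday|thursday|friday|\d{1,2}(?:st|nd|rd|th)?)\b",
                re.I)),
    ("absence details",
     re.compile(r"\b(?:conference|vacation|holiday|out of the country|travel(?:ing|ling)?)\b",
                re.I)),
    ("named colleague",   # "our controller, Jane Smith" style hand-offs
     re.compile(r"\b(?:our|my)\s+\w+,\s+[A-Z][a-z]+\s+[A-Z][a-z]+\b")),
]

def audit_reply(text):
    """Return [(category, matched_text), ...] for every sensitive detail found."""
    findings = []
    for category, pattern in CHECKS:
        for m in pattern.finditer(text):
            findings.append((category, m.group(0).strip()))
    return findings

def is_minimal(text):
    """True when the draft reveals none of the categories above."""
    return not audit_reply(text)

# The two sample replies from the post, used here as test input.
VERBOSE = ("I will be out of the office attending the XYZ Conference through the "
           "end of the month. If you have a pressing matter, please contact me on "
           "my mobile number at 123-456-7890, or contact our controller, Jane Smith, "
           "at jsmith@myorg.com or 412-555-1234, x111.")
MINIMAL = ("I am currently out of the office. If you have a pressing matter, you can "
           "reach out to me on my mobile number or contact another member of my "
           "department via our main office number. Otherwise, I will respond to your "
           "message as soon as possible.")

if __name__ == "__main__":
    for label, draft in (("verbose", VERBOSE), ("minimal", MINIMAL)):
        print(f"{label}: {'OK' if is_minimal(draft) else 'REVIEW'}")
        for category, snippet in audit_reply(draft):
            print(f"  - {category}: {snippet!r}")
```

Run against the two replies above, the first draft is flagged six times (two phone numbers, an email address, a date range, the conference, and a named colleague) while the second passes clean.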

Tip #2: Draft Separate Responses for Internal and External Replies

Some email tools allow you to tailor out-of-office replies based on the source of the incoming message. Take advantage of this option whenever possible. You can feel more confident about providing the name of an alternate contact or internal extension in replies that will go to people within your organization. However, you should still avoid providing any personal information, such as your or your co-workers’ mobile numbers.

With external replies, tip #1 should guide your actions: Reveal as few details as possible. If you rarely (or never) have business-critical interactions with external sources, consider skipping an out-of-office reply for this audience, particularly if your absence will be brief.

Tip #3: Handle the “Need to Know” Before You Go

Don’t rely on out-of-office responses to provide adequate direction to the colleagues (both internal and external) you deal with most frequently. This is particularly critical if you are part of an approval chain for sensitive or business-critical activities like the following:

  • Requests for, or authorizations of, wire transfers or invoice payments
  • Transmissions of regulatory, legal, tax or personal healthcare information
  • Exchanges involving confidential data or intellectual property

Before you leave the office, identify the people who are most likely to contact you with time-sensitive needs while you’re away. Communicate with them about your whereabouts, emergency contact number (if necessary) and the chain of command that will be in place. Also inform them of your intentions while traveling (for example, whether you intend to regularly/occasionally check email, or if you plan to fully disconnect from work-related activities).

Also, instruct appropriate parties to alert you—and, if needed, your IT team—to any requests related to financial transactions or sensitive data transfers while you’re away. And remember: Whether you’re traveling or not, communications and actions related to these activities should always be properly vetted, voice-to-voice, rather than handled strictly through email.