The Risks of Auto-Reply Messages

One of the consequences of modern technological advances is that many expect 24/7 access to their employees and outside professionals.  Today there is really no such thing as unreachable and there are fewer and fewer locales that are “off the grid.” 48 hours without responding to e-mail is not acceptable to some. As a result, when business travel, vacation, or other events preclude timely e-mail responses, many employees and professionals utilize the all-too-familiar auto-reply message. However, some experts suggest that these messages carry considerable security risks.

Thank you for your message. I am away from the office from June 8-12, attending an ABC risk management seminar in Phoenix, Arizona. I will have limited access to e-mail but will return your message at my earliest opportunity. You are free to contact my assistant, Pat Johnson at 867-5309.

 Joe Professional, VP of Operations, [email protected]; 555-1234.

Have you considered how much valuable information a resourceful thief can access through the foregoing away message?  Arguably, a common away message like this provides a would-be attacker with plenty to work with, such as:

Current location information: Where you are also discloses where you are not, i.e., not at your desk or your home, leaving these areas vulnerable to break-in. Moreover, a smooth-talking thief could convince one of your colleagues that you instructed them to obtain sensitive data. For example: “I just met Joe Professional at the ABC risk management conference and he said that you would be happy to provide me with the Smith report.” This tactic, known as “spear phishing,” is causing IT professionals nightmares.

Contact information: Experts warn that e-mail spammers love confirmation that their targets employ a functioning e-mail address. An auto-response e-mail provides spammers with the proof that the e-mail is active.

The good news is that there are relatively simple ways to protect yourself. Consider the following tips:

  • Experts suggest that less is more when it comes to away messages. Intentional vagueness is OK.
  • If possible, utilize one message for internal responses and another for e-mails from out-of-office contacts.
  • Configure the account so it does not reply to Internet addresses.
  • Prepare and implement a security policy or user agreement, so users know the company policies with regard to protecting information.  The policy should note what information can be divulged in an “out of office” notification. 
  • Provide alternative contact details, but make sure your designee is fully briefed regarding your absence so they do not give information to unidentified callers.
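
One way to apply the "less is more" tip is to check a draft away message before it goes live. The following is an added example, not part of the original article: a small Python check that flags the kinds of detail discussed above. The rule patterns, the function name `audit_auto_reply`, the placeholder e-mail address and the vague sample message are all assumptions made for illustration.

```python
import re

# Heuristic rules written for this example; tune them to your own policy.
RULES = [
    ("absence dates", r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
                      r"[a-z]*\.?\s+\d{1,2}(?:\s*[-–]\s*\d{1,2})?\b"),
    ("location", r"\b(?:in|at)\s+[A-Z][a-z]+(?:\s[A-Z][a-z]+)*,\s+[A-Z][a-z]+"),
    ("reason for absence",
     r"(?i)\b(?:seminar|conference|vacation|training|business trip)\b"),
    ("named delegate",
     r"\b(?i:assistant|colleague|contact)\b[^.]*?\b[A-Z][a-z]+\s[A-Z][a-z]+\b"),
    ("job title", r"\b(?:VP|Vice President|Director|Manager|CEO|CFO|Partner)\b"),
    ("phone number", r"(?<!\d)(?:\(?\d{3}\)?[\s.-])?\d{3}[\s.-]\d{4}(?!\d)"),
    ("e-mail address", r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
]

# The away message quoted in the article. The e-mail address is a constructed
# placeholder, because the address is not shown on the page.
ARTICLE_MESSAGE = (
    "Thank you for your message. I am away from the office from June 8-12, "
    "attending an ABC risk management seminar in Phoenix, Arizona. I will have "
    "limited access to e-mail but will return your message at my earliest "
    "opportunity. You are free to contact my assistant, Pat Johnson at 867-5309. "
    "Joe Professional, VP of Operations, joe.professional@example.com; 555-1234."
)

# Constructed example of an intentionally vague message.
VAGUE_MESSAGE = (
    "Thank you for your message. I am currently out of the office and will "
    "reply as soon as I can after I return."
)


def audit_auto_reply(message):
    """Return {category: first matching snippet} for each disclosure found."""
    findings = {}
    for category, pattern in RULES:
        match = re.search(pattern, message)
        if match:
            findings[category] = match.group(0).strip()
    return findings


if __name__ == "__main__":
    for category, snippet in audit_auto_reply(ARTICLE_MESSAGE).items():
        print(f"{category}: {snippet}")
    print("vague message findings:", audit_auto_reply(VAGUE_MESSAGE))
```

An empty result does not prove a message is safe; the patterns only catch the categories listed, so a human review against the company policy is still needed.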


4 Comments

  1. SORRY. I WILL BE OUT OF THE OFFICE TODAY FROM NOON TO ONE AT FREEMAN’S JEWELERS AT 8TH AND CHESTNUT LOOKING FOR A 3 CARAT RING SINCE I HAVE TONS OF CASH IN THE SIDE POCKET OF MY RED JACKET WITH YELLOW STRIPES DOWN THE FRONT. IF YOU NEED ASSISTANCE JUST CALL MY OFFICE AND TELL DEBBIE THAT I SAID TO GIVE YOU WHATEVER YOU NEED.
    Seriously, excellent advice on a topic I never gave much thought to. We will follow up on the internet reply guard with our IT rep. It is only February and this blog has already given me WAY too many things to worry about.

  2. Great advice which is equally applicable to telephone voice mail messages. For just these reasons, I seldom use auto replies – especially when I am traveling and my wife is home alone. I’m sharing with my firm’s IT folks as well.

  3. Dan vander Ploeg

    If you are entrusting everything to your assistant why not just set up e-mail forwarding to the assistant? Then the sender would not have to know you were gone until contacted by the assistant.

  4. Pingback: Use Outlook’s Auto Reply without Attracting Spammers and Crooks
