The Risks of Auto-Reply Messages

One consequence of modern technology is that many people now expect 24/7 access to their employees and outside professionals. There is really no such thing as unreachable any more, fewer and fewer places are “off the grid,” and to some, 48 hours without an e-mail response is simply not acceptable. As a result, when business travel, vacation, or other events rule out timely e-mail responses, many employees and professionals turn to the all-too-familiar auto-reply message. Security experts caution, however, that these messages can carry considerable risk.

Thank you for your message. I am away from the office from June 8-12, attending an ABC risk management seminar in Phoenix, Arizona. I will have limited access to e-mail but will return your message at my earliest opportunity. You are free to contact my assistant, Pat Johnson at 867-5309.

Joe Professional, VP of Operations, [email protected]; 555-1234.

Have you considered how much valuable information a resourceful thief can glean from the foregoing away message? A common away message like this hands a would-be attacker plenty to work with, such as:

Current location information: Saying where you are also says where you are not, i.e. not at your desk and not at home, leaving both vulnerable to break-in. Moreover, a smooth-talking impostor can use the same details to convince one of your colleagues that you authorized the release of sensitive data. For example: “I just met Joe Professional at the ABC risk management conference and he said that you would be happy to provide me with the Smith report.” This kind of pretexting is classic social engineering, and the very same details (your name, title, the conference, the dates, and your assistant’s name) are exactly what an attacker needs to craft a convincing targeted e-mail, the “spear phishing” that is causing IT professionals nightmares.

Contact information: Spammers love confirmation that a target address is live. An auto-reply supplies exactly that proof: the address exists, the mailbox accepted the message, and a real person reads it. The signature block goes further, adding a direct phone number, a job title, and an assistant’s name and extension, all of which help an attacker sound credible on a follow-up call.

The good news is that there are relatively simple ways to protect yourself. Consider the following tips:

  • Experts suggest that less is more when it comes to away messages. Intentional vagueness is fine: “I am out of the office and will respond on my return” says enough.
  • If possible, use one message for senders inside your organization and a different, sparser message (or none at all) for e-mails from outside contacts.
  • Configure the account so that it does not send automatic replies to Internet (external) addresses at all, or, where the mail system supports it, only to senders already in your contacts.
  • Prepare and implement a security policy or user agreement so users know the company’s rules for protecting information. The policy should spell out what may and may not be disclosed in an “out of office” notification (travel dates, locations and direct phone numbers are obvious candidates for the “may not” list).
  • Provide alternative contact details, but make sure your designee is fully briefed about your absence so they do not hand information to unidentified callers.
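The “separate internal and external message” and “do not reply to Internet addresses” tips above map directly onto settings most corporate mail systems expose. The following is an added example, not part of the original article, showing how an administrator would apply them to one mailbox in Exchange Online / Microsoft 365 using the Exchange Online PowerShell module. It assumes that module is installed and that the operator holds Exchange admin rights; the mailbox address, admin account and dates are placeholders.

```powershell
# Added example: lock down a single mailbox's automatic replies in Exchange Online.
# Assumes the ExchangeOnlineManagement module is installed; addresses and dates are placeholders.

Connect-ExchangeOnline -UserPrincipalName admin@example.com

# Internal notice: colleagues already know where Joe sits, so detail costs little here.
$internal = "Out of office June 8-12 at the ABC risk management seminar. " +
            "For urgent matters contact Pat Johnson on extension 5309."

# External notice: no dates, no location, no delegate's name, no direct numbers.
$external = "Thank you for your message. I am currently out of the office " +
            "and will respond on my return."

Set-MailboxAutoReplyConfiguration -Identity joe.professional@example.com `
    -AutoReplyState Scheduled `
    -StartTime "06/08/2024 00:00" `
    -EndTime   "06/13/2024 00:00" `
    -InternalMessage $internal `
    -ExternalMessage $external `
    -ExternalAudience None
# ExternalAudience None  -> no automatic reply leaves the organisation at all.
# ExternalAudience Known -> reply only to external senders already in Joe's contacts.
# ExternalAudience All   -> the behaviour the article warns about.

# Verify what the mailbox will actually send before the trip starts.
Get-MailboxAutoReplyConfiguration -Identity joe.professional@example.com |
    Format-List AutoReplyState, StartTime, EndTime, ExternalAudience, InternalMessage, ExternalMessage
```

Setting `-ExternalMessage` even while `-ExternalAudience` is `None` is deliberate: if the audience is later relaxed to `Known`, the vague text is what goes out rather than an empty field or a copy of the internal notice. Running `Get-MailboxAutoReplyConfiguration` afterwards is the check that catches a user who has since re-enabled the detailed message from their own client.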