Out-of-office auto-responder messages can be a security risk, leading to spear phishing and business email compromise attacks.
Gone Phishing: When Vacation Alerts Put Your Organization at Risk
Can a detailed out-of-office message (OOO) pose a security risk for your organization? A friend of mine recently told me a story of how one of their coworkers received a fake email from their “manager” that requested they purchase gift cards for an upcoming event. They were asked to scratch off numbers on the back and email it to them. It wasn’t until they sent off the email with the gift card numbers that the individual realized something was suspicious. This was a business email compromise (BEC) attack. But how did the hackers know who this person’s manager was?
How often have you set an OOO message using a vacation auto responder? Usually this message includes a backup contact, typically your manager, to contact in case of urgent issues. And this message goes out via email to everyone who emails you, including spammers. So the OOO message effectively broadcasts your information to the world.
My friend was frustrated that none of their security infrastructure, applications and mandatory training were enough to help prevent this. The next option they were going to explore was stricter policies on what information can be included in the OOO message or disabling them entirely. This got me thinking, am I putting my company at risk with my OOO message?
Let’s start off with a little quiz. Rank the following three out-of-office messages in order of preference:
If your first preference was Yellow, then you put a lot of thought into your OOO message for it to stand out and leave an impression on your readers. This is a growing trend with many articles written over the last several years about the importance of writing great OOO messages to help deepen relationships. So much so that if you start typing “best out” in Google search, three of the top ten results are about how to write good OOO messages, including the first two spots.
If your first preference was Blue, then you are probably copying and pasting your previous OOO message (or one from a colleague), and quickly changing the dates as you board your flight to Bora Bora.
If your first preference was Purple, then you may work in IT or cybersecurity, and seeing an OOO message like this go out of your organization gives you the same joy as watching the Cubs win the World Series in Game 7 in 2016 (no offense to all the Dodgers fans out there).
Like most people, I defaulted to the Blue style message, but after learning a thing or two about cybersecurity, I now follow the Purple style and put the least amount of detail possible in my OOO emails. Although, I will admit I almost used the Yellow style once, for my highly anticipated trip to Antarctica, but conservatism got the best of me and I fell back to my standard Blue style message.
Gold Mine for Social Engineering Attacks
OOO messages help your teams and clients stay informed during your absence, but are also a gold mine for those making a living off socially engineered email attacks.
According to the FBI IC3 report, companies and organizations in the United States lost $12b in the past five years to BECs. This is a growing and material threat to organizations with real money at stake. With 98% of all attacks starting via email, it is vital that people are not providing information that help make these attacks easier or more sophisticated.
Security Risks from Auto-responder Messages
Here are some of the ways detailed OOO messages can leak information.
- An auto-reply to any email received provides a validation to the sender that they have a legitimate email address. Based on this, they can recreate email addresses for other members of your organization.
- Most OOO messages include details of whom to reach out to during the absence, typically the manager or another team member. This provides context for social engineering attacks.
- Including the duration of your absence gives the attackers an idea of how much time they have to execute a more sophisticated attack.
- As excited as you are about soaking up the sun during your island vacation, revealing your whereabouts gives attackers information to impersonate you in emails to your colleagues to extract information.
- Email signatures include information about your title, team and phone number, which also gives attackers information to impersonate you in emails to your team, or to orchestrate more sophisticated attacks.
- If you do not work with external clients or vendors, change your settings to only auto reply internally within your organization.
- If you do need an external OOO message, set up two separate messages if your email provider allows. One for internal and second for external that has the least amount of details as possible.
- Don’t include the duration of your absence in the auto-reply message. It is best to communicate that directly to your teams/clients/vendors if you will be gone for more than a few days in an email in advance of your departure.
- Don’t include backup contact in the auto-reply message. If it is necessary to include backup contact, don’t include management hierarchy information or details of team member’s roles.
- Don’t include information about your destination or activities. Only share need-to-know information.
- Remove your email signature from your auto-reply.
While a detailed OOO message helps your teams and clients continue to operate smoothly in your absence, it is not worth the risk of exposing your organization to a compromise.
You can use alternative ways to signal your absence, such as blocking off your calendar, or changing your status on your messenger app, or sending an email with the necessary details prior to your departure. If you have clients and other external parties who frequently email you, keep your OOO message short and brief, and share the exciting details of your travels directly.
Security Needs Understanding
Despite all of these precautions, cybersecurity is only as strong as the weakest link. It only takes one unwitting individual to click on a phishing link or to initiate a fraudulent payment to cause harm. It is very difficult to achieve 100% compliance despite the increase in awareness training. Traditional cybersecurity tools rely on technical controls and metadata analysis, and cannot outwit sophisticated social engineering attacks. However, this is an area where the latest advances in deep learning and Natural Language Understanding (NLU) hold a lot of promise. What if your cybersecurity solution could understand your communication and warn you about malicious emails?
You already use NLU at home; it is the same technology that powers voice assistants like Alexa, Siri, and Google. What if it could help protect your organization against cyber attacks? If you’re interested in seeing the power of NLU in detecting attacks that other solutions miss, and to save you time and optimize your security posture, request a demo of Armorblox.