You might want to think twice before you write your next out-of-office reply message because you never know who might receive it and what they might do with the information it contains. The information you provide in your automated reply might help a criminal impersonate you, track you down, or even know the best time to rob your house.
Here's a typical reply I see a lot: "I will be out of the office from September 10-15th at the XYZ IT conference in Cleveland, Ohio. If you need to reach me, you can call me on my cell at 555-1212. Please contact my supervisor, John Smith, at 555-1234 for any major issues."
To a criminal, the above reply is a treasure trove of useful information. You've just given them your location, the duration of your absence, your contact information, your supervisor's location (he is obviously not at the conference with you), your chain of command, and your line of work (since you said you were at an IT conference). Here are some things a criminal could do with the information you provided in your out-of-office reply:
- Steal your property or harm your family. The recipient of your auto-reply now knows that you are out of town and exactly how long you will be gone. All he or she needs now is your home address and a windowless van.
- Steal your identity or impersonate you. The information in your auto-reply, such as your supervisor's name, cell number, and your location, all aid the criminal. An identity thief could use freely available search tools on the Internet to piece together the rest of the information he or she needs to assume your identity. Since you are out of town, it's apparent your boss won't easily be able to transfer a call to you. The identity thief could call your boss and use a work-related pretext or social engineering attack to gather even more sensitive information about you:
Joe's Boss: "Joe's out of town at a conference. Let me pull that info up for you."
The best practice is to avoid using the out-of-office auto-reply at all. Skip the auto-reply, call your important customers and family, and let them know how to reach you. If you feel you must use an auto-reply, be extremely vague in your language. State that you will be "unavailable," which will provide uncertainty as to whether you are out of town or just in a long (local) meeting. Remove your signature block and avoid providing any personally identifying information.
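One way to review a draft auto-reply for the disclosures listed above before enabling it, as an added example that is not part of the original article. The regex heuristics, category names, and the `lint_auto_reply` function are assumptions of this example; the vague reply is constructed sample text.

```python
import re

# Heuristic patterns (assumptions of this example, not an exhaustive rule set)
# for the disclosure categories the article lists.
MONTHS = r"(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*"
CHECKS = {
    "absence dates": re.compile(
        rf"\b{MONTHS}\.?\s+\d{{1,2}}|\b\d{{1,2}}/\d{{1,2}}\b", re.I),
    "phone number": re.compile(r"(?:\(?\d{3}\)?[\s.-])?\d{3}[\s.-]\d{4}\b"),
    "location": re.compile(r"\b(?:in|at)\s+[A-Z][a-z]+,\s*[A-Z][A-Za-z]+"),
    "event or line of work": re.compile(
        r"\b(?:conference|summit|training|vacation|trade show)\b", re.I),
    "chain of command": re.compile(
        r"\b(?:supervisor|manager|boss|director)\b", re.I),
}

def lint_auto_reply(text):
    """Return (category, matched snippet) pairs for each risky disclosure."""
    findings = []
    for category, pattern in CHECKS.items():
        for match in pattern.finditer(text):
            findings.append((category, match.group(0).strip()))
    return findings

def categories(text):
    """Return the sorted set of disclosure categories found in the draft."""
    return sorted({category for category, _ in lint_auto_reply(text)})

# The typical reply quoted in the article.
RISKY = ("I will be out of the office from September 10-15th at the XYZ IT "
         "conference in Cleveland, Ohio. If you need to reach me, you can call "
         "me on my cell at 555-1212. Please contact my supervisor, John Smith, "
         "at 555-1234 for any major issues.")
# Constructed sample following the article's advice to stay vague.
VAGUE = "I am currently unavailable and will reply to your message when I can."

if __name__ == "__main__":
    for label, draft in (("typical", RISKY), ("vague", VAGUE)):
        print(f"{label} reply:")
        for category, snippet in lint_auto_reply(draft) or [("ok", "nothing flagged")]:
            print(f"  {category}: {snippet}")
```

An empty result only means none of these patterns matched; a signature block or free-text detail can still disclose information the patterns do not cover.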
Follow these useful tips so you don't return from your IT conference only to find all your belongings have been stolen.

