IT for Donuts: how out-of-office messages can be a security threat

By: John McGarvey

Date: 24 January 2014

While you're on the beach, is your email causing problems?

IT for Donuts is our regular Friday feature where we explain a tech term or answer a question about business IT.

This week: you probably use an out-of-office message to reply to emails automatically when you're away. But did you know they can be a security risk?

What's an out-of-office message?

Most email software and services will allow you to create a message that will be automatically sent to people who email you while you're away.

You can use this feature to let people know you might be slower to reply than normal, and to tell them who to contact in your absence.

See how to set up an out-of-office message in Microsoft Outlook or Google Mail.

The problem with out-of-office messages

Although out-of-office messages are certainly useful, they sometimes contain information that can be used by criminals. For instance:

  • If you're a freelancer, it's a fair bet that you work from home. So if your out-of-office message boasts that you're on holiday in Australia, criminals might deduce that your house is an easy target for burglary.
  • If your message includes a colleague's name, email or phone number, cyber-criminals can use these details in a spear phishing attack. They can email your colleague with a convincing-sounding message, to trick them into providing sensitive company data.
  • If you've created an out-of-office reply that lets people know you're away for two weeks, criminals may try to impersonate you online, knowing that you're less likely to notice someone else using your identity.

However, these scenarios don't mean you should stop using out-of-office messages entirely. Just take some precautions.

Writing safer out-of-office messages

Being selective about the information you include in your out-of-office messages is the best way to minimise the security risk:

  • Just say you're 'unable to respond to emails at the moment', instead of providing detailed information about your holiday.
  • Don't promise to reply by a certain date or say when you'll be back.
  • If possible, avoid providing a specific colleague's details. Instead, include a generic email address (like [email protected]).
  • If you feel you must offer a colleague's details, only provide one name. Don't give scammers a whole list of targets.
  • Consider setting two messages, if your email service allows this — one to be sent to colleagues, one (containing fewer details) to be sent to external contacts.
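The first four points in the list above can be checked automatically before an auto-reply goes live. The following is an added example, not part of the original article: the function name, finding codes, list of generic mailbox names and both sample messages are assumptions constructed for illustration.

```python
import calendar
import re

# Role-style mailbox names treated as generic (an assumed list; extend to suit).
GENERIC_LOCALPARTS = {"info", "office", "support", "sales", "enquiries", "help", "team"}

MONTHS = "|".join(list(calendar.month_name)[1:] + list(calendar.month_abbr)[1:])
DATE_RE = re.compile(
    rf"\b(?:\d{{1,2}}(?:st|nd|rd|th)?\s+(?:{MONTHS})|(?:{MONTHS})\s+\d{{1,2}}"
    rf"|\d{{1,2}}/\d{{1,2}})\b", re.I)
RETURN_RE = re.compile(
    r"\b(?:back (?:on|in|by)|return(?:ing)? (?:on|in)|until"
    r"|for (?:a|one|two|three|\d+) (?:day|week)s?)\b", re.I)
TRAVEL_RE = re.compile(r"\b(?:holiday|vacation|annual leave|travell?ing|abroad)\b", re.I)
EMAIL_RE = re.compile(r"\b([A-Za-z0-9._%+-]+)@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d\s().-]{7,}\d(?!\w)")


def lint_auto_reply(text):
    """Return a sorted list of finding codes for an out-of-office message."""
    findings = set()
    # A calendar date or a phrase such as "until" or "back on" reveals the absence window.
    if DATE_RE.search(text) or RETURN_RE.search(text):
        findings.add("return-date")
    # Holiday or travel wording tells the reader the sender is away from home.
    if TRAVEL_RE.search(text):
        findings.add("travel-detail")
    # Addresses whose local part is not a role mailbox identify a specific person.
    personal = {m.group(0).lower() for m in EMAIL_RE.finditer(text)
                if m.group(1).lower() not in GENERIC_LOCALPARTS}
    phones = PHONE_RE.findall(text)
    if personal or phones:
        findings.add("named-contact")
    # One colleague with one email and one phone number is tolerated; more is a list.
    if len(personal) > 1 or len(phones) > 1:
        findings.add("multiple-contacts")
    return sorted(findings)


# Constructed sample messages (example.com addresses, reserved fictional phone number).
RISKY = ("I'm on holiday in Australia until 10 February. For anything urgent, "
         "email jane.doe@example.com or tom.smith@example.com, or call 020 7946 0000.")
SAFER = ("I'm unable to respond to emails at the moment. For urgent matters, "
         "please contact office@example.com.")

if __name__ == "__main__":
    for label, message in (("risky", RISKY), ("safer", SAFER)):
        print(label, lint_auto_reply(message))
```

The patterns are deliberately simple and English-only, so treat a clean result as a prompt for a quick manual read rather than a guarantee.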

Do you bother with out-of-office messages when you're away from email?