Activating Out of Office in your work email account prior to or during the winter holidays could result in hackers trying to impersonate your account to target co-workers, clients, or vendors or to hijack your account.
According to security research firm Proofpoint, corporate workers and employees should stay on alert against unforeseen cyber threats at all times and this includes when they are away to celebrate Christmas or the New Year for an extended period.
The firm points out that cyber criminals may use the information available in your Out of Office notifications to perpetrate their malicious activities. For example, the knowledge of how long you will be away from work will give them enough time to prepare for and attempt to hijack your corporate email account.
At the same time, cyber criminals may also use other information such as contact details and designations of your co-workers who will be filling in for you during your absence, names, titles and email addresses of other members of your organisation, personal mobile numbers, and direct business phone numbers to carry out impersonation or other forms of phishing attacks.
Out of Office replies should be vague and should contain minimal information
Such being the case, Proofpoint advises that people working in corporate environments should provide minimum information in their Out of Office notifications and should draft such replies in a vague manner so that cyber criminals will not be able to figure out for how long they will be away from their workplaces.
For instance, the message "Will be out of the office attending the XYZ Conference through the end of the month. If you have a pressing matter, please contact me on my mobile number at 123-456-7890, or contact our controller, Jane Smith, at firstname.lastname@example.org or 412-555-1234, x111" can be customised in the following manner:
"I am currently out of the office. If you have a pressing matter, you can reach out to me on my mobile number or contact another member of my department via our main office number. Otherwise, I will respond to your message as soon as possible."
The security firm has also advised corporate workers to not rely on out-of-office responses to provide adequate direction to colleagues (both internal and external) they deal with most frequently. This is particularly critical if they are part of an approval chain for sensitive or business-critical activities such as authorising wire transfers or invoice payments or sharing critical information or intellectual property.
"Before you leave the office, identify the people who are most likely to contact you with time-sensitive needs while you’re away. Communicate with them about your whereabouts, emergency contact number (if necessary) and the chain of command that will be in place. Also inform them of your intentions while traveling (for example, whether you intend to regularly/occasionally check email, or if you plan to fully disconnect from work-related activities).
"As well, instruct appropriate parties to alert you—and, if needed, your IT team—to any requests related to financial transactions or sensitive data transfers while you’re away. And remember: Whether you’re traveling or not, communications and actions related to these activities should always be properly vetted, voice-to-voice, rather than handled strictly through email," Proofpoint added.
Do not activate an Out of Office reply if it is not critical to your position
Commenting on the dangers posed by cyber criminals viewing Out of Office notifications, Mark Guntrip, Director of Product Marketing at Proofpoint, said that bad actors can potentially attempt to compromise your account, knowing the exact amount of time they have to impersonate or otherwise spoof your identity before you return to the office. Targets include anyone external-facing in close proximity to sensitive data, or who can influence operations (accounting, HR, executives, etc.)
"Once inside your account, there is almost no limit to the amount of damage cybercriminals can do in your name because employees consider you a trusted source. They can send malware, solicit personal information from coworkers (W2s), or even request funds be directed improperly/invoices be paid to fake entities. For example, if you’re the CEO or CFO, an email may be sent to accounts payable purportedly coming from you saying “I’m about to get on a plane…please transfer [dollar amount] to entity X.
"If it’s not critical, do not activate an out-of-office reply. Instead send an email to all appropriate contacts letting them know you will be offline / out of town. Be sure to include a directive that you must verbally confirm any requests for financial wiring, payments, or sensitive data during your vacation.”
"If posting an out-of-office reply is critical to your position, customise the external message to be extremely vague for anyone outside of your organisation. For example, “thank you for your email, I will reply in short order,” he added.