What does your 'Out of office' message say about you?

The answer – probably too much - certainly according to data protection and cyber risk specialists, including NCC group - who included this warning in their recent anti-phishing advice.

It seems good risk management to let email senders know that you are not likely to read their message for a while.  The traditional guidance was that you should set out clearly the times and dates that you would be out of the office, along with alternative contact details.

However, with a massive upshift in the number of phishing attacks, the evidence is that your out of office messages can actually provide criminals with vital additional information to assist with more convincing and targeted attacks.

Risk Management should never get in the way of pragmatic business practice, but you may wish to consider whether there are equally practical alternatives to the traditional 'all-inclusive' Out of Office message.

Out of office Risk Management Tips
  • Don't include full details of alternative contacts

  • Don't give details of when you will be back, particularly if you are away from the office for an extended period

  • Differentiate internal Out-of-office messages from external ones, if your email system allows this

  • Consider giving a colleague access rights during a period of absence

  • If you know that a particular client is likely to contact you during your absence, pro-actively contact them to advise them, if practicable

The arguments for minimising the information given in an Out of office message

An Out-of-Office response proves to a fraudster that their email has got through to a valid email address, and can provide a lot more information besides.

Do they really need to know names, email addresses and phone numbers of your assistant or your team?  Do they need to know where you are or when you will be back?

The more contact options you give, the greater chance of a successful scam.  A criminal can sound convincing when trying to persuade a colleague of yours to part with money or data especially when they know where you are how and when you will be back.  They can take advantage of knowing the names of your team and what duties they have in your absence.

They can take advantage of a long absence to engineer a scam.

Even in case of a legitimate email sent by a client, there is always the risk of a heightened expectation that you will read and respond to their email on exactly the date that you say you will on your email, when it is quite likely that you will have a considerable backlog to attend to.

Keep it simple

The answer has to be keep it simple.  Just inform the sender that you are unable to respond.  Perhaps offer a generic email address or switchboard number – information that is in the public domain.

Some people opt not to use the Out of office function.  If you do, make sure that your emails are monitored and attended to.  These days everyone assumes an email will be dealt with as soon as it is sent, unless you advise them to the contrary!

This article was provided by