Email Security: Is Your Out-of-Office Bringing Criminals In?
You’re about to embark on a business trip or drift away with the waves and a margarita or two on an overdue vacation. To let your clients, partners, colleagues, and the like know that you won’t be able to respond to their emails, you create an out-of-office message.
The typical auto-reply includes a brief explanation of why you are out of the office, an approximate date of return and whom the sender can contact instead. You may also list your chain of command and, if you manage multiple departments, the names and contact information for each division. To the untrained eye this looks innocuous; to anyone well versed in information security, or who simply reads the latest cybersecurity headlines, it raises several red flags.
Let's examine what can happen once that auto-reply goes live.
Physical Security Threat
Auto-replies that disclose travel details pose a physical security risk, because they tell criminals or intruders where the sender is and for how long. Even when no location is given, the travel dates can often be matched to a well-known financial industry trade show. Criminals can confirm this from other sources, such as the company's posts and images on social networks (e.g. Twitter, Facebook).
Perhaps this person is the custodian of financial records, or the security officer at the company's front entrance. Criminals can deduce from the message which key personnel are not on site, exposing a gap in the hedge fund's security posture.
Social Engineering & Email Security
Out-of-office notifications let attackers extend their reconnaissance of an organization. Like a domino effect, each piece of information they collect helps pave a path into your firm's network. As their map of your organization expands, so do their odds of gaining trust from within: attackers will try to convince an employee to bypass normal email security procedures, or trick them into downloading malware, spyware or other malicious code.
Cybercriminals can target the alternate contact named in the automatic response with a spear-phishing campaign, typically an email, instant message or text message asking the target to verify information by clicking a link or completing a form. Increasingly, this technique is used to set up wire transfer fraud: the attacker impersonates the absent colleague and asks the backup contact to approve a payment.
So, what can your firm’s IT administrators do?
Create and enforce a security policy that specifies what information may be disclosed in out-of-office messages;
Set up different replies for contacts inside and outside your organization, and consider sending no external reply at all;
Limit the external response to stating that you will address emails upon your return; and
The golden rule: if you wouldn't tell a room full of strangers the information, don't put it in your out-of-office message.
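The following is an added example of how these recommendations translate into an Exchange configuration; it is not code from the original article or from Eze Castle Integration. It assumes an Exchange Online or on-premises Exchange PowerShell session (after Connect-ExchangeOnline or from the Exchange Management Shell), a hypothetical mailbox jdoe@example.com, and a hypothetical keyword list for the audit step. It shows a leaky auto-reply beside a policy-compliant internal/external pair, and then audits every mailbox in the tenant for external replies that still disclose travel or hand-off details.

```powershell
# Added example, not from the original article. Assumes Exchange Online or
# on-premises Exchange cmdlets are loaded. Mailbox name and keyword list are hypothetical.

$mailbox = 'jdoe@example.com'

# The kind of message the article warns against: dates, event, role and a named
# backup with a direct line, sent to every external sender.
$leaky = 'I am at the XYZ Investor Conference in Las Vegas from 3-7 June and have no email access. ' +
         'For wire approvals contact our CFO Jane Smith at 555-0100.'

# Policy-compliant pair: staff get the hand-off, outsiders get only "I will reply when I return".
$internal = 'I am out of the office until 8 June. For urgent matters contact Jane Smith.'
$external = 'Thank you for your message. I will respond to your email when I return.'

# Heuristic patterns for information a policy would forbid in an external reply.
# These are assumptions for illustration, not an exhaustive policy.
$leakPatterns = @(
    'conference', 'summit', 'travel', 'vacation', 'holiday', 'flight', 'CFO', 'CEO',
    '\b\d{1,2}\s*(-|to|through)\s*\d{1,2}\s+[A-Za-z]+',   # "3-7 June" style date ranges
    '\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}',                # phone numbers
    '\d{3}-\d{4}'                                         # short local numbers such as 555-0100
)

function Test-AutoReplyLeak {
    # Returns the patterns matched by the message text (empty array if it is clean).
    param([string]$Message)
    $text = $Message -replace '<[^>]+>', ''   # Exchange stores the message as HTML; strip tags first
    return @($leakPatterns | Where-Object { $text -match $_ })
}

Write-Host "Leaky message flags:      $((Test-AutoReplyLeak $leaky) -join ', ')"
Write-Host "Compliant message flags:  $((Test-AutoReplyLeak $external) -join ', ')"

# Apply the compliant configuration. -ExternalAudience Known limits the external reply
# to senders already in the user's contacts; use None to suppress external replies entirely.
Set-MailboxAutoReplyConfiguration -Identity $mailbox `
    -AutoReplyState Scheduled `
    -StartTime (Get-Date '2024-06-03') `
    -EndTime   (Get-Date '2024-06-08') `
    -InternalMessage $internal `
    -ExternalMessage $external `
    -ExternalAudience Known

# Tenant-wide audit: list every enabled auto-reply whose external message matches a leak pattern.
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxAutoReplyConfiguration |
    Where-Object { $_.AutoReplyState -ne 'Disabled' -and $_.ExternalAudience -ne 'None' } |
    ForEach-Object {
        $hits = Test-AutoReplyLeak $_.ExternalMessage
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Mailbox  = $_.Identity
                Audience = $_.ExternalAudience
                Flags    = ($hits -join ', ')
            }
        }
    } | Format-Table -AutoSize
```

The audit is the part worth scheduling: users will keep writing the leaky version, so run the last pipeline periodically and follow up with the mailbox owners it flags. Tune the pattern list to your own policy; the regular expressions above are only a starting point.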
Photo Credit: Eze Castle Integration