It seems like the responsible thing to do, but it isn’t, necessarily: out-of-office auto-replies can be a major security risk. They can reveal a huge amount of sensitive data about you to anyone who happens to email you while you’re away.

Example of a Common Out-Of-Office Reply

While the above message may be helpful to some, it reveals a wealth of potentially sensitive information to others. Criminals or hackers can use that data for social engineering attacks. The example out-of-office reply above provides an attacker with:

Current Location Information

Revealing your location tells attackers where you are, and just as importantly where you are not. If you say you’re in Vermont, then they know that you aren’t at your home in Virginia. This would be a great time to rob you. If you said you were at the XYZ conference (as Bill did), then they know where to look for you. They also know that you’re not in your office and that they might be able to talk their way into it by saying something like:

Contact Information

The contact information that Bill revealed may help scammers piece together the elements needed for identity theft. They now have his e-mail address, his work and cell numbers, and his supervisor’s contact info as well. When someone sends Bill a message while his auto-reply is turned on, his e-mail server sends the auto-reply back to them, which confirms Bill’s e-mail address as valid. Spammers love getting confirmation that their spam reached a live mailbox, so Bill’s address will likely now be added to other spam lists as a confirmed hit.

Place of Employment, Job Title, Line of Work, and Chain of Command

Your signature block often provides your job title, the name of the company you work for (which also reveals what type of work you do), your e-mail address, and your phone and fax numbers. If you added “while I’m out, please contact my supervisor, Joe Somebody” then you just revealed your reporting structure and your chain of command as well. Social engineers could use this information in impersonation scenarios. For instance, they could call your company’s HR department pretending to be your boss and say:

Some out-of-office message setups allow you to restrict the reply so that it only goes to members of your host e-mail domain, but most people have clients and customers outside of the hosting domain, so this feature won’t help them.

Create a Safer Out-of-Office Auto-Reply Message

Instead of saying that you will be somewhere else, say that you will be “unavailable.” Unavailable could mean you are still in town or in the office taking a training class. It helps keep the bad guys from knowing where you really are.

Don’t Provide Contact Info

Don’t give out phone numbers or emails. Tell them that you will be monitoring your email account should they need to contact you.

Avoid Personal Information and Remove Your Signature Block

Remember that complete strangers and possibly scammers and spammers may see your auto-reply. If you wouldn’t normally give this signature info to strangers, don’t put it in your auto-reply.
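To make the guidance above concrete, here is an added example (not from the original article) that does two things: it runs a few simple disclosure checks over an auto-reply message so you can see which of the categories discussed (location, contact details, chain of command, signature block) a draft would leak, and it models the “reply only to my own domain” option by sending a detailed message to colleagues in the internal domain and the minimal “unavailable” message to everyone else. The sample messages, names, numbers and domains are constructed for this example; the regular expressions are deliberately simple heuristics, not an exhaustive filter.

```python
import re
from email.utils import parseaddr

# Constructed sample messages for this example; the article's own example
# message is not reproduced here. Names, numbers and domains are made up.
UNSAFE_REPLY = """Thanks for your email. I am attending the XYZ Conference in Vermont
until June 14 and will have limited access to email.
For urgent matters please contact my supervisor, Joe Somebody, at
joe.somebody@example.com or 555-0100.
Bill Example | Senior Analyst | Example Corp
bill@example.com | office 555-0123 | cell 555-0199"""

# The minimal message the article recommends: no location, no contact
# details, no signature block.
SAFE_REPLY = """Thank you for your message. I am currently unavailable and will
respond when I return. I am monitoring this account periodically."""

# A more detailed message that only colleagues inside our own mail domain
# should ever receive (constructed for this example).
INTERNAL_REPLY = """I am out until June 14. For anything urgent, please ask
Joe Somebody; otherwise I will reply when I am back."""

# One heuristic per category of disclosure discussed in the article.
# These are simple patterns that will miss some phrasings; extend as needed.
LEAK_CHECKS = [
    ("phone number", re.compile(r"\b(?:\(?\d{3}\)?[-. ]?)?\d{3}[-. ]\d{4}\b")),
    ("email address", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    # "in <Capitalised place>" or an event/travel word, case-insensitive for the words only
    ("location or event", re.compile(
        r"(?i:\b(?:conference|vacation|travel(?:ing)?|out of the country)\b)|\bin [A-Z][a-z]+")),
    ("chain of command", re.compile(
        r"\b(?:supervisor|manager|my boss|reports? to)\b", re.IGNORECASE)),
    ("job title or employer", re.compile(r"\b(?:Analyst|Engineer|Director|Corp|Inc|LLC)\b")),
]


def find_leaks(message: str) -> dict[str, list[str]]:
    """Return {category: [matched text, ...]} for every check that fires.
    An empty dict means none of the heuristics found anything."""
    findings: dict[str, list[str]] = {}
    for label, pattern in LEAK_CHECKS:
        hits = [m.group(0) for m in pattern.finditer(message)]
        if hits:
            findings[label] = hits
    return findings


def build_auto_reply(sender: str, internal_domain: str) -> str:
    """Choose the reply text by the sender's domain: the detailed message stays
    inside our own domain, everyone else gets the minimal one.

    The comparison is an exact match on the whole domain, so a sender at
    'example.com.evil.net' is treated as external. The From address is
    attacker-controlled and easily forged, so this is a courtesy filter, not
    an access control: the internal text must still be safe if it leaks."""
    _, address = parseaddr(sender)          # handles "Name <user@domain>" too
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain == internal_domain.lower():
        return INTERNAL_REPLY
    return SAFE_REPLY


if __name__ == "__main__":
    for name, text in (("unsafe", UNSAFE_REPLY), ("safe", SAFE_REPLY)):
        print(f"{name}: {find_leaks(text) or 'no disclosures found'}")
    print(build_auto_reply("customer@example.org", "example.com"))
```

Run as a script, the unsafe draft is flagged in all five categories and the minimal message in none. The domain split is a design choice that addresses the article’s caveat: it lets colleagues get the fuller note while clients and customers outside the domain still receive only the “unavailable” reply, and because a sender address can be forged, even the internal message is kept free of anything you would not want a stranger to read.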