Here's why you shouldn't set up your out-of-office email on Christmas

Workers leaving for the Christmas holidays have been asked to check that their “Out of Office” auto-replies aren't giving away valuable information. Security experts have warned that these emails could reveal more details than expected, information that cybercriminals could use to compromise corporate networks. Phishing campaigns targeting corporate accounts often seek to impersonate legitimate employees through the use of actual design and formatting features, such as email signatures, all of which can be obtained from an out-of-office autoresponder.

Out of line

The warning comes from security firm Proofpoint, which urges its customers to check that their automated responses don't provide too much information.

"To make the most of your free time, a big part is having an automated attendant to let people know you're away so they don't think you're ignoring them. The problem with a detailed out-of-office response is that bad actors find out you're away and/or offline," said Mark Guntrip, Proofpoint's director of product marketing.

Guntrip notes that these emails allow hackers to attempt to compromise your account, knowing the exact amount of time they have to impersonate you before you return to the office. Popular targets include outside workers who have access to or are close to sensitive data, or those who can influence operations, such as accounting, human resources and even executives.

"Once in your account, there is almost no limit to the amount of damage cybercriminals can do on your behalf since employees see you as a source of trust. They can send out malware, request personal information from colleagues (W2), or even request that funds be misdirected/invoices paid to bogus entities."

Proofpoint advises users that, if it is not critical, they should not trigger an out-of-office reply full of contact details, and should keep the message short and to the point. Instead, the company recommends sending an email to all appropriate contacts to inform them that you will be offline, and including a note that you must verbally confirm all requests for financial wiring, payments, or sensitive data at your leisure.