Employees who give too much information in automated email messages could in fact be leaving the back door open to crooks who can swoop in and steal sensitive data.
Most employees don’t realise that the more data you provide in an out of office message, the more susceptible you are to attacks. Sly cyber criminals can use the information you give to piece together enough material about your whereabouts and who your colleagues are to cause irreparable damage and could cost thousands of pounds.
Symantec recently commissioned YouGov to carry out a survey and found that four in ten (41 per cent) employees add a colleague’s email address to their out of office messages. And a further three in ten (31 per cent) also add a co-worker’s phone number. The information can be wholly useful for well-meaning correspondents but also for those that can use it for illegal means.
The tactic at the centre of the scam is ‘spear phishing’ or ‘targeted’ attacks in which a criminal uses details from an out of office message to build an accurate view of an individual, their role and their business. They then use this to concoct a plausible back story that convinces the individual’s colleague to hand over sensitive intellectual property.
For example, imagine being an employee receiving a call out of the blue from someone claiming to be a very annoyed customer or business partner. They say your colleague had promised a vital document before they went on holiday, but they never received it. Their story sounds plausible, perhaps even knowing where your colleague is and why – all gained from the out of office response and subsequent research. It’s easy to imagine someone quickly sending the document to keep the ‘disgruntled customer’ happy. By doing so, they may be innocently handing over vital information to a criminal.
Crafting a picture of employees by online research is known as social engineering and it’s an activity that is growing to disturbing levels. Recent figures have also shown that the number of targeted attacks increased 42 per cent in 2012, and that the average cost of a data breach to UK businesses is now £2.04m.
So what can companies do to minimize risk? It’s hugely important to be more security conscious when using out of office messages, but not necessarily to the extent that the out office messages should be eradicated entirely. Instead, firms should educate workers on the potential risks and implement policies on the content of out of office messages. In addition, email servers should be configured to ensure that out of office messages are not sent externally for those with internal focused roles.
Here are my top tips for safer out of office messages:
- Keep it short, simple and only convey necessary info;
- Try to steer clear of saying where you are going;
- Don’t include your auto signature, particularly if it includes social media details; and
- Only include the contact details of one colleague so criminals don’t have an endless list of people to pursue.
Sian John is UK and Ireland CTO for Symantec.
Share this story