The Dangers of Out-of-Office Auto-Reply Messages

You never know who you're replying to

By Andy O'Donnell

Andy O'Donnell, MA, is a former freelance contributor to Lifewire and a senior security engineer who is active in internet and network security.

Updated January 31, 2020

So, you're headed off on a business trip. You've got your plane tickets, hotel reservations, and everything is good to go. Only one thing left to do: it's time to set your Outlook out-of-office auto-reply message so that clients or co-workers emailing you will know how to contact you while you're away or will know who they can contact during your absence.

It seems like the responsible thing to do, right? Wrong. Out-of-office auto-replies can be a huge security risk. They can potentially reveal a huge amount of sensitive data about you to anyone who happens to email you while you're away.

Example of a Common Out-Of-Office Reply

    I will be out of the office at the XYZ conference in Burlington Vermont during the week of June 1-7. If you need any help with invoice-related issues during this time, please contact my supervisor, Joe Somebody at 555-1212. If you need to reach me during my absence you can reach me on my cell at 555-1011.

    Bill Smith - VP of Operations - Widget Corp
    Smithb@widgetcorp.dom
    555-7252

While the message above is helpful, it may also be harmful because, in a couple of short sentences, the person in the e-mail above revealed some incredibly useful information about himself. This information could be used by criminals for social engineering attacks.

The example out-of-office reply above provides an attacker with:

Current Location Information

Revealing your location aids attackers in knowing where you are and where you aren't.
If you say you're in Vermont, then they know that you aren't at your home in Virginia. This would be a great time to rob you. If you said you were at the XYZ conference (as Bill did), then they know where to look for you. They also know that you're not in your office and that they might be able to talk their way into your office saying something like:

"Bill told me to pick up the XYZ report. He said it was on his desk. Do you mind if I pop in his office and grab it?"

A busy secretary might just let a stranger into Bill's office if the story seems plausible.

Contact Information

The contact information that Bill revealed in his out-of-office reply may help scammers piece together elements needed for identity theft. They now have his e-mail address, his work and cell numbers, and his supervisor's contact info as well.

When someone sends Bill a message while his auto-reply is turned on, his e-mail server will send the auto-reply back to them, which in effect confirms Bill's e-mail address as a valid working address. Email spammers love getting confirmation that their spam reached a real live target. Bill's address will likely now be added to other spam lists as a confirmed hit.

Place of Employment, Job Title, Line of Work, and Chain of Command

Your signature block often provides your job title, the name of the company you work for (which also reveals what type of work you do), your e-mail, and your phone and fax numbers. If you added "while I'm out, please contact my supervisor, Joe Somebody" then you just revealed your reporting structure and your chain of command as well.

Social engineers could use this information for impersonation attack scenarios. For instance, they could call your company's HR department pretending to be your boss and say:

"This is Joe Somebody. Bill Smith is off on a trip and I need his Employee ID and Social Security Number so I can correct his company tax forms."
Some out-of-office message setups allow you to restrict the reply so that it only goes to members of your host e-mail domain, but most people have clients and customers outside of the hosting domain so this feature won't help them.

Create a Safer Out-of-Office Auto-Reply Message

Instead of saying that you will be somewhere else, say that you will be "unavailable." Unavailable could mean you are still in town or in the office taking a training class. It helps keep the bad guys from knowing where you really are.

Don't Provide Contact Info

Don't give out phone numbers or emails. Tell them that you will be monitoring your email account should they need to contact you.

Avoid Personal Information and Remove Your Signature Block

Remember that complete strangers and possibly scammers and spammers may see your auto-reply. If you wouldn't normally give this signature info to strangers, don't put it in your auto-reply.
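
The disclosure categories this article lists can be checked mechanically before an auto-reply is switched on. The Python sketch below is an added example, not part of the original article: the category names, the regular expressions and the `audit` function are assumptions, and the "safer" message is constructed to follow the advice above.

```python
import re

# Disclosure categories come from the article; the patterns are assumptions
# tuned for English-language messages and are not an exhaustive detector.
CHECKS = {
    "absence_or_location": re.compile(
        r"\bout of (?:the )?office\b|\b(?:conference|vacation|business trip|travell?ing)\b", re.I),
    "dates": re.compile(
        r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.?\s+\d{1,2}(?:\s*-\s*\d{1,2})?", re.I),
    "phone_number": re.compile(r"(?<!\d)(?:\(?\d{3}\)?[\s.-]?)?\d{3}[\s.-]\d{4}(?!\d)"),
    "email_address": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "chain_of_command": re.compile(r"\b(?:supervisor|manager|boss)\b", re.I),
    "job_title": re.compile(r"\b(?:VP|Vice President|Director|Head|Chief)\s+of\s+\w+", re.I),
}

def audit(message):
    """Return {category: [matched text, ...]} for every category that fires."""
    findings = {}
    for name, pattern in CHECKS.items():
        hits = [m.group(0) for m in pattern.finditer(message)]
        if hits:
            findings[name] = hits
    return findings

# The article's example reply, with the signature split onto separate lines.
RISKY = """I will be out of the office at the XYZ conference in Burlington Vermont
during the week of June 1-7. If you need any help with invoice-related issues
during this time, please contact my supervisor, Joe Somebody at 555-1212.
If you need to reach me during my absence you can reach me on my cell at 555-1011.
Bill Smith - VP of Operations - Widget Corp
Smithb@widgetcorp.dom
555-7252"""

# Constructed reply that follows the article's advice.
SAFER = ("I am currently unavailable and will respond as soon as I can. "
         "I am monitoring this email account for urgent requests.")

if __name__ == "__main__":
    for label, text in (("risky", RISKY), ("safer", SAFER)):
        print(label, audit(text) or "no disclosures flagged")
```

A clean result only means none of these patterns fired; a message can still leak details the patterns do not cover, so it complements a manual read rather than replacing it.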