The e-mail absence note as a threat for IT security

An absence note can help hackers to prepare  their next phishing attack.
Who doesn't know them - e-mails from business partners with the information that the counterpart is unresponsive at the moment, frequently with the indication from when to when, and to whom one can someone turn instead. In itself a helpful tool for both sides - but is it really wise to set up such an absence note?

In many companies there is a template which information should be in the absence note, in other companies it is up to each employee which text is used. Mostly, however, very similar texts are read according to the template:

„Ladies and gentlemen,

i'm not in the office from xx.xx.xxxx to yy.yy.yyyy. For urgent questions please contact my colleague Mrs. Example (E-Mail: example@example.com; telephone number: 01234/56789)

Best regards,

Me"

Why shouldn't I set up an absence note despite all the obvious advantages?

  1. Such notes are a gift for potential attackers, as they provide information that can be used for criminal activities. Besides the obvious information (duration of absence, substitution including contact details), such an automatic reply also shows that the address is actually assigned. A spammer will certainly include this address in his address list for later phishing runs or even sell it.

  2. Such notes are a gift for potential attackers, as they provide information that can be used for criminal activities. Besides the obvious information (duration of absence, substitution including contact details), such an automatic reply also shows that the address is actually assigned. A spammer will certainly include this address in his address list for later phishing attacks or even sell it.

  3. In the worst case, the note of absence still contains where you are during vacation; this is of course way more helpfull for an attack, as the attacker can additionally refer to this information to support the fake identity. Who else but family, friends and colleagues should know where you are on holiday.

How can I protect myself and my company and minimize the risks of a possible attack?

4 tips for handling absence notes in companies securely

  1. If I only communicate with my colleagues within the company, it is not necessary to set up an absence note outside of the company. Internal information can be particularly useful in larger companies where you no longer know everyone personally.

  2. If I communicate with a few partners or customers outside my company, it is recommended that instead of setting up an out of office note, sending a short mail with the necessary information or makeing a short phone call. In addition to minimizing the risk, this also allows me to maintain my partner/customer relationships.

  3. If I have contact to many external partners or customers, setting up an absence note is certainly useful and helpful despite the risk. A compromise could be in this case that the out of office assistant receives the setting to send an out of office note only to my contacts. However, this requires a properly maintained address book.

  4. If you are absent for a longer period of time, it is best, if possible, to work with automatic forwarding of your emails to the substitute colleague or with mailbox authorizations.

Thus the risk that criminals can too easily gather too much information about the absence note is not completely eliminated, but at least minimized and the protection against social engineering attacks is still maintained. 

It is always important to keep the topic of security awareness in mind, even with small things like an absence note, in order to strengthen IT security awareness.