In many companies there is a template which information should be in the absence note, in other companies it is up to each employee which text is used. Mostly, however, very similar texts are read according to the template:
„Ladies and gentlemen,
i’m not in the office from xx.xx.xxxx to yy.yy.yyyy. For urgent questions please contact my colleague Mrs. Example (E-Mail: firstname.lastname@example.org; telephone number: 01234/56789)
Why shouldn’t I set up an absence note despite all the obvious advantages?
- Such notes are a gift for potential attackers, as they provide information that can be used for criminal activities. Besides the obvious information (duration of absence, substitution including contact details), such an automatic reply also shows that the address is actually assigned. A spammer will certainly include this address in his address list for later phishing runs or even sell it.
- Such notes are a gift for potential attackers, as they provide information that can be used for criminal activities. Besides the obvious information (duration of absence, substitution including contact details), such an automatic reply also shows that the address is actually assigned. A spammer will certainly include this address in his address list for later phishing attacks or even sell it.
- In the worst case, the note of absence still contains where you are during vacation; this is of course way more helpful for an attack, as the attacker can additionally refer to this information to support the fake identity. Who else but family, friends and colleagues should know where you are on holiday.
How can I protect myself and my company and minimize the risks of a possible attack?
4 tips for handling absence notes in companies securely
- If I only communicate with my colleagues within the company, it is not necessary to set up an out-of-office notification. Internal information can be useful, especially in larger companies where you no longer know everyone personally.
- If I communicate with a few partners or customers outside my company, it is recommended that instead of setting up an out-of-office note, I send a short info mail with the necessary information or make a quick phone call. Besides minimizing the risk, this way I can still maintain my partner/customer relationships.
- If I have contact with many external partners or customers, setting up an out-of-office notification is certainly useful and helpful despite the risk. A compromise in this case could be that the Out of Office Assistant gets the setting to send an out of office message only to my contacts. However, this requires a maintained address book.
- In case of an unmaintained address book, the out of office note should only contain general information, refer to the known representative or alternatively to a general number. Example:
Dear e-mail sender:in,
Thank you for your message. I will be out of the office until 24.01.. Your message will not be forwarded and will be processed only after my return. In case of urgent questions, please contact the representative named to you or email@example.com.
This does not completely eliminate the risk of criminals being able to gather too much information about the out-of-office message too easily, but at least minimizes it and still maintains protection against social engineering attacks. It is always important to keep the topic of security awareness in mind, even for small things like an out-of-office note, in order to strengthen IT security awareness.
You want to learn more about Security Awareness? Then get in touch with us or test our free Demo for our Security Awareness Training!