Quick Tips: Out of Office Replies

May 6, 2021
Have you ever sent an email to someone and received an “Out of Office” notification that looks like this?

Thank you for your email. I am currently vacationing with my sister in Playa del Carmen until May 19th. If you need help, please call Bob Smith in Business Development or Nancy Andrews in Human Resources.



What do you notice here? Other than the fact that this person is likely enjoying themselves on a beach, this reply is far too specific and gives a criminal several details to work with. You may not quite see it yet, so let’s delve into this from the mindset of an attacker.



An attacker gets the above reply to a phishing attempt they have sent. If they have strong English-speaking skills, they may then find a phone number for this company and call Bob Smith (the name mentioned in the email) to start a conversation. Here is how it could happen:

Bob: “Hello, this is Bob Smith. How may I help you?”
Criminal: “Yes, Bob, this is Tim with ABC Company. I had been working with Tammy before she left with her sister to Playa del Carmen. There is a file I need to have reviewed and Nancy in HR was unable to help me. Could you assist me?”

What this criminal has just done is a form of social engineering; he is trying to build a rapport with the victim, Bob. If a company has not stayed current on security awareness training, Bob could fall victim to this trick and accept a file from the attacker. Depending on the motives of the attacker, several bad things could happen at this point.

Protecting Your Information and Company


When formulating an “Out of Office” reply, here are some suggestions:

- Keep your escalations nonspecific. Instead of saying “Call Bob for help”, try “Call Business Development”. 

- Never disclose your whereabouts or reason for being out of office. This can create risks to your physical security as well as your cyber security.

- If your email system allows it, use a less specific reply for external senders to avoid the scenario above. An internal reply can detail the exact person(s) to call if needed.
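As an added example (not part of the original post), here is how the last suggestion could be set up, assuming the email system is Exchange Online and a session is already open with Connect-ExchangeOnline. The mailbox address, dates and message text are constructed for illustration.

```powershell
# Assumes an Exchange Online session (Connect-ExchangeOnline) is already open.
# Mailbox address, dates and message text are constructed for illustration.
$mailbox = 'tammy@example.com'

# External senders: no names, no location, no reason; department-level escalation only.
$external = 'Thank you for your email. I am currently out of the office. ' +
            'If you need help, please call Business Development.'

# Internal senders: can name the exact people to contact.
$internal = 'I am out of the office until May 19th. ' +
            'For help, please call Bob Smith in Business Development ' +
            'or Nancy Andrews in Human Resources.'

Set-MailboxAutoReplyConfiguration -Identity $mailbox `
    -AutoReplyState Scheduled `
    -StartTime '2021-05-10 08:00' -EndTime '2021-05-19 08:00' `
    -InternalMessage $internal `
    -ExternalMessage $external `
    -ExternalAudience All

# Audit: list mailboxes with auto-replies enabled whose external reply is the
# same text as the internal one, i.e. no separate external wording was written.
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxAutoReplyConfiguration |
    Where-Object {
        $_.AutoReplyState -ne 'Disabled' -and
        $_.ExternalAudience -ne 'None' -and
        $_.ExternalMessage -eq $_.InternalMessage
    } |
    Select-Object Identity, AutoReplyState, ExternalAudience
```

Mailboxes returned by the audit are the ones to review first, since whatever detail their owners wrote for colleagues is also going to outside senders.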

When you are preparing for your well-deserved time off, remember these steps to help make your business (and yourself) less of a target. For additional security awareness training and scenario-based tabletop exercises, reach out to Secure Point Solutions. 

