"Out of office" e-mail could help criminals target employees' homes

Would-be thieves can spam organizations and cross-reference information from "out of office" replies to target the homes of staff on vacation

The “out of office” e-mail many workers use when they’re on vacation could be making their homes a prime target for thieves.

A U.K. organization representing the corporate IT community, The Corporate IT Forum - .tif, issued the warning after evidence emerged that criminals are able to discover the personal details, and in some cases the home addresses, of staff through cross-referencing the information contained in “out of office” e-mail messages.

A potential scenario

The “out of office” function, a part of everyday life for many office workers, can be set to send automatic replies from an e-mail account saying that a person is, for example, away on holiday between certain dates.

The function is particularly popular among businesses that need to inform clients and customers of absences and ensure that enquiries are re-directed to another staff member.

The new practice involves criminals buying lists of so-called “spam” e-mail addresses, readily available over the Internet, and sending mass mailings with the intention of gaining “out of office” replies with details of vacation absences. Using online directories, such as Canada411, would-be burglars can cross-reference the information contained within the automatic e-mail replies, such as name, telephone number and business address, to find out the personal details and even the home address of the sender.

The group said people with unusual names and those living in smaller towns are at a higher risk than others since the names can be tracked down more easily. It also warned executives to think twice before putting their title in the “out of office” reply, because job titles can give a would-be burglar a good idea of a possible haul and a chief executive officer away from home or out of the country can make a tempting target.

“You wouldn’t go on holiday with a note pinned to your door saying who you were, how long you were away for and when you are coming back so why would you put this in an e-mail?” said David Roberts, chief executive of The Corporate IT Forum - .tif. “E-mail is the most popular form of office communication but many people forget that the information contained in these messages can get into the wrong hands.”

What can employees do?

•Keep messages as bland as possible. Say that you are currently “unable to deal with this query” or that you are “out of the office on business.”

•Redirect enquiries to a colleague’s business telephone number so someone else can assess the enquiry and verbally inform the caller of a period of absence.

•If you have an important-sounding job title, think very carefully about whether you want to reveal it to a wide audience.

•Be very careful about giving away alternative contact details; only include them if the person concerned has agreed.

•Always prepare for your absence and pre-warn key contacts personally of your holiday.

What not to do

•Never say that you are away on holiday, out of the country, or that you are away from the office between certain dates.

•Never put alternative personal contact details on an “out of office” message.

•Never put home address details, home phone numbers or personal mobile phone numbers on messages.

•Never put a colleague’s personal contact details in a message.

•Never set “out of office” messages on home or personal e-mail accounts.
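
The two lists above can be applied as an automated check on auto-reply text before it is switched on. The following is an added example, not part of the original article; the rule names and word lists are illustrative assumptions, and both sample messages are constructed.

```python
import re

# Heuristic patterns for the disclosures the two lists warn against.
# Word lists are illustrative assumptions, not an exhaustive policy.
MONTH = r"(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*"
RULES = {
    "absence reason": re.compile(
        r"\b(holiday|vacation|annual leave|abroad|out of the country)\b", re.I),
    "dates": re.compile(
        rf"\b(\d{{1,2}}[/.-]\d{{1,2}}(?:[/.-]\d{{2,4}})?"
        rf"|\d{{1,2}}(?:st|nd|rd|th)?\s+{MONTH}\b|{MONTH}\s+\d{{1,2}}\b"
        rf"|(?:back|return(?:ing)?)\s+(?:on|next)\s+\w+)", re.I),
    "job title": re.compile(
        r"\b(chief \w+ officer|c[eft]o|president|managing director|vp)\b", re.I),
    "personal contact": re.compile(
        r"\b(home|personal|mobile|cell)\b[^.\n]{0,30}\b(number|phone|address|e-?mail)\b"
        r"|\b(my|her|his) (mobile|cell|home)\b", re.I),
}

def lint_auto_reply(text):
    """Return {rule name: [matched fragments]} for every rule the text trips."""
    findings = {}
    for name, pattern in RULES.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if hits:
            findings[name] = hits
    return findings

# Constructed sample: reveals reason, dates, a personal number and a title.
RISKY = ("I am on holiday in Spain from 4 August to 18 August. "
         "For urgent matters call my mobile on 07700 900123. "
         "Jane Doe, Chief Executive Officer")

# Constructed sample following the "bland" advice: no dates, no reason,
# enquiries redirected to a colleague's business line.
BLAND = ("I am currently unable to deal with this query. Please contact "
         "my colleague on the business telephone number +44 20 7946 0018.")

if __name__ == "__main__":
    for label, msg in (("risky", RISKY), ("bland", BLAND)):
        print(label, lint_auto_reply(msg) or "no findings")
```

A check like this only flags wording for human review; it cannot tell whether a contact number is a business or personal line unless the message says so.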
