Although it might seem like the right thing to do, it isn't always. An important security risk can come from out-of-office auto-replies. Anybody who emails you while you're out of the office could possibly learn a tone of sensitive information about you thanks to your out-of-office reply.
1. Typical Out-of-Office Response Example
During the week of June 1–7, I'll be away from work attending the XYZ conference in Burlington, Vermont. Please call my boss, Joe Somebody, at 555-1212 if you require any assistance with matters relating to invoices at this time. If you need to contact me when I'm In my absence, my cell phone number is 555-1011. Widget Corp.'s Bill Smith, VP of Operations, can be reached at 555-7252. The aforementioned statement may be beneficial to some people, but it also discloses a great deal of potentially sensitive information to others. That information can be used for social engineering assaults by criminals or hackers.
The out-of-office reply shown above gives an attacker:
2. A current location's details
By divulging your location, you make it easier for attackers to find you. They will be aware that you are not at your Virginia house if you claim to be in Vermont. It would be a good idea to rob you right now. They will know where to search for you if you indicated that you were attending the XYZ conference like Bill did. Additionally, they are aware that you are not in your workplace and that they could possibly talk their way into your workplace by utilizing language like:
"To pick up the XYZ report, Bill instructed me. On his desk, he claimed. Do you mind if I quickly take it from his office?" If the narrative seemed credible, a busy secretary might just permit a stranger inside Bill's office.
When someone writes Bill an email when his autoreply is active, Bill's email server will reply with the autoreply, confirming that Bill's email account is legitimate. Email Spammers adore learning that their spam actually reached a live recipient. Now that Bill's address has been verified, it will probably be added to additional spam lists.
4. Address, Position Title, Field of Duty, and Chain of Command
Your signature block frequently includes your job title, the name of your employer (which also indicates the nature of the work you do), your email address, as well as your phone and fax numbers. If you added "while I'm out, please call my supervisor, Joe Somebody," you simply made your chain of command and reporting system public.
This knowledge could be used by social engineers in impersonation attack situations. For instance, they might phone your employer's HR division while posing as your boss and say: Here is Joe Somebody. I need Bill Smith's Employee ID and Social Security Number so that I can update his company's tax papers while he is away on vacation. Most people have clients and customers outside of the hosting domain, so this functionality won't be helpful for them. However, certain out-of-office message arrangements allow you to restrict the reply so that it only goes to members of your host e-mail domain.
Say that you will be "unavailable" rather than that you will be somewhere else. Being unavailable could imply that you are still in the area or attending a training session at work. It makes it harder for the evil guys to find out where you really are.
6. Provide no contact information
Give no phone numbers out emails, etc. Inform them that you would be keeping an eye on your email in case they need to get in touch with you.