Did you know that something as simple as your out of office reply, a social media post or LinkedIn update can give an attacker all the information they need to construct believable and often hard to spot phishing emails, texts, and phone calls?
Have a look at your latest out of office reply or post on LinkedIn. Did it include:
- the dates you were on leave and contact information of a colleague or manager for urgent requests?
- information on who to contact for any issues with projects, products, or systems you use?
- information on where you're going to be (e.g. I'll be at a conference in London)?
- other information that could be used to trick someone into taking an action?
If you shared any of this information with people outside your business, you've given it to people who wouldn't usually have access to it.
How can an attack happen?
Attackers try to gain information about you through different approaches, like:
- sending a phishing email and receiving your out of office reply
- viewing your public social media profiles
- attempting to connect with you by creating a fake profile (e.g. by impersonating a recruiter or someone in your industry)
Using the information they gather, an attacker could impersonate you and contact people you work with, family or friends by:
- slightly modifying your email address (e.g. using your name but with a Gmail account instead of a business account)
- texting people in your network (e.g. by finding mobile numbers on your LinkedIn profile)
- using artificial intelligence to mimic your voice, an increasingly common attack on high-profile targets and executive-level professionals.
For example, if an attacker finds the Chief Financial Officer (CFO) of a company is out of office, they could impersonate them and target another member of the company’s finance team, asking them to make a payment or update bank details as ‘they’re at a conference and can’t access the system at the moment’.
How can you stay safe?
Review your externally facing updates and out of office replies, and make these small changes:
- Keep details to a minimum: think carefully about the information you're providing and how it could be used to target you.
- Avoid naming specific roles or colleagues, as that can lead to those colleagues receiving phishing emails in your absence.
- Create different out of office (OOO) replies: one for messages from inside your company and one for messages from outside it.
- Where contact details are needed, use public-facing ones (e.g. customer-facing phone numbers and email addresses) rather than personal ones.
- Avoid including your exact leave dates and travel details.
What does a secure out of office reply look like?
We all want to be as helpful as possible when we set up our out of office replies, but next time you do, consider how much information the people emailing you really need.
Here's an example of a safe and polite external out of office reply:
Thank you for your email. I'm unable to respond at the moment.
If your query is urgent, please contact our Customer Service team on [number].
Kind Regards.
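The split between an internal and an external reply recommended above can be enforced in the mail system rather than left to each person's judgement. The following is an added example for Exchange Online, not part of the original article: it uses the Set-MailboxAutoReplyConfiguration cmdlet to give colleagues a detailed reply while external senders receive only the minimal message shown above. The mailbox addresses, names and dates are placeholders, and the example assumes the ExchangeOnlineManagement module is installed and the account running it is permitted to manage the mailbox.

```powershell
# Added example (not from the original article): configure separate internal and
# external automatic replies so that detail useful to colleagues never reaches
# people outside the organisation. Addresses, names and dates are placeholders.

Connect-ExchangeOnline -UserPrincipalName admin@example.com   # placeholder admin account

$mailbox = 'a.user@example.com'                                # placeholder mailbox

# Internal reply: only senders inside the organisation see this, so it can carry
# the leave dates and a named colleague for urgent work.
$internal = @"
I'm out of the office until Monday 12 May. For anything urgent about the
Alpha project, please contact Jane Smith (j.smith@example.com).
"@

# External reply: no dates, no names, no travel details, only a public-facing
# contact route. Exchange renders these messages as HTML, so use <br> if you
# need explicit line breaks in the delivered reply.
$external = @"
Thank you for your email. I'm unable to respond at the moment.
If your query is urgent, please contact our Customer Service team on [number].
Kind Regards.
"@

# Scheduled replies switch themselves off, so the detailed internal text is not
# left running after the leave ends. ExternalAudience 'Known' sends the external
# reply only to people already in the mailbox's contacts; 'None' sends no external
# reply at all, which is the safest choice where a customer team handles enquiries.
Set-MailboxAutoReplyConfiguration -Identity $mailbox `
    -AutoReplyState Scheduled `
    -StartTime '2025-05-05 17:00' `
    -EndTime   '2025-05-12 08:00' `
    -InternalMessage $internal `
    -ExternalMessage $external `
    -ExternalAudience Known

# Review what external senders will actually receive before the leave starts.
Get-MailboxAutoReplyConfiguration -Identity $mailbox |
    Select-Object AutoReplyState, StartTime, EndTime, ExternalAudience, ExternalMessage

Disconnect-ExchangeOnline -Confirm:$false
```

Run the final Get-MailboxAutoReplyConfiguration check as a routine step: it shows the external text exactly as Exchange holds it, so a colleague's name or a travel detail that slipped into the wrong message is caught before any outside sender receives it.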
Hopefully you've found this article useful and next time you switch on your out of office, or post on your social channels, you’ll remember my top tips for staying secure.
This article is for financial professionals only. Any information contained within is of a general nature and should not be construed as a form of personal recommendation or financial advice. Nor is the information to be considered an offer or solicitation to deal in any financial instrument or to engage in any investment service or activity.
Parmenion accepts no duty of care or liability for loss arising from any person acting, or refraining from acting, as a result of any information contained within this article. All investment carries risk. The value of investments, and the income from them, can go down as well as up and investors may get back less than they put in. Past performance is not a reliable indicator of future returns.