The hidden risk of out-of-office emails
November 18, 2021
As someone who ran a relatively large weekly newsletter, I know just how often OOO (out-of-office) replies are used. In most campaigns I'd send, I'd see several hundred of them, or thousands if the newsletter fell on a holiday, from people on my list: people I didn't know and who didn't know me, freely giving away personal information in their auto-responders.
Without asking (or wanting, in my case), I'd receive information like:
- People's phone numbers (home, cell and office).
- Their addresses (both work and home sometimes).
- What date they'd be away, and what date they'd return.
- If they were ill, and with what illness.
- Where exactly in the world they'd be (city, specific conferences, etc.).
- Their boss' name, and their boss' contact details.
- How many children they have.
- And so much more...
All of the above information could easily be used against a person, enabling anything from old-school home robberies (because you've said exactly when you won't be home and for how long) to social engineering attacks (because a person now has personal details about you and your life). And, as a non-criminal, I can probably only imagine a fraction of the ways that information could be used against your life and/or your work.
Spammers, hackers and scammers (not to mention Big Tech) have worked tirelessly for years to gain details about us, so they can use that information against us. But too many of us forget that we sometimes needlessly offer up valuable details through OOO replies.
Don't offer your personal information to strangers
You wouldn't stand up in a room full of strangers and start shouting your cell phone number, your address, and the dates you won't be home. If we apply this (the stranger rule) to your OOO, you shouldn't put that information in a reply that anyone who emails you can receive.
A problem here is that most companies (and folks who work for themselves) don't have rules about OOO replies, or even consider the privacy risks they carry.
It always amazed me how much information strangers gave me, and anyone else who reached out to them, including any spammers or phishers who happened to email them. After all, you never know who's going to be emailing you while your OOO is switched on.
Steps to avoid OOO privacy breaches
The first thing to consider is whether or not you even need an OOO. Say you're a corporate worker or freelancer who most people would assume doesn't work on weekends or over holidays: you probably don't need an auto-responder. Or, if you know you'll be checking and replying to emails over a weekend or while you're away anyway, you can probably skip the OOO, and no one would be the wiser about any details you'd have included in it.
Simply having an OOO turned on confirms to spammers and scammers that your email address exists and is active. It also reveals how email addresses at your company are set up. For example, if your email is email@example.com and someone receives your OOO, they now know that everyone at your company probably uses a firstname.lastname@ schema for their emails, so guessing anyone else's address at your company becomes much easier.
My newsletter used to go out on Sundays, and I was always amazed at just how many corporate workers stated they were "away" from Friday evening until Monday morning. So not only is this whole thing bad for privacy, it also sets dangerous standards for overwork and burnout (no one should assume people work 24/7, including weekends and holidays).
Perhaps an OOO makes sense in your specific case. If you're at a larger company, see if there's a way to send different messages to internal senders vs. external ones, so that more details can be made available to other employees than to strangers.
Either way, consider how the information within your OOO could be used against you (and your company). Assume the worst type of person is receiving your auto-responder: what could they do with that information? Are you comfortable sharing specifics about where you'll be (or not be), how to get in touch, or who you work with?
OOOs can be intentionally vague; that alone is good for privacy. You could say you'll be "unavailable" (but not where you're going or for how long). You could say you just won't be checking email (or not checking as often), instead of giving out your phone number (I know that when I'm travelling, I don't want work calls).
Make sure you leave all your personal information out of your OOO, including the signature attached to it (signatures often carry phone numbers, addresses, etc.).
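As an added example (not from the original post), here is a small Python check you can run over a draft auto-reply before switching it on; it flags the kinds of details listed above. The regular expressions and the two sample replies are constructed for illustration and are heuristics, not an exhaustive PII detector.

```python
import re

# Heuristic patterns for the details the post lists as over-shared in auto-replies.
# Constructed for this example; they are illustrative, not an exhaustive PII detector.
RISK_PATTERNS = {
    "phone number": re.compile(r"\(?\b\d{3}\)?[\s.-]?\d{3}[\s.-]\d{4}\b"),
    "return date": re.compile(r"\b(?:until|through|back on|returning on) [A-Z][a-z]+ \d{1,2}\b"),
    "street address": re.compile(r"\b\d{1,5} [A-Z][a-z]+ (?:Street|St|Avenue|Ave|Road|Rd|Drive|Dr)\b"),
    "illness": re.compile(r"\b(?:sick|ill|surgery|hospital|medical leave)\b", re.IGNORECASE),
    "named contact": re.compile(r"\b(?:contact|reach|email|call) (?:my (?:boss|manager) )?[A-Z][a-z]+ [A-Z][a-z]+\b"),
    "travel location": re.compile(r"\b(?:the|at|attending) (?:[A-Z][a-z]+ )+(?:Conference|Summit|Expo)\b|\bin [A-Z][a-z]+, [A-Z]{2}\b"),
}


def audit_ooo(text: str) -> dict:
    """Return the risky details found in an auto-reply draft, grouped by category."""
    findings = {}
    for label, pattern in RISK_PATTERNS.items():
        matches = [m.group(0) for m in pattern.finditer(text)]
        if matches:
            findings[label] = matches
    return findings


def is_safe(text: str) -> bool:
    """True when the draft contains none of the flagged details."""
    return not audit_ooo(text)


# Constructed sample: the kind of reply the post describes receiving.
OVERSHARING = (
    "I am out of the office attending the Widget Summit in Denver, CO "
    "until August 14. I am recovering from surgery. For urgent matters "
    "contact my manager Jane Doe or call my cell at 555-123-4567. "
    "Mail can be sent to 42 Oak Street."
)

# Constructed sample: a deliberately vague reply, as the post recommends.
VAGUE = "I am currently unavailable and will not be checking email as often as usual."

if __name__ == "__main__":
    for label, hits in audit_ooo(OVERSHARING).items():
        print(f"{label}: {hits}")
    print("vague reply is safe:", is_safe(VAGUE))
```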
Most of us worry about information Big Tech and others constantly gather about us while we traverse the web. But sometimes we forget that we may be offering up personal information to anyone who reaches out via email.
If you wouldn't give these details to a total stranger in a dark alley, don't include them in your auto-responder. It's just good practice for your security and digital privacy.