Actuarial Outpost
 

View Poll Results: Are out-of-office auto replies dangerous?
Yes - don't ever, ever, ever, ever, ever, ever, ever...ever use an out of office reply or you are risking the security of your identity, your life and possibly the internet! (0 votes, 0%)
No - these guys are morans! (8 votes, 57.14%)
A little bit of column A, a little bit of column 2 (3 votes, 21.43%)
42 (3 votes, 21.43%)
Voters: 14.

#1
05-05-2017, 04:45 PM
Kenny
Member, Non-Actuary
Join Date: Jan 2003
Posts: 7,119
Out of office replies dangerous?

These articles are a little old, but this topic came up recently so I thought I would ask the all knowing oracle.

Is this a real threat or a bunch of jack-ass bloggers needing something to write about?

http://www.lawyersmutualnc.com/blog/...n-auto-trouble

Quote:
Originally Posted by Auto-Reply Can Mean Auto-Trouble
You’re headed off for a well-deserved vacation. All your cases are covered. All loose ends are tied up.

You start to turn off your computer – but before you do, you remember to leave an out-of-office auto-reply email message.

Smart move, right? Maybe not.

Cyber-security experts urge caution when using email auto-reply. They say it gives hackers and scammers too much personal information – and it might even open doors for them to sneak in while you’re gone.

Why Hackers Love Auto-Reply

Consider the following sample email auto-reply message:

Thank you for contacting me. Please be advised that I will be out of the office from March 3 through March 7, attending a cyber-security conference in Concord. I will not be checking my email during this time. If this is an urgent matter, feel free to contact my assistant, Joe Wrighthand, directly at 919-354-6438 or jwrighthand@goodlaw.com.

Just by reading your auto-reply, bad guys will acquire a lot of personal information about you and your whereabouts. For instance, they now know:

You are not in the office.
You are not even in town – you are in Concord.
You will be gone through March 7.
Your assistant is Joe Wrighthand.
Your assistant has at least some authority to conduct business in your absence.
Your assistant has a direct phone line and a separate email address.
Imagine the nefarious ways a naughty person might use this information.

The most important information spammers receive from an auto-reply is proof of an active and functioning email account. Once they have this in hand, you become a target for future spam and phishing schemes. Your email address might be shared or sold on the black market.

“The best practice is to avoid using the out-of-office auto-reply at all,” advises Andy O’Donnell at Net Security. “Skip the auto-reply, call your important customers and family and let them know how to reach you. If you feel you must use an auto-reply, be extremely vague in your language. State that you will be unavailable, which will provide uncertainty as to whether you are out of town or just in a long (local) meeting. Remove your signature block and avoid providing any personally identifying information.”

Ways to Avoid Trouble

There are two principal dangers in auto-reply messaging: (1) you have no control over who sees the message, and (2) you have no control over what they do with its contents.

Here are some ways to side-step the danger:

Come up with an office policy. Make sure everyone is on the same page.
“Prepare and implement a security policy or user agreement, so users know the company policies with regard to protecting information,” says Professional Liability Matters. “The policy should note what information can be divulged in an out-of-office notification.”

Report suspicious behavior. Alert everyone in the office to potential holes in the system.

Don’t drop names unnecessarily. A thief who knows not only your name but also the name of your trusted assistant – and perhaps the name of the city, hotel and conference you are attending – can cause mischief.

Less is more. Be vague in your out-of-office message. Very vague. Leave the details for direct communications.

Use different messages. “If possible, utilize one message for internal responses and another for e-mails from out-of-office contacts,” advises one expert.

Block potential spam. Ask your IT manager to configure your account so it either blocks messages from Internet addresses or does not reply to them.

Reply only to trusted sources. Configure your account so that it only sends an auto-reply to specified clients, members of a user group or those who are on your contact list.

Remove your email signature from the auto-response. This seemingly harmless detail is packed with information that can be used by scammers.

And finally, make sure those who are in the office know how to reach you if red flags pop up while you are away. This assures immediate, direct action to deal with problems before they explode.
__________________
I am a scientist. I am sorry to disappoint you but I have never seen an elf or a troll. But who am I to exclude their existence? - Arni Bjoernsson
You are stupid and evil and do not know you are stupid and evil. ... Dumb students are educated stupid. - timecube.com
Usually while I'm reading, I'm actually thinking about...midgets riding toy horses - Roto
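
An added example, not part of the original post or the quoted article: a small Python check that flags the kinds of detail the article says an auto-reply leaks, run against the article's sample message. The rule names, patterns and the `VAGUE` message are assumptions made for illustration, and the heuristics will miss or over-match some phrasings.

```python
import re

# Sample auto-reply based on the quoted article; VAGUE is constructed here.
SAMPLE = (
    "Thank you for contacting me. Please be advised that I will be out of the "
    "office from March 3 through March 7, attending a cyber-security conference "
    "in Concord. I will not be checking my email during this time. If this is an "
    "urgent matter, feel free to contact my assistant, Joe Wrighthand, directly "
    "at 919-354-6438 or jwrighthand@goodlaw.com."
)
VAGUE = "I am currently unavailable and will respond as soon as I can."

MONTH = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*"

# Hypothetical rule set: one pattern per kind of detail the article lists.
RULES = {
    # "March 3" or "3/7" style dates reveal the absence window.
    "absence_dates": re.compile(
        rf"\b{MONTH}\.?\s+\d{{1,2}}\b|\b\d{{1,2}}/\d{{1,2}}(?:/\d{{2,4}})?\b"),
    # North American style direct phone lines.
    "phone_number": re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    # Any additional mailbox handed to the sender.
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # A role word followed, in the same sentence, by a "First Last" name.
    "named_delegate": re.compile(
        r"\b(?:assistant|colleague|manager|supervisor|contact)\b"
        r"[^.]*?\b[A-Z][a-z]+\s+[A-Z][a-z]+\b"),
    # Phrases that say where the person is or what they are doing.
    "location_or_event": re.compile(
        r"\b(?:attending|travell?ing to|visiting|conference in|vacation in)\b[^.,]*",
        re.I),
}

def audit_auto_reply(text):
    """Return {rule_name: [matched snippets]} for every rule that fires."""
    findings = {}
    for name, pattern in RULES.items():
        hits = [m.group(0).strip() for m in pattern.finditer(text)]
        if hits:
            findings[name] = hits
    return findings

def is_safe_for_external(text):
    """True when no rule fires, i.e. the message is as vague as advised."""
    return not audit_auto_reply(text)

if __name__ == "__main__":
    for rule, hits in audit_auto_reply(SAMPLE).items():
        print(f"{rule}: {hits}")
```
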


#2
05-06-2017, 10:24 PM
ao fan
Member
Join Date: Apr 2007
Location: hating the ao
Posts: 96,719
Blog Entries: 1

why would anyone say in an auto-reply that they are at a conference or where they are other than being out of the office?

i don't say who they can contact in my absence, but even if i did, not seeing why this is dangerous. if they are attempting to contact me in the first place, it's most likely a client or coworker and basically harmless. my company also filters out emails that are potentially threatening in some way.
__________________
Be prepared to be overwhelmed by cuteness!!!!
Spoiler:
awesome, crazy, badass maltese (compliments of booger):
Spoiler:
#3
05-06-2017, 10:55 PM
Maphisto's Sidekick
Member, CAS AAA
Join Date: Nov 2001
Location: South Park Genetics Lab
College: Ardnox
Favorite beer: The kind with alcohol
Posts: 2,041

Quote:
Originally Posted by ao fan
why would anyone say in an auto-reply that they are at a conference or where they are other than being out of the office?
It's a piece of information that succinctly explains why you're out of the office and provides some implication of your availability. I might try to squeeze in a call with someone during break time at a conference, but I'll leave them alone if possible if it's a death in the family.

Quote:
Originally Posted by ao fan
i don't say who they can contact in my absence, but even if i did, not seeing why this is dangerous. if they are attempting to contact me in the first place, it's most likely a client or coworker and basically harmless. my company also filters out emails that are potentially threatening in some way.
I think the concern is that you're volunteering information that could be used as ammunition by a bad guy seeking to make a social engineering attack.

In some roles, if you're going to be unplugged, the folks contacting you for immediate assistance need to know who to contact in your absence. So providing some information is likely unavoidable...but it's probably not a bad idea to minimize that exposure.

Or we could all just never unplug.
#4
05-06-2017, 11:13 PM
ao fan
Member
Join Date: Apr 2007
Location: hating the ao
Posts: 96,719
Blog Entries: 1

when i'm out of the office i say i'm not reachable by email or voicemail even if i might be checking it. i lie and say i'm not cause **** you all leave me alone! others say that they are checking it sporadically. i still don't see why it requires to say where you are though. you can mention your availability without saying where you are.

yeah, i can see giving the information of someone to contact in your absence. i don't, but others do. it's usually the boss man. not seeing how them then contacting the boss man is threatening though.
#5
05-07-2017, 12:06 AM
Marcie
Member, CAS
Join Date: Feb 2015
Posts: 5,722

Quote:
Originally Posted by Kenny
These articles are a little old, but this topic came up recently so I thought I would ask the all knowing oracle.

Is this a real threat or a bunch of jack-ass bloggers needing something to write about?

http://www.lawyersmutualnc.com/blog/...n-auto-trouble
#6
05-08-2017, 10:31 AM
G-Funk
Member
Join Date: Jan 2009
Posts: 1,087

Quote:
Originally Posted by ao fan
my company also filters out emails that are potentially threatening in some way.
Must be nice... my company sends us potentially harmful emails and makes us take a course on cyber security if we open them. If we don't open them, they send us more next week.
#7
05-08-2017, 10:35 AM
snikelfritz
Member
Join Date: Jun 2011
Location: Yep
Studying for Nope
Favorite beer: Yep
Posts: 26,924

Yeah it does prove you have a real email address, but, it's necessary, otherwise people will be pissed that you ignored their emails for a week.
__________________
Buddy, our boy can become President of the USA and we can engineer it. I will get all of Putin's team to buy in on this.
#8
05-08-2017, 10:39 AM
ao fan
Member
Join Date: Apr 2007
Location: hating the ao
Posts: 96,719
Blog Entries: 1

Quote:
Originally Posted by G-Funk
Must be nice... my company sends us potentially harmful emails and makes us take a course on cyber security if we open them. If we don't open them, they send us more next week.
oh we have gotten fake harmful emails to trick us too. i didn't have to take a course after accidentally opening one though and it's not like a continual thing they do.
#9
05-08-2017, 11:04 AM
Jim Bob Cooter
Member, SOA
Join Date: Jan 2017
Posts: 2,554

I set up Outlook to only send auto replies to people in my organization. Doesn't seem dangerous to me.
#10
05-08-2017, 11:22 AM
ao fan
Member
Join Date: Apr 2007
Location: hating the ao
Posts: 96,719
Blog Entries: 1

Quote:
Originally Posted by Jim Bob Cooter
I set up Outlook to only send auto replies to people in my organization. Doesn't seem dangerous to me.
can't do that in consulting.