Automated vacation messages are often frowned upon for several reasons, including that they can be a spam vector, that if set improperly (such as being triggered with every single email from every single person) they can actually be viewed as spam, and that they can cause legitimate email from you to end up in the spam folder.
But as if that’s not enough of a reason to not use an automated vacation message, they can also be used with a bit of social engineering to steal your identity.
How? First, never underestimate the creativity of scammers who employ social engineering. Many vacation messages give up far more information than the people setting them up would ever imagine.
Here are a couple of examples of actual vacation messages that we have received. Only the names have been changed in order to protect the innocent (and not share private email addresses).
Actual Vacation Message #1
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
From: johndoe@aaaohio.com via aaaohio.onmicrosoft.com
I am out of the office from Thu 03/31/2016 until Mon 04/04/2016.
Hello:
Sorry I missed you! I am out of the office until Monday, April 4. I will
have limited access to email. If a response is needed, I will get back to
you when I return.
Here’s an awesome video of rescue dogs to keep you company ’til then:
https://web.archive.org/web/20161228095934/http://www.longlivepets.com:80/
Thanks!
John Doe | Senior Manager, eBusiness | AAA Ohio
T: 246-555-1212 | T: 888.AAA.Ohio x7860 | M: 123-555-1234
E: johndoe@aaaohio.com | www.AAA.com
Actual Vacation Message #2
From: susan.smythe@kaplan.com
I am currently out of the office on vacation with no access to email on Thursday May 19th and Friday May 20th.
If you are a summer partner and have a roster or contract, please forward them to Amy Clark at amy.clark@kaplan.com
If you have any other immediate questions, please reach out to Joe Blow at joe.blow@kaplan.com
Otherwise I will respond to your email when I return on Monday May 23rd. Please excuse any delay in getting back to you.
If this is an emergency, please contact me on my cell phone at 800-555-1212.
Thanks,
Susan
—
Susan Smythe
Director
Kaplan Partner Solutions
800-555-1234 | susan.smythe@kaplan.com
www.kaplanpartnerships.com
Now, what these vacation message – and many other vacation messages – have in common is that they have a wealth of information embedded in them. Information that scammers can readily use, with a little bit of social engineering, to steal your identity, or the identity of those mentioned in these vacation messages.
For example a scammer may call Joe Blow at Kaplan.com, and say something like “Hey, I’m helping Susan with some research while she’s away. I know she’s not answering email, and won’t be back until the 23rd, so she told me to call you if I needed anything, and I really need this information now so I can have it ready for her,” ..and then after a little more massaging based on the information in the vacation message, comes the scammer’s ask (it could be for Susan’s mailing address so “something is waiting for her so she can hit the ground running”, it could be for a file from Susan’s computer, which will then lead to a line of questioning to get a password, etc.).
In John Doe’s case, while there is no referral to a colleague, there is enough information about John (his position, his direct phone number, his mobile number, and his email address) for a scammer to easily find one of John’s colleagues, and with the information about the dog videos in the vacation message, the scammer can readily convince John’s colleague that he’s a personal friend of John’s (“…and we both know how John has a soft spot for dogs..”), then comes the ask.
If you’re thinking to yourself “Oh c’mon, who would fall for something like that?”, well, it happens all the time.
For a fairly brilliant example, read here how Jessica Clark was able to gain access to author and journalist Kevin Roose’s mobile phone account.
Says Roose, “Jessica uses my girlfriend’s name and a fake Social Security number to set up her own personal access to my account. She even gets the support person to change my password. She just basically blocked me out of my own account.”
If you must use a vacation message (and we can think of few reasons why one “must”), then put the minimal information in it – something like “I will be slow to respond to email for the next few days.” Full stop. If it is someone who really needs something from you, they probably already know how to contact someone else in your organization.
If you have set up vacation messages in the past, thinking back, what information did you give up?
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
