Email Signatures and Out-of-office Replies Can Act As Attack Vectors

Organizations must educate and train their employees against sharing unnecessary information to minimize exposure to threats

Email Signatures

It's a common practice to include a lot of details in our email signatures. Often, we include the complete office address, phone number with the extension, mobile numbers, company website, Twitter and LinkedIn profiles, and a host of other information in our email signatures. Little do we realize that these details are generally of no use to the recipient of the email, but of immense use to cyber criminals.


Provide cyber criminals with a wealth of verified data

These pieces of information provide cyber criminals with verified data that is used for a number of attacks, especially phishing attacks. Building on these vital pieces of information, cyber criminals can decipher the format used for email IDs of other employees, which can be used for business email compromise (BEC).

Access to the social media handles gives cyber criminals unhindered access not just to our profiles but also to the people in our networks, exposing them to potential threats and online abuse. Cyber criminals can steal profile pictures and use them to create fake accounts, which often serve as the starting point for many scams. For instance, they can use social engineering to fool you into sending money on the pretext of some emergency. You, being a friend or an acquaintance, may send money to help your ‘friend’ in distress, only to realize later that you have been scammed.


Similarly, out-of-office messages, too, provide impostors with a wealth of information. Consider a common out-of-office reply that goes something like this “Hi! Thank you for your email. I am currently traveling on a personal trip to Singapore and will have limited access to my emails. In case you need help with Project 1, please contact Name1, PhoneNumber1, and emailID1, for Project 2, please contact Name2, PhoneNumber2, and emailID2. Thank you.”

This out-of-office reply is a wealth of information for a cyber criminal. He not only learns your current location, but also the projects you are working on and the people who are working with you. He also gets verified contact details of your co-workers, who are now vulnerable to many types of scams. For instance, a cyber criminal may reach out to your colleagues by email or phone and trick them into disclosing sensitive official information. Or he may fool them into sharing personal details on the pretext that you recommended them and passed on their contact details for, say, an attractive trip to Singapore (remember, you mentioned Singapore in your out-of-office reply!), and then ask them to pay for a trip that does not exist. These are just a couple of the many possible ways cyber criminals can scam people.

Using these bits of information, they can gain access to the business network and abuse business resources. This may include stealing confidential data, planting malware or ransomware, and so on.


Educate and train employees about the possible risks

An innocuous-looking email signature or out-of-office reply can be the cause of colossal damage to a business. Therefore, it is essential that organizations take cognizance of the information being shared through these means. Apart from educating their employees about these risks, organizations should adopt a standard format for email signatures and out-of-office replies that reveals only the minimum information necessary, so that exposure to risk is kept as low as possible.
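One way to turn the recommendation above into a routine check is a small policy linter that reviews a proposed out-of-office reply before it is enabled and flags the details the article warns about (travel status, location, project names, named colleagues, their phone numbers and personal addresses), then shows the minimal-disclosure format beside it. The code below is an added example, not part of the original article or any product; the sample reply is constructed to mirror the one quoted above, and the patterns, the `review_auto_reply` and `minimal_auto_reply` functions, and the `allowed_contacts` allowlist (for a role mailbox such as a shared support address) are hypothetical policy choices rather than any standard.

```python
import re

# Constructed sample, modelled on the out-of-office reply quoted in the article.
# The name, number and address are hypothetical.
SAMPLE_REPLY = (
    "Hi! Thank you for your email. I am currently traveling on a personal trip to "
    "Singapore and will have limited access to my emails. In case you need help with "
    "Project Atlas, please contact Jane Roe, +1 555 0100, jane.roe@example.com. "
    "Thank you."
)

# Categories of detail an auto-reply should not disclose. These patterns are a
# hypothetical policy for illustration, not a standard.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
TRAVEL_RE = re.compile(r"\b(?:travell?ing|trip|vacation|holiday)\b", re.I)
LOCATION_RE = re.compile(r"\b(?:trip|travell?ing)\s+to\s+([A-Z][A-Za-z-]+)")
PROJECT_RE = re.compile(r"\bProject\s+[A-Z0-9]\w*")
# Two capitalised words after "contact" is a crude stand-in for a colleague's name.
NAME_RE = re.compile(r"\bcontact\s+([A-Z][a-z]+\s+[A-Z][a-z]+)")


def review_auto_reply(text, allowed_contacts=frozenset()):
    """Return (category, matched_text) findings for details that should not be
    in an out-of-office reply. Addresses in allowed_contacts (for example a
    role mailbox) are permitted; anything else that looks like an address is
    treated as a personal contact."""
    findings = []
    for m in PHONE_RE.finditer(text):
        findings.append(("phone_number", m.group(0).strip()))
    for m in EMAIL_RE.finditer(text):
        if m.group(0).lower() not in allowed_contacts:
            findings.append(("personal_email", m.group(0)))
    for m in LOCATION_RE.finditer(text):
        findings.append(("location", m.group(1)))
    travel = TRAVEL_RE.search(text)
    if travel:
        findings.append(("travel_status", travel.group(0)))
    for m in PROJECT_RE.finditer(text):
        findings.append(("project_name", m.group(0)))
    for m in NAME_RE.finditer(text):
        findings.append(("colleague_name", m.group(1)))
    return findings


def minimal_auto_reply(return_date, role_mailbox):
    """Build a reply in the minimal-disclosure format the article recommends:
    no location, no project names, no named colleagues, and only a role
    mailbox as the alternative contact."""
    return (
        "Thank you for your email. I am out of the office and will reply after "
        f"{return_date}. For urgent matters, please contact {role_mailbox}."
    )


def is_compliant(text, allowed_contacts=frozenset()):
    """True when the review produces no findings under the given allowlist."""
    return not review_auto_reply(text, allowed_contacts)


if __name__ == "__main__":
    for category, value in review_auto_reply(SAMPLE_REPLY):
        print(f"{category:15s} {value}")
    compliant = minimal_auto_reply("3 June", "support@example.com")
    print("minimal reply compliant:", is_compliant(compliant, {"support@example.com"}))
```

Run against the constructed sample, the review flags six items (the phone number, the personal address, the location, the travel status, the project name and the colleague's name); the minimal template passes only when the role mailbox is on the allowlist, which is the point of keeping an explicit list of approved generic contacts rather than permitting any address.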

The article has been written by Neetu Katyal, Content and Marketing Consultant

She can be reached on LinkedIn.