Don't Let Your Out Of Office Message Become Phish Food

Written by

Holiday preparation is a big task for the majority of us; trying to squeeze that last t-shirt into your suitcase, remembering your flight details and searching the whole house to find the ‘safe place’ that you last put your passport. In contrast, writing an out of office message is stress-free for end-users and the excitement might even get the better of them. Many will write something along the lines of: 

“Hello! You’ve reached CEO James Smith. I’m on a fun cycling holiday in the French mountains with my wife and  kids from the 10th until the 15th of June! If you have an urgent message, please get in touch with Head of Accounts Payable, Sarah Jones, on 0800-PHISH-BAIT” 

Whilst the majority of people wouldn’t think twice about this message, James has unintentionally created a security risk for the organization. This email reveals plenty of sensitive information that could be used to fuel a phishing attack against his company.

A little social engineering can go a long way; by manipulating specific details within the email, a cyber-criminal can effectively prey on James’ business by either phone or email. In this scenario, Sarah Jones could receive this email from a new contact: 

"Hi Sarah, this is Sam Robins from the accounts receivable department at Acme Inc. I’ve been in contact with James Smith, and he has asked me to contact you about a wire transfer that needs to happen today to avoid interest charges. James said he's about to cycle into the French mountains with his family and may lose signal so he can’t do it himself. He wants me to work with you instead since he won't be back in the office until 15th June."

There you have it… a perfectly believable phishing email has been created from the information presented in the out-of-office message.  

When it comes to cybersecurity, the human factor needs to constantly be top of mind. Many vendors promote a “technology only” approach to cybersecurity issues, but this isn’t wholly effective. There is still a prominent viewpoint held among security and tech vendors that users are ‘unteachable’, but this is outdated and unreasonable.

The fact of the matter is that cyber-criminals are focusing their resources into targeting your users because they know that they are most likely to be the weak leak in your organization’s defense. It is our job as security professionals to accept and address this challenge by including end-users within our cyber defense strategies. There are three simple steps which security teams can keep in mind to help educate their employees.

Remind and recap 
Everyone occasionally suffers from forgetfulness; even people in positions of authority can suffer lapses due to a busy schedule or minor sickness. Unfortunately, an organization can’t afford to forget to protect itself against malware as the resulting consequences can be damaging both in terms of reputation and finance.

A report from the end of last year by Forrester Research stated that the best way to defend against phishing attacks was to “leverage all available anti-spam, anti-phishing, and web control tools on your network, and by educating, motivating, and empowering users to act as a ‘human firewall.’” 

Make sure that best cybersecurity practices are clearly communicated company-wide and are easily accessible. It is also useful to create regular reminders for users to look at cyber tips. You can also manipulate current events, such as the WannaCry attack and Equifax data breach, to justify a larger outreach.

Motivation equals dedication
Adding extra motivation when you reach out to your end-users is a very effective way of ensuring their dedication to security issues - this can be in the form of a small prize or simply praise and official recognition for their efforts.

An opportunity to earn something small, like a voucher, can ensure that an employee with a packed schedule still prioritizes training. Techniques such as quizzes, deadlines for completing cybersecurity tests, and rewards for submitting suspicious emails to security can all be utilized to engage your users.  

Positive reinforcement 
With any new initiative, there are going to be some users who struggle to pick up the knowledge. Whilst this means that they pose a greater risk to your cybersecurity defenses, do not give into the temptation to deal with these individuals with reprimands because as long as the employee is making an effort to engage, the most effective course of action is to offer extra training.

The very nature of the modern digital workplace comes with a number security risks, so ultimately businesses need to work to actively change behaviors. This might even mean that you begin cybersecurity training with your IT and cybersecurity teams and then roll out in-depth training companywide. 

However, in order to have the most effective cyber protection, user education cannot be your only defense. Human error means that an attachment on a phishing email can still be downloaded, or an out of office with too much information can be written, by a highly trained employee after a long day of back-to-back meetings. End-user training needs to be one facet of a layered approach to cybersecurity.

Fighting malware attacks effectively needs to involve flexible control over your end users’ applications, devices and admin rights. This will enable critical actions, such as patching and updating your endpoints and servers quickly and consistently, to be conducted efficiently in order to prevent cyber-criminals from exploiting vulnerabilities within your system. 

What’s hot on Infosecurity Magazine?