Mon | Dec 14, 2020 | 3:30 AM PST

Out-of-office replies have become a staple for many of us. Whether we're traveling for business or pleasure, it's common practice to create an automatic out-of-office reply for incoming emails. But are we sacrificing security in the name of business continuity?

When crafting an out-of-office reply, it's critical to remember that some emails that arrive in your inbox will come from people you don't know—and, in some cases, cybercriminals who wish to do you harm. The details you provide could be used for malicious purposes and expose your organization to attack.

Before you write your next out-of-office, review these three tips. They can help you strike a better balance between productivity and security.

Tip #1: Share as few details as possible

When drafting an out-of-office message, consider what people truly need to know about your absence. You might not be concerned about close co-workers knowing that you'll be on vacation and out of the country for two weeks. But what if your reply would be sent to a cybercriminal trying to steal data from you or your organization?

It's best to take a "need to know" approach. Avoid sharing the following types of information in automatic replies whenever possible:

•  Direct business phone numbers for you, your boss, and other co-workers
•  Personal mobile numbers
•  Names, titles, and email addresses of other members of your organization
•  Concrete dates and details about your absence

For example, instead of this reply:

I will be out of the office attending the XYZ Conference through the end of the month. If you have a pressing matter, please contact me on my mobile number at 123-456-7890, or contact our controller, Jane Smith, at or 412-555-1234, x111.

Consider this instead:

I am currently out of the office. If you have a pressing matter, you can reach out to me on my mobile number or contact another member of my department via our main office number. Otherwise, I will respond to your message as soon as possible.

Both replies provide enough information for informed senders to act accordingly should they need to. Uninformed senders—including those emailing with unsolicited or malicious requests—will receive minimal information to act on.

Tip #2: Draft separate responses for internal and external replies

Some email tools allow you to tailor out-of-office replies based on the source of the incoming message. Take advantage of this option whenever possible. You can feel more confident about providing the name of an alternate contact or internal extension in replies that will go to people within your organization. However, you should still avoid providing any personal information, such as your or your co-workers' mobile numbers.

With external replies, tip #1 should guide your actions: Reveal as few details as possible. If you rarely (or never) have business-critical interactions with external sources, consider skipping an out-of-office reply for this audience, particularly if your absence will be brief.

Tip #3: Communicate the 'need to know' before you go

Don't rely on out-of-office responses to provide adequate direction to the colleagues (both internal and external) you deal with most frequently. This is particularly critical if you are part of an approval chain for sensitive or business-critical activities like the following:

•  Requests for, or authorizations of, wire transfers or invoice payments
•  Transmissions of regulatory, legal, tax, or personal healthcare information
•  Exchanges involving confidential data or intellectual property

Before you leave the office, identify the people who are most likely to contact you with time-sensitive needs while you're away. Tell them where you'll be, provide an emergency contact number (if necessary), and clarify the chain of command that will be in place. Also, inform them of your intentions while traveling (for example, whether you intend to regularly/occasionally check email, or if you plan to fully disconnect from work-related activities).

As well, instruct appropriate parties to alert you—and, if needed, your IT team—to any requests related to financial transactions or sensitive data transfers while you're away. And remember: Whether you're traveling or not, communications and actions related to these activities should always be properly vetted, voice-to-voice, rather than handled strictly through email.