External Out-of-Office Replies
Upcoming vacation? Don't run out of your office too fast! Remember to set up your automatic replies!
What is an Automatic Reply?
Automatic replies allow employees to send a generic response to emails received during periods of unavailability. Automatic replies can also be composed to include alternate contacts to redirect users to the correct channels for assistance. When using Outlook on the web, employees can also manage their calendar during these out-of-office time periods!
Employees can send automatic replies both to fellow YSU employees and to persons external to the YSU organization. Note: It is highly recommended that you opt out of sending external automatic replies and only send to other YSU employees and students. External automatic replies will be sent to all email addresses outside of the YSU email domains.
For more information on how to set up automatic replies, refer to Outlook: Automatic Replies.
Best Practices for External Out-of-Office Replies
Best practices for automatic replies exist because threat agents rely on gaining as much information about you and YSU as possible to pinpoint a vulnerability. What information can they gain from my automatic reply? Threat agents and bad actors value all information. It is highly recommended that YSU employees opt out of sending external automatic replies and only send automatic replies to other YSU employees and students. As recommended by YSU IT Security, follow the following Do's and Don'ts if configuring automatic replies for individuals outside of YSU:
Do's:
- Keep the message simple and non-descriptive. Avoid giving too much information and details. Ask yourself, "Is this information something that I want advertised out to the world?"
- Configure automatic replies for the correct time period of unavailability. Configuring incorrect time periods of unavailability can mark you away on your calendar or confuse verified external individuals (consultants, vendors, repair technicians, product account managers, etc.) attempting to contact you.
- Discuss your expected time out-of-office with your supervisor and/or team members. Adhere to your department's time off request procedures. Ensure your team is aware of any planned time off. This will prepare your team members in the event that verified external individuals contact them regarding projects or work items you are working on.
Don'ts:
- Don't include specific dates that you are out-of-office.Threat agents can use this information to impersonate you and contact other people who are unaware of your absence.
- Don't include personal details such as why you are away from the office or where you are during your time out-of-office. Ask yourself, "Is this information something that I want advertised out to the world?". The #1 best practice for traveling away from home is to refrain from advertising that you're away while you're away. Why? Advertising that you're vacationing in Europe for May 10 - May 18 also advertises that your home is unoccupied May 10 - May 18. Threat agents can also use this information to scam other members of the YSU organization. For instance, a threat agent can spoof your email address and message another YSU email requesting money to fund travel across Europe because "you" lost your wallet.
- Don't include alternate contact information, email addresses, or phone numbers. Including other contacts to external individuals gives them more information about your department's team structure, names of other people to possibly impersonate, and names to reference when phishing other YSU employees.
Why Are These Important?
Giving too much information and external automatic replies can result in:
- confirmation to email spammers of a live mailbox to add to their spam lists.
- personal information tat can be used for social engineering (personal and professional)
- additional details about internal reporting structure or chain of command
Having such pieces of information may not seem important individually, but all together, threat agents can use these pieces to impersonate you to others member of YSU to get more organizational information or money.
IT Security's Recommended External Out-of-Office Message Template
Hello,
I am currently unavailable but am periodically reviewing my emails. There may be a delay in my response time, but I appreciate your message and will get back to you as soon as possible.
More questions or concerns about external Out-Of-Office replies? Contact the YSU Service Desk at (330) 941-1595.