Are you going on vacation, commuting to work or leaving a project or team? Whatever the reason, chances are high that you will use an autoresponder in your email, or even in your messengers. In their defense, we all know that automatic email replies matter: they tell clients and colleagues whom to contact in your absence (so that they do not end up interrupting your time off to ask something).

The danger lies in two decisions you make when using them: what you write in the reply and who receives those automatically triggered emails. These messages may contain information such as the length of your trip, contact details of the person covering for you, and detailed instructions.

Why automatic responses can be a treasure trove for social engineering

Automatic replies appear harmless, but they can become a corporate or household risk if you do not restrict the recipient list. If you send them to everyone, you end up handing the gold to spammers or enabling a targeted phishing attack.

An automatic reply tells the sender that the email address is valid and belongs to a specific person, and it reveals a first and last name, a title, and sometimes a phone number. That makes for easy targets and offers criminals a treasure trove of social engineering data.

What is social engineering?

In the context of digital security, social engineering refers to manipulating people into performing actions (opening infected attachments, downloading files, allowing access) or disclosing sensitive information, based on data that the victims themselves have let slip. It is a type of intrusion that relies heavily on human interaction and involves deceiving people in order to break through layers of security. A classic social engineering attack is when one person impersonates another.

What can happen with an autoresponder?

Imagine that you go on vacation and leave the autoresponder enabled for everyone and full of details: the date you will return, whom to contact about “Project X”, or the fact that “Y” is someone else’s responsibility (along with their contact details).

In a targeted phishing attack, the contacts you suggested may receive messages from criminals impersonating people who work with you, referring to an earlier discussion with the person in charge of “Project X” and carrying an infected attachment. The summary is simple: the more they know, the more convincing they will be.

How to create secure automated messages?

There are no absolute guarantees, but you can be a little more careful when writing your automatic reply. Anyone who administers an e-mail domain can also propose some internal rules and limits that will help.

The tips are also valid for home use. After all, who has never received an email that was clearly a phishing scam, with promises of marriage, money and the other absurd messages that arrive in our inboxes every day?

Kaspersky Lab advises 5 steps to prevent headaches with automatic replies: “A sensible policy on absence of messages is necessary.”

  1. Determine which employees really need automatic replies. If an employee handles only a few clients, they can notify them directly and personally.
  2. For employees whose tasks are being covered by only one person, it makes sense to use redirection, although that is not always very convenient.
  3. It is recommended to create two auto-reply options: one for internal addresses (the same company) and one for external addresses. Give more detailed information to colleagues, while people outside the team should learn as little as possible.
  4. If an employee corresponds only with colleagues, the network administrator can dispense with automatic replies to external addresses altogether.
  5. In any case, advise employees that these messages should not contain sensitive information: names of product lines, customers, colleagues’ phone numbers, information on where and when they will be on vacation …
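
One way to enforce step 5 before a template goes live is to lint the reply text for the kinds of detail listed there. The script below is an added example, not part of the original article or of any Kaspersky or Google tool; the regexes, the `sensitive_terms` list and both sample templates are assumptions constructed for illustration.

```python
import re

# Detail categories that step 5 says to keep out of an auto-reply.
# These regexes are illustrative assumptions; tune them to your locale.
PATTERNS = {
    "phone number": re.compile(r"\+?\d[\d\s().-]{7,}\d"),
    "email address": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "date": re.compile(
        r"\b\d{1,2}/\d{1,2}(?:/\d{2,4})?\b"
        r"|\b(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\.?\s+\d{1,2}\b",
        re.IGNORECASE),
}

def lint_auto_reply(text, sensitive_terms=()):
    """Return sorted (category, matched_text) findings for one reply template."""
    findings = set()
    for category, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            findings.add((category, match.group()))
    # Product lines, customers and project names cannot be guessed by a regex,
    # so the caller supplies them (hypothetical list maintained by the admin).
    for term in sensitive_terms:
        if re.search(r"\b" + re.escape(term) + r"\b", text, re.IGNORECASE):
            findings.add(("sensitive term", term))
    return sorted(findings)

# Constructed sample templates, not taken from any real mailbox.
DETAILED = ("I am on vacation in Lisbon until August 19. For Project Falcon, "
            "contact Ana Lima at ana.lima@example.com or +55 11 5555-0100.")
MINIMAL = ("I am currently out of the office and will reply when I return. "
           "For urgent matters, please write to our general contact address.")

if __name__ == "__main__":
    for name, template in (("detailed", DETAILED), ("minimal", MINIMAL)):
        print(name, lint_auto_reply(template, sensitive_terms=["Project Falcon"]))
```

A template meant for external addresses should come back with no findings; the internal variant from step 3 can tolerate some of them after review.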

How Gmail Auto Responders Work

According to Google (I have gathered the most popular Gmail answers here), your automatic vacation response starts at midnight on the start date and ends at 11:59 pm on the end date, unless you end it earlier. In most cases, the auto-reply is only sent to people the first time they send you an email.

Who can see your automatic vacation reply more than once:

  • If the same person contacts you again after four days and the vacation responder is still enabled, that person will see the reply again.
  • Your vacation responder resets the count whenever you edit it. If someone receives your initial vacation reply and sends you an email after you edit it, that person will see your new reply. Therefore, avoid editing it after enabling it.
  • If you use Gmail at work, school, or business, you can choose whether the response will be sent to everyone or just to people in your organization.

Who does not receive your automatic reply:

Messages that go to the “Spam” folder and messages sent to a mailing list you subscribe to do not receive an automatic reply.
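
To see how much the recipient setting changes exposure, the rules above can be modeled and run over an inbound mail log. This is an added example, not Google's code and not part of the original article; the class, the field names, the reading of "after four days" as four days or more, and the sample log are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

RESEND_AFTER = timedelta(days=4)  # assumption: "after four days" means >= 4 days

@dataclass
class VacationResponder:
    start: datetime                       # midnight on the start date
    end: datetime                         # 11:59 pm on the end date
    org_domain: str = ""                  # non-empty: reply only inside the organization
    contacts: frozenset = frozenset()     # non-empty: reply only to known contacts
    last_sent: dict = field(default_factory=dict)

    def edit(self):  # editing the reply resets the per-sender count
        self.last_sent.clear()

    def should_reply(self, sender, when, spam=False, mailing_list=False):
        sender = sender.lower()
        if spam or mailing_list or not (self.start <= when <= self.end):
            return False
        if self.org_domain and not sender.endswith("@" + self.org_domain):
            return False
        if self.contacts and sender not in self.contacts:
            return False
        last = self.last_sent.get(sender)
        if last is not None and when - last < RESEND_AFTER:
            return False                  # this sender already saw the reply
        self.last_sent[sender] = when
        return True

def recipients(responder, inbound):
    """Senders, in order, that learn the reply's contents from this mail log."""
    return [m["from"] for m in inbound if responder.should_reply(
        m["from"], m["at"], m.get("spam", False), m.get("list", False))]

# Constructed inbound log for a vacation from 1 to 14 August 2024.
WINDOW = (datetime(2024, 8, 1, 0, 0), datetime(2024, 8, 14, 23, 59))
INBOUND = [
    {"from": "colleague@example.com", "at": datetime(2024, 8, 2, 9)},
    {"from": "stranger@unknown.test", "at": datetime(2024, 8, 2, 10)},
    {"from": "stranger@unknown.test", "at": datetime(2024, 8, 3, 10)},  # < 4 days
    {"from": "bulk@spam.test", "at": datetime(2024, 8, 4, 8), "spam": True},
    {"from": "news@lists.test", "at": datetime(2024, 8, 5, 8), "list": True},
    {"from": "stranger@unknown.test", "at": datetime(2024, 8, 7, 10)},  # 5 days on
]

if __name__ == "__main__":
    print(recipients(VacationResponder(*WINDOW), INBOUND))
    print(recipients(VacationResponder(*WINDOW, org_domain="example.com"), INBOUND))
```

With no restriction the unknown external sender receives the reply twice; with the organization-only setting only the colleague does.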

How to adjust your automatic responses?

  1. Open Gmail;
  2. Click “Settings” (gear icon) and “Settings” again;
  3. Scroll down to the “Vacation responder” section;
  4. Select “Vacation responder enabled”;
  5. Fill in the date range, subject and message (following the tips above). In the message section, check the box if you want only your contacts (people who are in your Google contacts) to see the reply. This already helps limit who receives it. If you belong to an organization, choose whether everyone or just colleagues receive the reply.
  6. At the bottom of the page, click “Save Changes.”


If you created a Gmail signature, it will be shown at the bottom of your auto-reply. Therefore, it is worth removing your phone number and other information from it.

