Out-of-office setup: what you're better off leaving out of that message
Your out-of-office message often leaks more information than you realise: who's away, for how long, and who's covering. Here's how to set it up so colleagues are helped — and fraudsters aren't.
Summer is on its way, and with it the annual flood of out-of-office emails. At first glance, harmless enough: a quick note to say you're away and who's holding the fort. But those few lines of text are a goldmine for fraudsters — and most SMBs never give it a second thought.
In this post we explain why your out-of-office message gives away more than you think, and how to write one that helps your colleagues without helping the wrong people.
Why that little message is a risk
A typical out-of-office message looks something like this:
"Dear contact, I am away from 7 July to 28 July inclusive for my summer holiday. For urgent matters, please contact my colleague Mark Jansen at mark.jansen@company.com or 06-12345678. Kind regards, Sandra de Vries — Finance Director."
What does this actually tell someone? A fraudster reads this and knows within ten seconds:
- The Finance Director is away for three weeks.
- Her stand-in is called Mark, with direct contact details.
- The email format is firstname.lastname@company.com.
- There is a window of exactly three weeks during which Sandra won't respond quickly.
For CEO fraud or invoice fraud, this is precisely the information needed. An email "on behalf of Sandra" to Mark, with urgency and a new account number — and the chance of success is significantly higher than during a normal working week.
The three types of recipients
The problem with out-of-office is that the same message goes to three very different groups:
- Internal colleagues — they don't need an out-of-office at all; they can already see your holiday in the shared calendar.
- Known external contacts — suppliers, clients, your accountant. These people can reasonably be told you're away and who to contact.
- Unknown senders and spammers — anyone who has picked up your address from somewhere. They don't need to know anything.
Most mail platforms (Microsoft 365, Google Workspace) can tell internal senders from external ones and send each group a different auto-reply. Use that feature. Set up two separate messages.
How to write a safe out-of-office message
For external senders: minimal and vague
Keep it short and avoid specific information:
"Thank you for your message. I am currently out of the office and have limited access to email. For urgent matters, please contact us at info@company.com. I will reply to your message when I return."
What we are not doing here:
- Mentioning exact dates (which reveals the attack window).
- Naming a personal stand-in.
- Sharing direct phone numbers.
- Repeating your job title (it's often already in your signature — leave it out of the auto-reply entirely).
What we do include: a general email address or phone number staffed by multiple people. No individual is put in the spotlight.
For internal senders: keep it practical
Here the message can be specific, because colleagues already know the setup:
"Hi, I'm on holiday until 28 July. Mark is covering my open files, Linda is handling payments. For a real emergency, call my mobile."
Four extra rules that make the difference
1. No payment approvals over email. Agree with your team that during the holidays of key people (management, finance), a new IBAN or urgent payment will never be processed based on an email alone. Always call back on a known number. This is a good rule year-round, but especially important in summer.
2. Turn off your signature in your auto-reply. That signature with your job title, mobile number, and LinkedIn link is included by default. Create a separate signature for your out-of-office, or switch it off altogether.
3. Limit who receives the message. In Microsoft 365 you can configure the external message to go only to people in your contacts list. Unknown senders receive nothing at all. For most SMB roles, this works perfectly well.
4. Enable 2FA — including on your stand-in's email account. If the person covering for you isn't yet using two-factor authentication, now is the time to sort that out — before you leave. A compromised inbox belonging to the stand-in is the last thing you want.
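As an added example (not from the original post), this is how the two-message setup and the "known contacts only" restriction from rule 3 can be applied to an Exchange Online (Microsoft 365) mailbox with the ExchangeOnlineManagement module. It also includes a small check that flags exact dates, phone numbers and personal addresses in the external text before the reply goes live. The mailbox address, the admin account, the info@ address and the year are placeholder assumptions; the two message texts are the ones from this post.

```powershell
# Added example: split internal/external auto-reply in Exchange Online.
# Assumptions (placeholders): admin and mailbox addresses, the shared info@ mailbox, the year.
# Requires: Install-Module ExchangeOnlineManagement (run once).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@company.example'   # placeholder admin account

$Mailbox = 'sandra.devries@company.example'                         # placeholder mailbox

# Flag the things the post says to leave out of the external message.
# Returns an empty array when nothing is flagged.
function Test-OofMessage {
    param(
        [Parameter(Mandatory)] [string]   $Text,
        [string[]] $AllowedAddresses = @('info@company.example')    # shared mailbox staffed by several people
    )
    $findings = @()
    # Exact dates such as "7 July" or "28/7"
    if ($Text -match '\b\d{1,2}\s+(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\b' -or
        $Text -match '\b\d{1,2}[/-]\d{1,2}\b') {
        $findings += 'contains an exact date'
    }
    # Phone numbers: a run of 8 or more digits with optional spaces or dashes
    if ($Text -match '\+?\d[\d\s-]{6,}\d') {
        $findings += 'contains a phone number'
    }
    # Email addresses that are not the shared mailbox
    foreach ($m in [regex]::Matches($Text, '[\w.+-]+@[\w.-]+\.\w+')) {
        if ($AllowedAddresses -notcontains $m.Value) {
            $findings += "names a personal address: $($m.Value)"
        }
    }
    return $findings
}

# Message texts taken from the post (addresses changed to placeholders)
$External = 'Thank you for your message. I am currently out of the office and have limited access to email. ' +
            'For urgent matters, please contact us at info@company.example. I will reply to your message when I return.'
$Internal = 'Hi, I''m on holiday until 28 July. Mark is covering my open files, Linda is handling payments. ' +
            'For a real emergency, call my mobile.'

# Refuse to publish an external reply that leaks detail
$problems = Test-OofMessage -Text $External
if ($problems) { throw "External message leaks detail: $($problems -join '; ')" }

# No signature is part of these texts, so the auto-reply carries no job title or mobile number (rule 2)
$Config = @{
    Identity         = $Mailbox
    AutoReplyState   = 'Scheduled'
    StartTime        = Get-Date '2025-07-07'   # assumed year; away from 7 July
    EndTime          = Get-Date '2025-07-29'   # back after 28 July inclusive, so the reply stops the next day
    InternalMessage  = $Internal
    ExternalMessage  = $External
    ExternalAudience = 'Known'                 # only senders in the Contacts folder get the external reply; 'None' disables it
}
Set-MailboxAutoReplyConfiguration @Config

# Verify what is actually configured before signing off
Get-MailboxAutoReplyConfiguration -Identity $Mailbox |
    Select-Object AutoReplyState, ExternalAudience, StartTime, EndTime

Disconnect-ExchangeOnline -Confirm:$false
```

Running `Test-OofMessage -Text $Internal` returns "contains an exact date", which is fine for the internal text and shows why the same check is applied only to the external one. `ExternalAudience` has three values in Exchange Online: `All`, `Known` (contacts only) and `None`; `Known` is the setting the post's rule 3 describes.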
A word about your calendar and LinkedIn
Your out-of-office isn't the only place your holiday leaks. An "On holiday until 28/7" post on LinkedIn does exactly the same job for a fraudster. The same goes for a shared calendar that is visible to the outside world: "Busy" is fine, but "Holiday Italy 7–28 July" rather less so. Before you head off, take a moment to check who can see what.
A quick checklist before you leave
- Two auto-replies set up: brief for external, more detailed for internal.
- No exact dates, no named stand-ins, no phone numbers in the external message.
- Signature disabled in the auto-reply.
- Team knows: no IBAN changes or urgent payments based on email alone.
- 2FA on the stand-in's mailbox confirmed.
- LinkedIn and public calendar checked for too much detail.
It takes ten minutes to set this up properly — and it could save you a very unpleasant phone call from the beach.
Not sure whether your email security is in good shape for the holiday period? Take a look at our email security service (SPF/DKIM/DMARC) or start by getting 2FA set up on the right accounts.
Full guide: Security for SMBs without an IT department: what are you doing this quarter?
This article is part of our comprehensive "Security without an IT department" guide. Read the pillar for the complete picture.