Example: [Collected on the Internet, 2002]
Thieves using 'out of office' auto-reply emails to find empty homes.
Thieves are using information contained in 'out of office' auto-reply emails and cross-referencing it with publicly available personal information to target empty houses. The warning comes from UK blue chip user group The Infrastructure Forum (Tif), which uncovered details of the scam from a meeting of its members. Criminals are buying huge lists of email addresses over the internet and sending mass-mailings in the hope of receiving 'out of office' auto-responses from workers away on holiday. By cross-reference such replies with publicly available information from online directories such as 192.com or bt.com, the burglars can often discover the name, address and telephone number of the person on holiday. Tif is advising users to warn their staff to be careful of the information they put in their 'out of office' messages.
"You wouldn't go on holiday with a note pinned to your door saying who you were, how long you were away for and when you were coming back, so why would you put this in an email?" said David Roberts, chief executive at Tif. "Email is the most popular form of office communication but many people forget that the information contained in these messages can get into the wrong hands," he added. Tif's information security group has drawn up guidelines to avoid falling victim to the practice, including keeping messages bland, redirecting enquiries to another colleague, not giving out your job title, not saying you are away on holiday and not putting personal contact details in your email.
Origins: On 4 December 2002, the Corporate IT Forum (formerly known as The Infrastructure Forum, aka TIF) issued a press release advising caution in the use of "out of office" auto-replies. That press release has since been boiled down to the form cited as our example above and circulated in
Although the advice offered by TIF is worthy of paying heed to (don't include the information you're leaving the country for two weeks in your auto-reply, and don't give out your home address), we've found no reason to believe the burglary situation we're being told to safeguard ourselves from is real. Articles have appeared in the British press in which TIF trumpeted its warning about "out of office" replies, but, paradoxically, we've have yet to turn up any news accounts about
- According to the warning, the ill-intentioned are busily matching names from "out of office" replies with addresses and phone numbers gleaned from online databases. That might prove somewhat feasible if everyone's nomenclature were unique unto only themselves, but in the real world many folks share the same first and last names. A thief who sets himself to data mining is soon going to discover that there isn't just one person who possesses the name he's searching for; there are many.
- Someone who signs his
e-mailsas "Jim Smith" is just as likely to be listed in the phone book or searchable online database as "J. Smith" or "James Smith." Or his name will have been misspelled in those other forums (as we've seen, no name is too simple or straightforward to not be butchered on the hoof). Or his home information will have been recorded under his wife's, parent's or roommate's name. Matching a name with where that person lives is much less simple a process than the warning lets on.
- Anyone who bought a list of
e-addressesto spam it in hopes of harvesting "out of office" notices would quickly discover those auto-replies came in from everywhere imaginable, not just from places local to him. Is it that reasonable to assume thieves would willingly travel hundreds of miles to attempt to burgle pre-selectedbut as-yet-unseen residences when there are many appealing targets closer to home? Or would be winnowing through hundreds of replies to find the one or two victims who are close to where they live?
- Just because the person who set the "out of office" reply is away doesn't mean everyone in that household is gone too. This is another badly flawed presumption of the warning, that the targeted house is now standing empty.
Even allowing for cultural differences, we have a hard time accepting British burglars are that far different from their North American counterparts. Canadian and American burglars
Granted, some burglars do make a bit more effort, but there aren't that many of them, and their methods are still decidedly
It lies within the realm of possibility burglars could act in the way described in the TIF warning. But if they are, the British press is failing to make mention of their forays, both successful and unsuccessful. It's more reasonable to conclude there are no burglaries of this nature, even though worry about them is being expressed, than it is to believe the burglaries are happening but the press is missing out on them.
Barbara "robber band unmanned" Mikkelson
Last updated: 6 July 2011
The Birmingham Post. "Criminals Use Holiday E-Mails to Hit Homes." 10 December 2002 (p. 21). The Express. "Danger of E-Mail Replies That Invite Burglars." 9 December 2002 (p. 20). McCue, Andy. "'Out of Office' Emails Used to Tip Off Burglars." 5 December 2002 (p. 3). Newswire (VNU). "Burglars Target 'Out of Office' Emails." 4 December 2002. VNU Net. "Auto E-Mails Pose Threat." 9 December 2002 (p. 10).