Fact Check

Auto Reply Thefts

Are thieves stealing computer lists of 'out of office' auto-replies to target homes for burglary?

Published Dec 18, 2002


Claim:   Thieves are stealing computer lists of "out of office" auto-replies to target homes for burglary.


Example:   [Collected on the Internet, 2002]

Burglars target 'out of office' emails

Thieves using 'out of office' auto-reply emails to find empty homes.

Thieves are using information contained in 'out of office' auto-reply emails and cross-referencing it with publicly available personal information to target empty houses. The warning comes from UK blue chip user group The Infrastructure Forum (Tif), which uncovered details of the scam from a meeting of its members. Criminals are buying huge lists of email addresses over the internet and sending mass-mailings in the hope of receiving 'out of office' auto-responses from workers away on holiday. By cross-reference such replies with publicly available information from online directories such as 192.com or bt.com, the burglars can often discover the name, address and telephone number of the person on holiday. Tif is advising users to warn their staff to be careful of the information they put in their 'out of office' messages.

"You wouldn't go on holiday with a note pinned to your door saying who you were, how long you were away for and when you were coming back, so why would you put this in an email?" said David Roberts, chief executive at Tif. "Email is the most popular form of office communication but many people forget that the information contained in these messages can get into the wrong hands," he added. Tif's information security group has drawn up guidelines to avoid falling victim to the practice, including keeping messages bland, redirecting enquiries to another colleague, not giving out your job title, not saying you are away on holiday and not putting personal contact details in your email.


Origins:   On 4 December 2002, the Corporate IT Forum (formerly known as The Infrastructure Forum, aka TIF) issued a press release advising caution in the use of "out of office" auto-replies. That press release has since been boiled down to the form cited as our example above and circulated in e-mail. (The Corporate IT Forum is a representative body for blue-chip information technology users in the United Kingdom, according to its web site and a number of articles in the British press which mention it.)

Although the advice offered by TIF is worthy of paying heed to (don't include the information you're leaving the country for two weeks in your auto-reply, and don't give out your home address), we've found no reason to believe the burglary situation we're being told to safeguard ourselves from is real. Articles have appeared in the British press in which TIF trumpeted its warning about "out of office" replies, but, paradoxically, we've have yet to turn up any news accounts about break-ins wherein thieves employed such methods. That something is being warned about does not mean it is happening, and there's no proof British burglars are choosing their victims by having poached information from e-mail auto replies. Moreover, there's plenty of reason to doubt burglars would be selecting their targets by the method described:

  • According to the warning, the ill-intentioned are busily matching names from "out of office" replies with addresses and phone numbers gleaned from online databases. That might prove somewhat feasible if everyone's nomenclature were unique unto only themselves, but in the real world many folks share the same first and last names. A thief who sets himself to data mining is soon going to discover that there isn't just one person who possesses the name he's searching for; there are many.
  • Someone who signs his e-mails as "Jim Smith" is just as likely to be listed in the phone book or searchable online database as "J. Smith" or "James Smith." Or his name will have been misspelled in those other forums (as we've seen, no name is too simple or straightforward to not be butchered on the hoof). Or his home information will have been recorded under his wife's, parent's or roommate's name. Matching a name with where that person lives is much less simple a process than the warning lets on.
  • Anyone who bought a list of e-addresses to spam it in hopes of harvesting "out of office" notices would quickly discover those auto-replies came in from everywhere imaginable, not just from places local to him. Is it that reasonable to assume thieves would willingly travel hundreds of miles to attempt to burgle pre-selected but as-yet-unseen residences when there are many appealing targets closer to home? Or would be winnowing through hundreds of replies to find the one or two victims who are close to where they live?
  • Just because the person who set the "out of office" reply is away doesn't mean everyone in that household is gone too. This is another badly flawed presumption of the warning, that the targeted house is now standing empty.

For the warned-against situation to be real, we'd have to assume there are gangs of burglars indulging in the tedious pursuit of preselecting their victims by matching "out of office" auto-generated replies to home addresses, then going to those domiciles on spec in the hope that everyone is absent from those residences, not just the ones who set their auto replies to "Please come burgle me." That's a lot of time and effort to throw into research that may or may not net the bad guys anything at all, and keep in mind that criminals go into that line of work because they're looking for easy money.

Even allowing for cultural differences, we have a hard time accepting British burglars are that far different from their North American counterparts. Canadian and American burglars

choose their victims by far less labor-intensive methods than building lists from disparate sources and only afterwards casing the properties in question. They drive around neighborhoods looking for homes that appear to be standing unoccupied at the moment, the ones with three days' worth of newspapers piled by their front doors and no cars in the driveway. Alternatively, they look for houses where there's no visible activity, confirm this with a quick knock on the door that goes unanswered, then park a truck in the driveway, break in and help themselves, counting on any neighbors who see them to figure the homeowners are having things moved into storage, or are sending items out to be cleaned or repaired, or have decided to donate a great many things to the poor. Except in those rare instances where specific homeowners are known to possess particular valuable items, burglary is primarily a crime of easy opportunity. If the "specific valuable item" variable is not part of the equation, then one home is as good as another to the average break-in artist. Why go to great lengths to build a list of potential targets when an equally appealing array is to be easily had for all the effort of driving through a neighborhood with one's eyes peeled?

Granted, some burglars do make a bit more effort, but there aren't that many of them, and their methods are still decidedly low-tech. Even those who scan obituaries to see who won't be home that afternoon are only using one simple tool that's easily and readily available: that day's newspaper. There's no cross-matching, no multi-step procedure of "buy list of e-mail addresses, send out fake message, harvest auto-replies, weed through them, match names to information from other databases to get home addresses" — it's "read the paper, keeping a sharp eye peeled for addresses of the deceased or mourners, then break into those houses when everybody's at the funeral." (Even when the obituaries themselves don't contain this information, surrounding news stories about deaths of local personages often do.)

It lies within the realm of possibility burglars could act in the way described in the TIF warning. But if they are, the British press is failing to make mention of their forays, both successful and unsuccessful. It's more reasonable to conclude there are no burglaries of this nature, even though worry about them is being expressed, than it is to believe the burglaries are happening but the press is missing out on them.

Barbara "robber band unmanned" Mikkelson

Last updated:   6 July 2011


    The Birmingham Post.   "Criminals Use Holiday E-Mails to Hit Homes."

    10 December 2002   (p. 21).

    The Express.   "Danger of E-Mail Replies That Invite Burglars."

    9 December 2002   (p. 20).

    McCue, Andy.   "'Out of Office' Emails Used to Tip Off Burglars."

    5 December 2002   (p. 3).

    Newswire (VNU).   "Burglars Target 'Out of Office' Emails."

    4 December 2002.

    VNU Net.   "Auto E-Mails Pose Threat."

    9 December 2002   (p. 10).