Summer Security: Why Hackers Love Your Out-of-Office Reply
It's June. Vacation season is here. Your staff is rotating through time off, the office is running with a skeleton crew, and auto-reply messages are broadcasting exactly who's gone and when they'll be back.
For cybercriminals, this is prime time.
Why Summer Is Risky
Reduced Staff Means Reduced Vigilance
When you're running short-staffed, people are busier. Busier people are more likely to click without thinking, approve requests without verifying, and skip security procedures because there's nobody around to handle the extra step.
Out-of-Office Replies Are Intel
Your out-of-office message is helpful for colleagues and clients. It's also helpful for attackers. "I'll be out of the office June 20-30. For immediate needs, contact Sarah at sarah@yourpractice.com." Now the attacker knows: you're gone, Sarah is covering for you, and Sarah is probably overwhelmed with extra responsibilities.
The attacker sends Sarah an urgent email that appears to come from you: "Sarah, I need you to process this invoice while I'm out. It's time-sensitive." Sarah, trying to be responsive and keep things running, processes it.
Temps and Coverage Staff
If you bring in temporary staff or have someone covering a role they don't usually handle, they may not know your security procedures. They might not recognize a suspicious email because they don't know your normal communication patterns. They might not know that wire transfer requests always require verbal confirmation.
Summer Security Checklist
Fix Your Out-of-Office Replies
Keep them minimal. "I'm out of the office and will respond when I return." That's sufficient for external contacts. Don't include:
- Specific dates you'll be gone
- Who is covering for you
- Their direct email or phone number
- Details about where you're traveling
For internal contacts, you can be more specific. But external auto-replies should reveal as little as possible.
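One way to check a draft external auto-reply against the list above before it goes live. This is an added example, not part of the original article. The category names and regular expressions are assumptions chosen for illustration, and they are heuristics that will miss some phrasing.

```python
import re

# Heuristic patterns for the kinds of detail the checklist says to leave out.
# Names and patterns are assumptions made for this example.
MONTHS = (r"jan(?:uary)?|feb(?:ruary)?|mar(?:ch)?|apr(?:il)?|may|june?|july?|"
          r"aug(?:ust)?|sep(?:t(?:ember)?)?|oct(?:ober)?|nov(?:ember)?|dec(?:ember)?")
CHECKS = {
    "specific dates": re.compile(
        rf"\b(?:{MONTHS})\.?\s+\d{{1,2}}\b|\b\d{{1,2}}/\d{{1,2}}(?:/\d{{2,4}})?\b",
        re.I),
    "covering colleague": re.compile(
        r"\b(?:contact|reach out to|covering|in my absence|on my behalf)\b", re.I),
    "direct email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "direct phone": re.compile(
        r"(?<!\d)(?:\+?\d{1,2}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"),
    "travel details": re.compile(
        r"\b(?:travel(?:l?ing)?|flying|flight|abroad|overseas|conference)\b", re.I),
}

def audit_auto_reply(text):
    """Return {category: [matched snippets]} for each risky detail found."""
    findings = {}
    for category, pattern in CHECKS.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if hits:
            findings[category] = hits
    return findings

# The two messages quoted in the article.
RISKY = ("I'll be out of the office June 20-30. For immediate needs, "
         "contact Sarah at sarah@yourpractice.com.")
MINIMAL = "I'm out of the office and will respond when I return."

if __name__ == "__main__":
    for label, message in (("risky", RISKY), ("minimal", MINIMAL)):
        findings = audit_auto_reply(message)
        print(f"{label}: {'OK to send externally' if not findings else findings}")
```

An empty result means none of the patterns matched, not that the message is safe; a person should still read the reply before it is enabled.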
Brief Your Coverage Team
Before you leave, sit down with whoever is covering your responsibilities. Walk them through:
- What types of requests are normal and what should raise a red flag
- The verification procedure for financial requests
- Who to contact if something seems suspicious
- What to do if they think they've clicked on something malicious
Lock Down Before You Go
- Update all software and apply security patches before vacation
- Verify backups are running and current
- Review and disable any temporary access that's no longer needed
- If you have monitoring alerts, make sure they're going to someone who will be in the office
Secure Your Travel Devices
If you're taking a laptop or accessing work email from a personal device while traveling:
- Use a VPN when connecting to hotel or airport Wi-Fi
- Don't access banking or sensitive systems from public networks
- Enable full disk encryption on travel devices
- Don't leave devices unattended in hotel rooms (use the safe or take them with you)
Summer should be relaxing. A little preparation keeps it that way. Don't let a preventable security incident ruin your vacation or your practice's summer.