
You are out of office. Who’s watching your inbox?

We are continuing our Cybersecurity Awareness Month series with a look at an exposure most of us probably don’t think about. Out-of-office (OOO) email replies, designed to let people know what to expect while you’re away from work, have become an avenue for targeted phishing. OOO phishing attacks occur when cybercriminals harvest personal details from these automatic replies and use them to craft highly targeted scams aimed at your colleagues.

These scams are particularly common during peak vacation seasons, such as summer and the holidays, when cybercriminals know that staffing is reduced and the colleagues covering extra duties are likely to be overworked.

The danger of an OOO message lies in providing too much personal information. An auto-reply goes to anyone who emails you, including an attacker, so everything in it should be treated as public. Those details help a cybercriminal impersonate you convincingly: using a lookalike email address (one that closely resembles a legitimate company address), the attacker targets a colleague and requests an urgent action.

  • A risky OOO reply might include not just your away dates and the contact details of the colleague covering for you, but also your specific travel plans and other personal information.
  • Having received your OOO reply (for example, in response to an earlier company-wide phishing email), the criminal now knows that you are away, for how long, and who is covering for you, and can pose as you armed with your private details.
  • They then send an urgent email from a lookalike address asking the covering colleague for sensitive information or to process a payment. Because the request quotes details gleaned from your OOO message, it looks legitimate, and the recipient is tricked into performing a harmful action or clicking a malicious link.
Example of a risky OOO
“I am out of the office visiting my sick grandmother in Florida until [Date]. Please contact John Smith at J.Smith@company.com for all urgent matters.”
Example of a safe OOO
“Thank you for your email. I am currently out of the office and will return on [Date]. For urgent requests, please contact the Sales Support Team at support@company.com.”
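The lookalike-address step in the attack above is something mail filtering can help with before a colleague ever sees the message. The following is an added example, not code from the original post: a Python heuristic that classifies a From: header against the organization's genuine domain and flags addresses that match after folding confusable characters, sit within a small edit distance, or embed the company's name inside some other domain. company.com is the placeholder the post itself uses; the homoglyph table and the sample senders are constructed assumptions.

```python
"""Heuristic check for sender domains that imitate the organization's own domain.

Added example, not code from the original post. "company.com" stands in for the
organization's real domain, as it does in the post; the homoglyph table and the
sample senders below are constructed for illustration.
"""
from email.utils import parseaddr
from typing import Dict, Iterable, Tuple

LEGIT_DOMAIN = "company.com"  # assumption: the organization's genuine domain

# Character sequences attackers swap in because they look alike at a glance
# (constructed list, not exhaustive).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain: str) -> str:
    """Lowercase, fold look-alike sequences into their targets, drop separators."""
    folded = domain.lower()
    for fake, real in HOMOGLYPHS:
        folded = folded.replace(fake, real)
    return folded.replace("-", "").replace(".", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; domains are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Extract the domain from a From: value such as 'John Smith <j.smith@x.com>'."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def classify_sender(header_value: str, legit_domain: str = LEGIT_DOMAIN) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is internal, lookalike, external or invalid."""
    domain = sender_domain(header_value)
    if not domain:
        return "invalid", "no parseable address"
    legit = legit_domain.lower()
    if domain == legit:
        return "internal", "exact match"
    norm_domain, norm_legit = normalize(domain), normalize(legit)
    if norm_domain == norm_legit:
        return "lookalike", "differs only by confusable characters or separators"
    distance = levenshtein(norm_domain, norm_legit)
    if distance <= 2:
        return "lookalike", f"edit distance {distance} from {legit}"
    label = legit.split(".")[0]
    if normalize(label) in norm_domain:
        return "lookalike", f"contains the label '{label}' inside another domain"
    return "external", "unrelated domain"


def triage(header_values: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """Classify a batch of From: values; the lookalikes go to a review queue."""
    return {value: classify_sender(value) for value in header_values}


# Constructed sample From: values, modelled on the attack described in the post.
SAMPLE_SENDERS = [
    "J.Smith@company.com",                  # the genuine covering colleague
    "John Smith <j.smith@cornpany.com>",    # rn looks like m
    "j.smith@c0mpany.com",                  # digit zero for the letter o
    "j.smith@company.co",                   # one character dropped from the TLD
    "finance@company-support.com",          # company name inside a new domain
    "j.smith@company.com.evil.example",     # company domain as a subdomain
    "jane@gmail.com",                       # ordinary external sender
]

if __name__ == "__main__":
    for sender, (verdict, reason) in triage(SAMPLE_SENDERS).items():
        print(f"{verdict:9} {sender:38} {reason}")
```

This is a triage heuristic, not a blocking rule: it will also flag benign domains that happen to contain the company's label, so route its hits to a banner ("external sender resembling our domain") or a review queue, and keep the out-of-band verification step for any request that asks for money or data.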

Follow these steps when setting your out-of-office message to keep yourself and your whole organization safe:

  1. Keep it vague: Your OOO message should be minimal. Include only your dates of absence and a generic alternate contact, preferably a shared team mailbox rather than a named individual, and leave out any personal details.
  2. Verify: Confirm any request for a payment, credentials, or sensitive data through a second channel (a known phone number or an internal chat, not a number or link supplied in the email itself), especially for financial transactions.
  3. Be extra careful during peak vacation season: Summers and holidays are high season for OOO emails, and organizations may see a higher volume of OOO-based phishing scams at these times.
Cybersecurity Awareness Month

The Cybersecurity & Infrastructure Security Agency has been recognizing October as Cybersecurity Awareness Month for more than 20 years. Their website offers a host of resources including a toolkit for staying safe online. Be sure to check out their video, “Nine Ways to Stay Safe,” which recommends, among other steps, using strong passwords, updating software, turning on multifactor authentication, and backing up data.

To report a cyber incident or suspected cyber incident, use their online form at: cisa.gov/report.
