FLR Spectron

How Your Automatic Out-of-Office Email Could Enable a Phishing Attack


August 11, 2025 - News

The summer slowdown is a busy time for cybercriminals. While your team sets their out-of-office replies and heads off for a well-earned break, attackers are watching closely, and many automatic messages give them exactly what they need.

These short replies are meant to be helpful. But when they reveal names, job roles, absence dates or contact details, they can quietly open the door to phishing scams, impersonation, and fraud. What looks like polite business etiquette can, in the wrong hands, become a blueprint for attack.

At a time when phishing and Business Email Compromise (BEC) scams continue to rise, businesses cannot afford to overlook the risks hidden in everyday communication.

“Attackers don’t always need to breach a system. Often, they just need the right name, the right timing, and a believable message. Out of office replies make that easier than most people realise,” says Kamran Bahdur, our Chief Information Officer. 

5 Ways Out of Office Messages Create Openings for Attackers

Out of office replies seem harmless, but they can quietly introduce serious cyber risks. Below are five ways these automatic messages can be exploited:

  1. “I’m away until…” helps hackers pick their moment
    A message that says someone is away until 19 August removes a layer of protection. Suspicious activity, such as login attempts or urgent payment requests, is more likely to go unnoticed. Colleagues may also act on messages without waiting for confirmation, especially if urgency is implied.
  2. Naming colleagues gives scammers someone to impersonate
    When staff include a deputy’s name and contact details, they unintentionally give attackers someone else to mimic. A fake message from that person is more likely to succeed if the recipient has just seen their name in a trusted reply.
    This tactic is often used in fraud scenarios, including false invoices, payroll redirection, and fake document sharing.
  3. Job titles reveal how your organisation works
    Out-of-office replies that include job titles, teams, or reporting lines help attackers map how the business works. This makes it easier to identify who to spoof, who holds approval authority, and how requests typically flow.
    “You would never publish your internal hierarchy to the public. But out of office replies often do just that,” adds a senior consultant from FLR Spectron.
  4. Your email format tells them who else to target
    Replying from a structured address like firstname.lastname@company.com confirms the format is valid. Attackers use this to guess other email addresses or create fake domains that closely resemble your own. If your message also includes signatures or internal language, that can further aid a spoof.
  5. Internal tone makes fake emails harder to spot
    Out-of-office messages that reflect internal style, naming conventions, and tone can make it easier for attackers to construct fake messages that pass as authentic. This is especially dangerous for organisations handling payments, logistics, or supplier communications where trust is assumed.

What not to include in your out of office reply

Avoid sharing:

  1. Specific dates of absence
  2. Personal travel details or reasons
  3. Names or contact details of colleagues
  4. Job titles or structural references
  5. Personal mobile numbers or private addresses

Use neutral language such as:
“I am currently unavailable. For urgent matters, please contact our main office inbox.”

Where to share availability instead

The right people need to know who is off, but that information should always remain internal. Your colleagues may still need to know when you're away, especially in collaborative roles. If that's the case, share it through one of the following channels instead of an external auto-reply:

  1. Shared calendars (restricted to internal access)
  2. HR platforms or leave-tracking tools
  3. Slack status updates or internal scheduling systems

These options keep availability clear without exposing details externally.

Make it policy, not personal

Too often, out-of-office replies are written casually or left to individual judgment. But they are still external communications, and they carry the same risk as any public-facing message.

“Out of office replies often get written quickly and forgotten, but they are still external communications. That means they need to be treated with the same care as anything else that leaves your organisation. If you allow people to write their own replies without guidance, you’re creating an inconsistent message and an unnecessary risk. Set a simple template, keep the content neutral, and make reviewing those settings part of your regular security hygiene,” says Kamran Bahdur, our Chief Information Officer. 

An automatic reply should confirm absence. That’s all. If it shares more than that, it’s doing too much.

If your teams are setting auto-replies this summer, now is the right time to review what they’re saying and who might be reading them.
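One way to make that review part of routine hygiene is to lint the external auto-reply text against the "avoid sharing" list above before it goes live. The script below is an added example written for this article, not a tool from FLR Spectron: it uses simple regular-expression heuristics (constructed here, and deliberately conservative rather than exhaustive) to flag absence dates, travel details, named colleagues, job titles, personal email addresses and phone numbers, and it accepts an allowlist of approved shared mailboxes so a generic office inbox can still be named. The sample replies are constructed for the example.

```python
import re

# Heuristic patterns for the categories the article says to keep out of an
# external auto-reply. These are constructed for this example, not an
# exhaustive detector; tune them to your own naming and date conventions.
MONTHS = (
    r"January|February|March|April|May|June|July|August|September|"
    r"October|November|December"
)
RISK_PATTERNS = {
    "absence dates": re.compile(
        r"\b(?:until|back on|returning on|from|between)\s+"
        r"(?:\d{1,2}(?:st|nd|rd|th)?\s+(?:" + MONTHS + r")"
        r"|\d{1,2}[/.-]\d{1,2}(?:[/.-]\d{2,4})?)",
        re.IGNORECASE,
    ),
    "travel details": re.compile(
        r"\b(?:holiday|vacation|travelling|traveling|abroad|on leave in|flight)\b",
        re.IGNORECASE,
    ),
    # "please contact Jane Smith" -> a named deputy an attacker could impersonate
    "named colleague": re.compile(
        r"\bcontact\s+(?:my colleague\s+)?([A-Z][a-z]+\s+[A-Z][a-z]+)"
    ),
    "job titles": re.compile(
        r"\b(?:head of|director|manager|chief \w+ officer|CFO|CEO|CIO|"
        r"finance team|payroll|accounts payable)\b",
        re.IGNORECASE,
    ),
    "colleague contact": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone numbers": re.compile(r"\+?\d[\d\s().-]{8,}\d"),
}


def audit_auto_reply(text, approved_contacts=()):
    """Return a list of (category, matched_text) findings for an auto-reply.

    approved_contacts: shared mailboxes (e.g. a main office inbox) that may
    appear in an external reply without being flagged as a colleague's address.
    """
    approved = {addr.lower() for addr in approved_contacts}
    findings = []
    for category, pattern in RISK_PATTERNS.items():
        for match in pattern.finditer(text):
            snippet = match.group(0)
            if category == "colleague contact" and snippet.lower() in approved:
                continue
            findings.append((category, snippet))
    return findings


def is_safe_for_external_use(text, approved_contacts=()):
    """True when the reply discloses nothing from the article's avoid-list."""
    return not audit_auto_reply(text, approved_contacts)


# Constructed sample replies for the demonstration.
RISKY_REPLY = (
    "Hi, I'm on holiday in Spain until 19 August with no access to email.\n"
    "For urgent invoices please contact Jane Smith, Head of Finance, at "
    "jane.smith@company.com or on +44 7700 900123."
)
NEUTRAL_REPLY = (
    "I am currently unavailable. For urgent matters, please contact our "
    "main office inbox."
)
SHARED_INBOX_REPLY = (
    "I am currently unavailable. For urgent matters, please contact "
    "office@company.com."
)

if __name__ == "__main__":
    for label, reply in (("risky", RISKY_REPLY), ("neutral", NEUTRAL_REPLY),
                         ("shared inbox", SHARED_INBOX_REPLY)):
        findings = audit_auto_reply(reply, approved_contacts=("office@company.com",))
        print(f"{label}: {'OK' if not findings else 'REVIEW'}")
        for category, snippet in findings:
            print(f"  - {category}: {snippet!r}")
```

Run it against a proposed reply before it is enabled; anything flagged should be moved to an internal channel (shared calendar, leave tracker, chat status) or dropped. The allowlist is the one deliberate exception: a generic shared mailbox is a safer contact point than a named deputy, which is exactly the substitution the article recommends.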

Final word

Out of office replies are helpful, but they can also be risky. When they include too much detail, they hand attackers the tools they need to impersonate, mislead, and bypass normal checks.

At FLR Spectron, we help organisations close the security gaps created by everyday habits. From phishing resilience to secure communication practices, we support businesses that want to stay protected without slowing down how they work.
