The dangers of out-of-office auto replies

A simple Out-of-office note to your customers and suppliers can make your business a target for cyber criminals


As your employees turn off their computers for the Christmas holidays, many of them will set their email to the automatic ‘out-of-office’. It’s simply meant as a friendly note to your customers and suppliers – but did you realise it can make your business a target for cybercriminals?

Ahmereen Qadir, an Associate Director in KPMG’s Cyber Security team, explains why, along with some other pre-holiday tips.

The silly season

The silly season is a notoriously busy time for everyone, and that includes the cybercriminals. Phishing attacks typically increase in the lead-up to Christmas, as attackers take advantage of the spike in online shopping and other transactions.

As well as the threat to personal finances, it’s also a risky time for many businesses. With key staff away on holiday, cybercriminals are looking to exploit any weaknesses in their security.

Even the innocent ‘out-of-office’ email reply can leave your business vulnerable to a ‘spear phishing attack’. (While a phishing attack is usually sent to thousands of people, a spear phishing attack targets a specific person – usually those who have the ability to authorise payments, or transfer money from the business).

Where’s the harm?

Let’s describe a typical out-of-office for the holiday period. It might say something along the lines of ‘I’m on holiday until such-and-such date in January’. It might also include the employee’s mobile number, in case of an urgent enquiry. Lastly, the email will often provide the name and details of someone who will be covering for them while they’re away.

While this seems innocent enough, it’s exactly the type of information a cyber-criminal would be looking to gather for a spear phishing attack.

As part of their research, they may also check your activity on Facebook, to track where and how long you’ll be on holiday. 

Who’s holding the fort?

Over the holiday period, it’s particularly important to strengthen the protocols in your accounts department, and for any employee who has authority to approve payments or orders.

A common scam is where the cyber-criminal poses as a vendor or supplier to the business, and targets those with authority to make payments. Having received the out-of-office details, the criminal may then contact the replacement colleague and claim there were arrangements in place, either for a payment to be made or for some other transaction.

There are a number of ways that a less experienced employee can be pressured into making a fraudulent payment. For instance, the scammers may send a ‘please pay this’ email that appears to come from the boss. Or they may hold a real invoice that your business is expecting: ‘fake invoicing’ is where the scammers compromise a business’s email account, alter the invoices (typically the bank account details) and then send them on to customers.

Taking precautions

Attackers may be waiting for the right time to strike – when a staff member is away on holiday or overseas, before they send their fake payment request.

Before you head off for the holidays, ensure that all staff are trained to recognise suspicious emails. And make sure your usual payment protocols will be followed, such as purchase orders, two-person authorisation, transfer thresholds, and verbal verification with a known contact.

Some other tips:

  • Be wary of any creditor who is demanding payment just prior to Christmas, or who claims payment was pre-arranged by another staff member.
  • Always verify the bank account you’re paying into. Never, ever follow an instruction that ‘we’ve changed our bank account’ without taking all steps to verify it.
  • When you need to respond to a supplier about a payment, forward the email rather than hitting reply, and type in the supplier’s genuine address from your own records. A reply goes wherever the sender’s Reply-To header points, which may not be the address you think you’re writing to.
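The reason the last two tips matter is that the visible sender of an email proves nothing: the display name, the From address and the Reply-To address are all under the sender’s control. The following is an added example, not code from KPMG or from the original article, showing the three checks an accounts team (or a mail filter) can run on a payment request: does Reply-To divert replies to a different domain, does the display name match a known colleague while the address is external, and does the body carry ‘we’ve changed our bank account’ or ‘this was pre-arranged’ pressure. The organisation domain, the staff directory, the supplier address book and both sample messages are constructed for the example.

```python
"""Checks for the spear-phishing tells described above, run over a
constructed sample email.  All names, domains and addresses are
hypothetical and chosen for illustration only."""

import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr
from typing import List, Optional

# Assumed organisation domain and a directory of senior staff whose names
# attackers might borrow (display name, lower-cased -> real address).
OUR_DOMAIN = "example.com"
KNOWN_STAFF = {
    "jane doe": "jane.doe@example.com",
}

# Assumed address book of suppliers we actually do business with.  This is
# what the 'type the genuine address yourself' tip relies on: the address
# comes from our records, never from the message we are responding to.
SUPPLIER_BOOK = {
    "acme widgets": "invoices@acme-widgets.example.net",
}

# Body phrases that, in a payment request, warrant a phone call before paying.
PRESSURE_PATTERNS = [
    r"chang(ed|e of) (our )?bank (account|details)",
    r"new (bank|account) details",
    r"(pre-?arranged|already agreed|already approved)",
    r"before (christmas|the holidays|end of (day|year))",
]


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw: str) -> List[str]:
    """Return a list of human-readable findings for a raw RFC 5322 message.
    An empty list means none of the three checks fired."""
    msg = Parser(policy=policy.default).parsestr(raw)
    findings: List[str] = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))

    # 1. A Reply-To on a different domain sends your reply somewhere other
    #    than the address you can see.  This is why 'forward, don't reply'.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append(f"reply-to diverts to {reply_addr} (From is {from_addr})")

    # 2. Display name of a known colleague, but the address is not theirs.
    known = KNOWN_STAFF.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        findings.append(f"display name '{from_name}' impersonates {known} from {from_addr}")

    # 3. Bank-change or 'pre-arranged' pressure language in the text body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for pattern in PRESSURE_PATTERNS:
        if re.search(pattern, text, re.IGNORECASE):
            findings.append(f"pressure language matched: /{pattern}/")

    return findings


def genuine_address(claimed_supplier: str) -> Optional[str]:
    """Look up the supplier in our own records, ignoring the message headers.
    None means we hold no address: phone the supplier on the number on file."""
    return SUPPLIER_BOOK.get(claimed_supplier.strip().lower())


# Constructed sample: a lookalike sender borrowing a director's name, a
# Reply-To on yet another domain, and the classic bank-change pressure.
SUSPICIOUS = """\
From: Jane Doe <jane.doe@example-mail.net>
Reply-To: j.doe.personal@example.org
To: accounts@example.com
Subject: Urgent: supplier payment while I'm away
Content-Type: text/plain; charset="utf-8"

Hi, while I'm on leave please pay the attached invoice today.
We've changed our bank account, new details below. This was pre-arranged with Bob.
"""

# Constructed sample: a routine internal message that should pass cleanly.
ROUTINE = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Invoice 1042
Content-Type: text/plain; charset="utf-8"

Hi, attached is the invoice for the November work, per the purchase order.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("routine", ROUTINE)):
        print(label, check_message(sample))
    print("ACME Widgets ->", genuine_address("ACME Widgets"))
```

The checks are deliberately simple and will miss a message sent from a genuinely compromised mailbox (where From, Reply-To and the body all look right), which is exactly the ‘fake invoicing’ case above. That is why the final control is not in the mail at all: a phone call to the supplier on the number already in your records before any change of bank details is acted on.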

Don’t over-share

To sum up, it’s a good idea to review what you’re currently sharing online.

For instance, if you have a LinkedIn profile, it reveals where you work, what your role is, and who your contacts are. Some people also include their email and phone number, or list them elsewhere, such as on their company website. You may also be advertising your whereabouts, including where and when you’re on holiday, via Facebook. If a cybercriminal decides to target you, that’s a lot of information already at their disposal.

Before you hit enter, think carefully about the kind of information you’re providing, and keep the details to a minimum.

KPMG Enterprise can also help you with all other aspects of your IT planning, set-up and cyber-security. To find out more please contact your KPMG advisor or your local KPMG office.

© 2021 KPMG, a New Zealand Partnership and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.
