Threats 101
Maya Pattison
Dec 2016

Are Your Employees’ Holiday Plans Putting Your Business at Risk for Phishing Scams?

Photo by Source


Today, ransomware is delivered by 97% of phishing emails. Combine that with our recent survey findings that 1 in 5 organizations have suffered a successful phishing attack, and it’s not surprising that phishing scams are keeping IT pros up at night. All year, organizations have worked hard to train their employees to avoid clicking on bad links and avoid clever scams, but now that people are signing off for the holidays there’s one simple habit that might be putting your company at greater risk without you realizing it. Companies hoping to avoid phishing attempts this holiday season should encourage their employees to think twice before setting up an out-of-office (OOO) automated email.

It’s become common practice to set up an OOO email alert when you plan to be away from work for an extend period of time. The majority of us don’t put too much thought into these messages, which typically include the dates we’ll be gone and contact info for a coworker people can get in touch with while we’re away. Unfortunately, that’s exactly the type of information cybercriminals love to come across. It provides them with everything they need to create a highly effective spear phishing email.

Here’s an example of a typical OOO email and cybercriminal jackpot:


Why is this such a jackpot? For example, a cybercriminal can pull information out of your email, pretend to be you, reach out to your manager (who you named and provided contact information for in your OOO alert), say you lost you computer and that they need a document reviewed. By knowing the managers name, the dates of the vacation, and some other person information found around the web, the criminal maybe able to trick the manager into opening the infected attachment. This effectively gives the criminal access to a system without having to break in. You handed them the keys to the house.

To avoid oversharing in OOO emails, encourage your users to:

  • Keep OOO emails short
  • Don’t provide insight into chain of command (who your supervisor is)
  • Avoid providing email addresses for other people in the organization.
    • In line with this precaution, KnowBe4 offers a free tool The Email Exposure Check that allows you to search for a list of your organization's exposed addresses and where they found them. The more email addresses that are exposed, the greater the risk for a successful phishing attack.
  • Avoid listing your exact length of vacation
  • If possible, configure your email so that different out-of-office replies are sent out based on whether the message is going to someone inside or outside your company.


Looking for more anti-phishing tips?

For additional tips on how to keep your employees from falling for phishing scams this holiday season and beyond, we created the Phishing FIeld Guide.  

Maya Pattison

Maya Pattison

Maya is the Director of PR at Barkly. She has a strong background in media relations, crisis communication and media training. When not at the office, Maya expresses her creativity through digital photography and abstract painting.


Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.