Phish Food: Could Out of Office Messages Be Dangerous?
February 27, 2018 by Bill Rosenthal

Email login hooked by fishing line

Out of office messages have become an integral part of modern day vacation preparation. After all, who wants to have irritated customer calling your cell phone to find out why their email has been ignored? Most people will write something like:

“Thank you for your email! I am currently out of the country on a cruise until the 20th of March. Please forward your accounting questions to Lisa ( in Accounts Payable or general inquiries to Adam ( Thanks, Joe. “

That doesn’t seem so dangerous, right? Unfortunately, that is incorrect. A simple out of office message can become the perfect tool for phishers – phish food, if you will. With a little creativity and some confidence, a crafty “phisherman” can create a believable message to Lisa in Accounts Payable in regards to getting a wire transfer or account pay off that needs to be done before Joe returns from his cruise. 

The main issue behind this kind of seemingly innocent, but rather dangerous behavior is that too many companies are making cybersecurity a “technology only” issue when the human part of the equation is equally (or more) important. Cyber criminals are going to target your employees and users because they know that people are typically the weak link in a company’s cybersecurity strategy.

How can companies address this problem? 

  • Enforce company-wide training. – From human resources to accounting, every employee needs to be trained as the first line of defense that your organization has against cyberthreats. They must know how to identify a potential threat, how to respond to these incidents, and what they should do if an attack does happen.
  • Remind employees of the strategies in place. – Even the most vigilant employees can suffer from momentary forgetfulness or a lapse in judgement. Make sure that organization’s cybersecurity practices are distributed company-wide and that they are easily accessible for future reference. Try offering practical tips and reminders around the office or via email campaign to keep security on everyone’s mind.
  • Offer positive reinforcement and motivation. – Try to keep employees driven and happy to participate with a bit of motivation. By offering prizes or praise for things like reporting suspicious emails to IT or security or completing training, your employees will want to stay engaged and will likely remember the information better. 

With our CyberSec First Responder™ and CyberSAFE™ training and certification, every employee can help make sure that your company does not become “phish food.” Learn more about our training programs by contacting Logical Operations today.