Accessibility Tools
Skip to main content
Business chair with out of office sign

Out-of-Office Attacks: How Scammers Exploit Your Absence

29 September 2025

When you set an out-of-office reply, you’re signalling more than just “I’m away.” Attackers are actively using this information to launch a scam known as the out-of-office attack, one of the most common and preventable forms of social engineering today. Understanding how this scam works and how to defend against it is crucial for protecting yourself and your organization.

What is an Out-of-Office Attack?

An out-of-office attack happens when someone identifies that a boss or employee is away from work. Scammers then pretend to be either the boss or a team member, using that authority to trick the employee or owner into doing something they normally wouldn’t. They may request urgent actions like transferring money, buying gift cards, or picking up items on behalf of a boss. Even small amounts, like $50 gift cards, can add up across multiple targets, making this scam both common and highly preventable if proper safeguards are in place.

What’s New

Out-of-office attacks have changed and not for the better. Previously, attackers primarily pretended to be the boss and sent requests to staff. Now, scammers are getting more sophisticated: they are calling the actual boss—sometimes at conferences, meetings, or while traveling—and pretending to be a staff member. A large part of this attack is the setup.  The auto-reply signals that you are a potential target.  This allows them to gather real-time information about your organization, upcoming events, or financial processes. With this added layer, they can craft more convincing requests that are harder to detect. Awareness of these new tactics is critical to staying ahead of attackers.

How AI Makes the Attack Easier

Modern attackers are leveraging AI to automate the process. AI tools scan for out-of-office replies, building a list of who is away and when. Once targets are identified, attackers map the organization to figure out reporting relationships. This allows them to impersonate a boss or a colleague and exploit the trust and urgency typically associated with these roles. With awareness and simple verification steps, these attacks can be stopped before any damage occurs.

Real-World Example

Chris shared a story about a staff member who was on vacation, stepping off a ski lift, having just finished texting with their boss. The boss had wished them a great weekend and said they would only be contacted if something urgent came up.

Shortly after, the staff member received a text requesting the vacationing staffer buy multiple gift cards for an important upcoming event. At first, it seemed like a legitimate work request. The attacker was counting on the staff member to act quickly so they caused the least amount of disruption to their vacation. The scammer was taking advantage of the vacation and the timing.

Instead of immediately responding, the staff member picked up the phone and called their boss. While they were verifying the request, the attacker sent a follow-up email providing an address to deliver the cards. Because the staff member was already in touch with their boss, the scam attempt was immediately recognized and stopped.

Chris used this example to show that

even under pressure and in unexpected situations, taking a moment to verify can completely prevent an attack.

Why Email and Text Are Risky 

Emails and texts are convenient but dangerous for urgent financial matters. Staff often prioritize messages over in-person verification, and attackers know this. The societal tendency to respect authority makes employees less likely to question instructions, especially when they seem urgent or official. By treating these channels cautiously and requiring verification, the risk can be largely eliminated.

Practical Defenses

Here are proven ways to prevent out-of-office attacks and protect yourself and your team:

  • Verify requests by voice: Any financial or sensitive request should be confirmed via phone or an official channel. Although deep fakes are making voice harder to authenticate it's an important step just not the only one.
  • Use security words or passphrases: Agree on phrases between staff that must be used for any transaction. Be sure to change these sporadically especially if someone leaves or is terminated.
  • Route communication through central channels: If someone is unavailable, all requests should go through a switchboard or main office.
  • Avoid detailed out-of-office messages: Minimize the information that can be exploited, such as exact locations or dates away.
  • Empower staff to question authority: Policies should allow employees to verify instructions, even from senior staff.
  • Slow down decision-making: Urgency is a key tactic for scammers. Giving yourself time reduces their chance of success.
  • Train your staff to spot fakes: Teach them to look for red flags like unusual wording, unexpected channels, or requests for gift cards or money. By giving staff clear guidance and a verification process, you reduce the risk of social engineering attacks while keeping operations running smoothly.

Out-of-office attacks are a growing threat, but they are highly preventable with awareness, verification, and internal policies. Recent trends, like attackers calling the boss while pretending to be staff, highlight the need to stay vigilant and update procedures. Treat any unexpected request for money or sensitive information with skepticism and always validate through official channels. Protecting yourself is as much about mindset as it is about tools.

Ready to get serious about security? See how we’re different.

You must login to post a comment.
You are a guest ( Sign Up ? )
Loading comment... The comment will be refreshed after 00:00.

Be the first to comment.

This content was generated with the help of ChatGPT and carefully reviewed for accuracy and clarity by our team.