Business Email Compromise (BEC): Security Risks from your ‘Out-of-Office’ Reply

4 min readApr 4, 2020


Editor’s Note: This story originally was found on the Agari Email Security blog.

By Armen Najarian

As if coronavirus hasn’t put enough of a damper on vacation schedules this spring, corporate employees taking time off might want to rethink their “out of office” email settings for fear a different threat: Business Email Compromise (BEC) scams.

Sure, the temptation to share humorous details about your big spring adventure can be irresistible for a certain species of corporate denizen (especially my own genus, marketing). And yes, customers, partners, and colleagues appreciate auto-replies with contact details for co-workers handling your duties while you’re out.

But the information you provide in those messages can actually create a number of security risks.

Phishing, BEC, and other advanced email attacks targeting businesses increasingly rely on impersonating legitimate employees. And you’d be surprised how the information gleaned from out-of-office emails during sick days or vacations can be used to pull off scams.

The cost to your organization can be jaw-dropping. BEC scams alone lead to $700 million in business losses each month — $26 billion just since June of 2016, according to the FBI.

An ‘Out of Office’ Bonanza for BEC Rings

Think about it. While out-of-office replies assure people that you aren’t ignoring their emails, they also provide cybercriminals with valuable intel.

For one thing, they validate your email address. When you have an out-of-office email on auto-respond, that reply is sent to everyone who sends you an email — including email fraudsters collecting information about you or your organization.

Out-of-office messages also hand over the design and formatting of your company’s email signatures, as well as contact information for potential targets. All too often, they include specific details that can be used to impersonate you during your absence — including how long they can get away with it.

By exploiting our innate desire to help (or avoid upsetting) those we believe to be a trusted colleague or boss in need, these con artists can turn a simple email asking for “a big favor while I’m out” into a goldmine.

An admin listed in your auto-reply, for instance, can be targeted in gift card rackets. Other employees with access to sensitive systems or data can be tricked into making payroll diversions, emailing staff W-2 information, wiring payments for bogus expenses, or revealing login credentials to email accounts or other mission-critical systems.

Phishing: The First Cut’s Never The Deepest

If perpetrators manage to infiltrate even a single employee email account as part of these schemes, they gain access to all of the account owner’s contacts, as well as archived and ongoing email conversations (including out-of-office messages from colleagues, customers, and others) that can be mined for far more remunerative attacks.

In some cases, fraudsters can move laterally through an organization, pirating more email accounts on their way to accessing systems housing valuable customer data, IP, or business strategies.

More than 90% of all corporate data breaches are believed to involve a malicious email somewhere along the way, according to the 2019 Verizon Data Breach Investigations Report. And Ponemon Institute estimates that each breach now costs companies an average $8.2 million per incident.

The Answer: Training and Technology

There are steps organizations can take to help mitigate the risk of falling victim to these and other advanced email attacks.

Some cloud-based email platforms allow users to set up one auto-reply message for external recipients that excludes sensitive information, and another for internal recipients that’s more detailed, for instance. Or employees can email appropriate parties ahead of an absence, providing them with contacts and other information they may need while the employee is out.

But I’m not under any illusion that these measures are enough on their own. They won’t, for instance, protect against malicious emails launched from compromised email accounts belonging to trusted colleagues, outside suppliers, or customers. And it’s not like out-of-office details are the only kinds of information cybercriminals collect and weaponize in email scams targeting your company.

Businesses should train employees to recognize malicious emails by using actual new attacks as part of phishing simulation training. They should also implement advanced phishing and BEC security to prevent deceptive emails from even reaching the inbox in the first place.

Avoiding the Post-Vacation Blues

According to the FBI, BEC attacks now account for half of all losses from cybercrime. And data in our latest trends report shows 31% of all BEC attacks impersonate specific individuals, up from just 12% during the first half of 2019.

Proper training and technologies can help employees prevent falling victim to email scams that impersonate people we know and trust. But we could all also be more careful about what we share in our out-of-office emails. Especially those of us in marketing.

For more about BEC scams and other advanced email threats, download the Q1 2020 Email Fraud Trends and Identity Deception Report from Agari.




Agari is the Trusted Email Identity Company™, protecting companies and people from phishing and socially-engineered email attacks.