Why OOO Messages And New Employees Are Major Business Security Risks


Ed Bishop is CTO and Co-Founder at cybersecurity company Tessian.

Hackers don’t hack companies; they hack the people who work for them — the human layer of an organization. This might be one of the simplest yet most important statements about business security. Hacking humans often doesn’t require any advanced technology or special skills. Bad actors can find everything they need to trick an employee using an email account and some simple internet searching.

These kinds of social engineering attacks can be highly effective — just look at the Twitter hack in 2020. All it took were a few impersonations to trick Twitter employees and bring down one of the world’s most powerful social media sites. These kinds of attacks are on the rise, too. My company’s researchers saw a 15% increase in social engineering attacks over email during the last six months of 2020.

The more bad actors know about an employee, the more personalized and convincing their attacks will be. A recent Tessian report shed light on two human layer security vulnerabilities — out-of-office (OOO) messages and new employees. The data provides new insight into how companies can safeguard against these attacks.

Most people don’t think twice before creating an out-of-office email. In fact, Tessian’s survey of 4,000 employees found that 98% automate their OOO messages. But these email responses can be a gold mine for hackers looking to trick a colleague into sharing sensitive information, login credentials or money.

To start, many hackers will send a seemingly innocuous mass email to a company’s employees, such as a fake newsletter. These emails are designed to trigger OOO messages that provide valuable information, such as how long an employee will be gone, where they’re going and the contact information of a colleague.
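As an added defensive example (not code from the original article or from Tessian), the following detection logic runs over constructed outbound mail-log lines and flags an external address that collects a burst of automatic replies from many internal mailboxes within a short window, which is the footprint the mass "newsletter" probe described above leaves behind. The log format, the internal domain and the sample addresses are assumptions.

```python
"""Detect out-of-office (OOO) harvesting: one external sender whose mass mailing
triggers a burst of automatic replies from many internal mailboxes.
Added example; the log format and addresses below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com"  # assumption: the organization's own mail domain

# Constructed outbound mail-log lines: "<timestamp> <from> -> <to> | <subject>".
SAMPLE_LOG = """\
2021-03-08T09:00:12 alice@example.com -> news@promo-blast.example | Automatic reply: Spring newsletter
2021-03-08T09:00:15 bob@example.com -> news@promo-blast.example | Automatic reply: Spring newsletter
2021-03-08T09:00:19 carol@example.com -> news@promo-blast.example | Automatic reply: Spring newsletter
2021-03-08T09:00:22 dave@example.com -> news@promo-blast.example | Automatic reply: Spring newsletter
2021-03-08T09:01:03 erin@example.com -> partner@supplier.example | Automatic reply: Q1 invoice
2021-03-08T11:30:00 alice@example.com -> bob@example.com | Re: lunch
"""

def parse_line(line):
    """Split one constructed log line into (timestamp, sender, recipient, subject)."""
    ts, rest = line.split(" ", 1)
    addrs, subject = rest.split(" | ", 1)
    sender, recipient = addrs.split(" -> ")
    return datetime.fromisoformat(ts), sender, recipient, subject

def find_ooo_harvesting(log_text, min_replies=3, window=timedelta(minutes=10)):
    """Return {external_recipient: [internal senders]} for every external address that
    received auto-replies from at least `min_replies` distinct mailboxes within `window`."""
    replies = defaultdict(list)  # external recipient -> [(timestamp, internal sender)]
    for line in log_text.splitlines():
        ts, sender, recipient, subject = parse_line(line)
        if not subject.startswith("Automatic reply:"):
            continue  # only auto-replies matter for this pattern
        if recipient.endswith("@" + INTERNAL_DOMAIN):
            continue  # auto-replies to colleagues are expected, not leakage
        replies[recipient].append((ts, sender))
    flagged = {}
    for recipient, events in replies.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct internal mailboxes that replied within `window` of this event.
            senders = {s for t, s in events[i:] if t - start <= window}
            if len(senders) >= min_replies:
                flagged[recipient] = sorted(senders)
                break
    return flagged
```

A hit on this check is a cue to review what the affected mailboxes' OOO texts disclose and to restrict external auto-replies, rather than proof of an attack on its own.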

These details are the raw material for a convincing email scam. Imagine receiving this email from what appears to be your boss’s personal email: “Hey, I’m visiting my in-laws in Florida and forgot to invoice our consulting partner for the work they did last month. Can you process the attached, using the bank account details…