Why cyber risk becomes a hotspot over summer

Things tend to feel calmer in the summer, even if they aren’t. There are fewer emails and meetings but more people on annual leave. And threat actors know it.

The truth is that, when it comes to breaching your company’s systems, an opportunist doesn’t need your systems to fail. What they really need are just three things:

People to be slightly harder to reach than usual

Processes people rely on to slow down

Checks to feel less certain¹

In summer, they get all three.

Most businesses wouldn’t simply change the way their systems run over summer, even if the way they’re used does change.

With more people on annual leave, authority is often delegated and approvals can take longer². That has an impact on the financial side of things. It’s not unusual for payments, access requests or queries from suppliers to be handled by people who wouldn’t usually handle them.

Microsoft’s threat intelligence systems have observed something very interesting about these mellower periods. They’ve noticed that hackers will time their attacks for periods when people at work are distracted or out of their usual routine³. Because that gives suspicious activity its best chance of going undiscovered.

As is true across the board, when fraud is successful, it’s usually because of a mistake someone made, not a chink in their cyber defence⁴.

Think about phishing emails, payment diversion requests and impersonation attempts. All of these things rely on a sense of urgency, familiarity and authority⁵ – all of which are much more effective when you can’t quickly double-check something with a colleague. Research done into the psychology behind phishing shows that authority bias is one of the strongest weapons attackers use⁶.

Out-of-office messages don’t help. We all put them on when we’re away from the office for a good amount of time, but they tend to contain quite a bit of detail that can tell the wrong people exactly when someone isn’t at their desk and who’s replacing them in the meantime. It’s no wonder that OOO replies have been continually linked to impersonation attempts during the holiday periods⁷.

It’s not that employees suddenly get careless during the summer. It’s that the usual checks they casually rely on are more staggered – or not there at all.

To keep things moving when it comes to payment and approval processes, it’s normal for teams to create temporary workarounds: things like delegated sign-offs, email-based approvals and even some manual overrides⁸. There’s nothing wrong with this – most of the time, it’s not only pragmatic but necessary.

The problem is that this is exactly the sort of space that payment diversion fraud thrives in⁹. As we mentioned before, invoice redirection and business email compromise don’t usually rely on breaking controls, but getting people to go around them¹⁰. It doesn’t take much – a polite change-of-details email with a slightly urgent tone, ensuring the request feels routine enough that it isn’t questioned.

Most organisations won’t adapt their security controls for the summer, even though the way employees use these systems does change.

There might be fewer people monitoring the cyber side of things, while people are logging in from unfamiliar places, using hotel Wi-Fi, working on the move, or accessing systems at odd hours.

From a security point of view, this can create problems in the form of more ‘unusual but legitimate’ behaviour. And when everything looks slightly unusual, genuinely risky, illicit activity is easier to miss¹¹.

So while the technology hasn’t suddenly become weaker, the conditions have become much more favourable for threat actors.

Fraud is costly, and it’s easy to focus on that, but it’s rarely the hardest part.

If an incident happens at your business over the summer, it’ll likely be a lot more disruptive, because it takes longer to get a response from anyone and people are on leave. So, the actions you’d normally take to remediate things happens over a longer frame of time, and your business ends up dealing with regulators and insurers when your capacity is already stretched¹².

That’s why planning matters. Don’t worry, you don’t need to lock everything down until September. You just need to be very clear on your company’s processes during the summer so that there are clear rules for them to follow, like guidance on what never changes (even during cover periods) and a clear route for them to escalate anything that doesn’t feel right.

When those basics are clearly laid out, there’s less uncertainty – and uncertainty is what gives fraud the best chance¹³.

The information contained in this article is for general information purposes only. It does not constitute legal or other professional advice and cannot be relied upon as such. Should you have any queries, we recommend that you consult the appropriate professional adviser. The links provided in this document are for reference only. Please note that we are not responsible for the content of any linked site.

Sources:

1. https://www.ncsc.gov.uk/guidance/phishing

2. https://www.gov.uk/government/collections/cyber-security-guidance-for-business

3. https://www.microsoft.com/en-gb/security/security-insider/threat-landscape/holiday-cyber-risks

4. https://ico.org.uk/about-the-ico/research-reports-impact-and-evaluation/research-and-reports/learning-from-the-mistakes-of-others-a-retrospective-review/phishing/

5. Phishing | NI Cyber Security Centre

6. Exploring Susceptibility to Phishing in the Workplace - the University of Bath's research portal

7. https://stopthinkfraud.campaign.gov.uk/

8. https://www.gov.uk/government/collections/cyber-security-guidance-for-business

9. https://www.ukfinance.org.uk/policy-and-guidance/reports-and-publications/annual-fraud-report-2025

10. NCSC_BEC_Guidance.pdf

11. Detection practices | National Cyber Security Centre

12. https://www.fca.org.uk/news/news-stories/firms-strengthen-anti-fraud-systems-must-treat-victims-fraud-better

13. https://www.ncsc.gov.uk/collection/incident-management