As Chapman’s Chief Information Security Officer, I know summer on campus has its own rhythm: a little more breathing room, a chance to catch up, and maybe even a slightly less crowded calendar.

At Chapman University, that seasonal slowdown is real. Unfortunately, it’s also something cybercriminals know how to use to their advantage.

When campus activity eases up, attackers often look for opportunities in quieter inboxes, out-of-office replies, and moments when it is harder to quickly verify an unusual request.

Why Summer Is Quietly Risky

Summer doesn’t create new security problems. It just gives old ones a better opening. 

  • More out-of-office messages
    Helpful for colleagues, but also helpful to attackers trying to see who’s away and who they might impersonate. 
  • Fewer people available to verify requests.
    That “quick check” gets harder when teammates are out, or schedules are lighter. 
  • Greater reliance on fast decisions.
    Moving quickly is helpful, but this is also when a short pause can make all the difference. 

What to Watch For 

Attackers don’t usually need new tricks; they just need good timing. 

A few common summer scams seen across higher education include: 

  • Quick favor” emails appearing to come from someone who’s out of office.
  • Urgent payroll or direct-deposit change requests.
  • Package delivery alerts while traveling or expecting shipments.
  • Vendor or invoice requests during lighter staffing periods.

If something feels even a little off, or oddly urgent, it’s worth taking a second look. 

Your 3-Minute Summer Security Tune-Up 

No training session needed, just a quick reset on a few basics. 

1. Pause on urgency

If a request involves money, passwords, or sensitive information, it’s worth slowing down for a moment. 

Most legitimate requests can handle a short pause.

2. Verify outside of email

For requests involving: 

  • Payroll or direct-deposit changes 
  • Gift cards 
  • Financial transactions 
  • Sensitive or restricted data 

Use a known phone number, Teams message, or in-person check to verify—rather than replying to the email or searching online for contact information.

3. Keep out-of-office replies simple

Avoid sharing: 

  • Detailed schedules 
  • Internal roles or escalation paths 

For replies going outside Chapman, “Out of office, back next week” is usually all you need. 

4. Report anything suspicious

If something doesn’t look right, report it. 

Use the Report Phish button in Outlook or forward the message to Chapman’s Information Security team at abuse@chapman.edu. 

Best case, it’s nothing. Better case, it helps protect someone else. Either way, reporting is always the right move, and there’s no penalty for sending something that turns out to be harmless. 

A Quick Reminder 

Most cyberattacks don’t start with highly sophisticated tools. 

They rely on: 

  • Being helpful 
  • Acting quickly 
  • Trusting familiar names 
  • Not wanting to slow things down 

Summer just makes those moments a little easier for attackers to find. 

Final Thought 

Enjoy the quieter pace—it’s well earned. Just remember, while campus may slow down a bit for the summer, attackers don’t. They’re still at it, now often with AI tools, and likely a calendar that’s less crowded than most of ours. Wishing you a restorative summer, a little more breathing room, and ideally fewer suspicious emails requiring your attention.


Stay safe, stay vigilant!
Keith Barros
Chief Information Security Officer (CISO)