Cyber Rebels

Don’t Be the Reason Your Client Gets Hacked: Cybersecurity for Virtual and Personal Assistants


If you’re a Virtual Assistant (VA) or Personal Assistant (PA), your clients trust you with more than their diaries and emails.

You have access to inboxes, calendars, cloud storage, payment systems, social media accounts—sometimes everything that matters to how their business runs.

That trust is powerful. But it’s also exactly why you could be their biggest risk if cybersecurity isn’t on your radar.

This isn’t about blaming VAs and PAs. It’s about facing a truth most freelancers and assistants were never properly taught:

Hackers don’t need to go after your client directly if they can get to them through you.

This blog is here to change that.

Here’s how attackers would target you—and how you can make sure you’re never the reason your client gets hacked.

You’re Valuable—Because You’re Connected

From a cybercriminal’s point of view, Virtual Assistants and Personal Assistants aren’t just another target—they’re an ideal one.

You’re trusted to approve invoices, click links, download attachments, and manage day-to-day communication.

This level of trust creates opportunity—because if an attacker compromises your access, they inherit that same trust instantly.

You’re managing passwords, cloud drives, CRM systems, booking platforms, and payment gateways for your clients.

Every one of those platforms is a potential entry point, and you’re the one holding the keys.

You’re often working remotely, across different networks, devices, and locations.

This flexibility, while brilliant for clients, means security isn’t locked behind a single office firewall anymore. You’re carrying client access with you, wherever you go—and so are the risks.

You’re usually juggling multiple clients, platforms, deadlines, and tasks at once.

Attackers know busy people are less likely to double-check. They rely on speed, multitasking, and small assumptions to slip past you unnoticed.

And crucially—you’re connected to your clients’ social media accounts.

If a cybercriminal gets control of a Facebook or Instagram account, they’re not just stealing followers.

They can access connected advertising accounts, payment methods, and business pages, allowing them to run fake ads, redirect sales, and burn through thousands of pounds before anyone notices.

In short:

You’re connected to the data, systems, money, and reputations attackers care about most.

And you’re operating in an environment where one small mistake can unlock far more than just your own inbox.

Everyday Risks That Open the Door

You don’t need to be careless for something to go wrong.

You just need to be busy—and attackers know that.

Here’s where the real risks usually creep in:

1. Accidentally Sharing Access

When you’re under pressure, sharing a document quickly or forwarding an email chain feels harmless.

You just want to get things moving.

But every time you create an open link, forward a document to your personal inbox, or adjust sharing settings to “anyone with the link,” you’re expanding the circle of trust without realising it.

Open links can be guessed, intercepted, or accidentally shared further.

Personal inboxes often have weaker security settings than business accounts.

And forwarded email threads often include sensitive information attackers would love to find—like login details, invoice numbers, or private client notes.

Attackers aren’t always looking for passwords.

Sometimes they’re looking for small pieces of context they can use to craft better scams—or find easy ways into larger systems.

It’s not just about what you share.

It’s about how much control you lose once it’s outside secured channels.

Even one open link or forwarded file can be all they need.

2. Accepting Calendar Invites Without Question

Calendar invites are a staple for assistants. They land in your inbox all day, often attached to real meetings or new project schedules.

But attackers know that too—and they’ve started using fake calendar invites as a delivery method for malware or phishing.

It could look like a Zoom invite from a supplier.

Or a Microsoft Teams request for a “project review.”

Or a vague “updated meeting link” for a client.

Inside the invite could be a link to a fake login page—designed to steal your credentials—or an attachment that silently installs malware when opened.

Because it looks routine, you’re less likely to question it.

And because calendar invites often sync automatically with your apps and devices, a malicious link can spread faster than you think.

Unless you’re expecting the meeting—and you double-check where the invite really came from—you’re handing attackers a shortcut into your inbox and your systems.
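One way to run that double-check on an invite before accepting it, as an added example that is not part of the original post: this Python script unfolds an .ics invite, then lists any attachments and any links that go to hosts you were not expecting. The sample invite, the trusted_hosts and known_senders values, and the triage_invite name are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample invite (not from a real incident); the DESCRIPTION line is folded per RFC 5545.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "BEGIN:VEVENT\r\n"
    "SUMMARY:Updated meeting link\r\n"
    "ORGANIZER;CN=Client Accounts:mailto:accounts@client-example.test\r\n"
    "LOCATION:https://zoom.us/j/0000000000\r\n"
    "DESCRIPTION:Please sign in first: https://login.meeting-portal.exa\r\n"
    " mple/verify\r\n"
    "ATTACH:https://files.example/agenda.html\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

URL_RE = re.compile(r'https?://[^\s"<>\\]+')

def triage_invite(ics_text, trusted_hosts, known_senders):
    """Return the reasons to verify this invite with the sender before accepting it."""
    text = re.sub(r"\r?\n[ \t]", "", ics_text)  # undo line folding so split URLs are whole
    findings = []
    for line in text.splitlines():
        head, _, value = line.partition(":")
        name = head.split(";")[0].upper()
        value = value.replace("\\n", " ").replace("\\N", " ")  # escaped newlines in text fields
        if name == "ORGANIZER":
            # The organizer field is set by whoever sent the invite: a match is not proof.
            sender = re.sub(r"^mailto:", "", value.strip().lower())
            if sender not in known_senders:
                findings.append(f"organizer not in known senders: {sender}")
        if name == "ATTACH":
            findings.append(f"invite carries an attachment: {value}")
            continue
        for url in URL_RE.findall(value):
            host = (urlparse(url).hostname or "").lower()
            if not any(host == t or host.endswith("." + t) for t in trusted_hosts):
                findings.append(f"{name} links to unexpected host: {host}")
    return findings

if __name__ == "__main__":
    trusted = {"zoom.us", "teams.microsoft.com"}  # assumption: the meeting tools you actually use
    for reason in triage_invite(SAMPLE_ICS, trusted, {"accounts@client-example.test"}):
        print("CHECK:", reason)
```

An empty result only means nothing obvious stood out; an unexpected invite still deserves a message to the client through a channel you already trust.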

3. Shared Devices Without Proper Security

Using your own laptop or home tablet for client work isn’t unusual.

It’s flexible. It’s easy. It saves time.

But shared devices—those used by family members, housemates, or anyone outside of your business—introduce risks you can’t always control.

Someone else could install apps without realising they’re malicious.

They could visit compromised websites, download infected files, or accidentally approve dodgy browser extensions.

And if your device is logged into client accounts, cloud systems, or email platforms at the time?

That infection can move straight into your professional environment without you noticing.

Even simple things like “remember me” sessions or open tabs create opportunities.

Once a system is compromised, the attacker doesn’t need to “break in” again—they ride the access that’s already open.

4. Saving Passwords in Browsers or Notes Apps

Browsers like Chrome, Edge, and Safari make it easy to save passwords.

And at first glance, it feels safe—after all, it’s your device, right?

But here’s the problem:

Saved passwords are often stored locally on your machine, and if your laptop, tablet, or phone gets compromised—physically or digitally—attackers can extract those saved credentials in minutes.

They don’t even need to crack anything sophisticated.

Basic malware or simple password recovery tools can pull every saved login out of a browser vault without needing admin access.

If you’re managing client logins, payment systems, cloud storage, or social media accounts, saving those passwords inside a browser—or writing them into a Notes app—means you’re handing over keys to someone who doesn’t need to hack anything.

Once they’re in, they can access not just your accounts, but anything your clients trusted you to manage too.

The safer option?

Use a reputable password manager designed to encrypt your data properly—and don’t rely on built-in browser features to protect high-value logins.

5. Downloading Brand Assets or Templates from Random Sites

We all love a good shortcut—templates, calendars, content planners, logo mockups.

But free resources from random forums, public drives, or unverified websites aren’t just freebies.

They’re also common delivery vehicles for malware.

Attackers package malicious code inside files that look useful and clean—things you’d expect a VA or PA to download.

It could be buried in a Word doc, a spreadsheet macro, or a PDF template.

When you open the file, you trigger the hidden code—and you might not even realise it.

If you’re downloading outside of official sources, you could be installing malware on your device without clicking anything obviously wrong.

One bad template is all it takes.
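A quick check you can run on a downloaded Word or Excel template before opening it, as an added example that is not part of the original post: modern Office files are zip archives, and a macro-enabled one carries a vbaProject.bin part inside. The function names and the sample files built in memory are constructed for illustration.

```python
import io
import zipfile

# Signature of the legacy binary container used by old .doc/.xls/.ppt files.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

def triage_office_file(data: bytes) -> str:
    """Classify a downloaded Office template without opening it in Office."""
    if data.startswith(OLE_MAGIC):
        # Legacy files can hold macros too, but not in a form this check can see.
        return "legacy-ole"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n.lower() for n in zf.namelist()]
    if "[content_types].xml" not in names:
        return "not-ooxml"  # a zip, but not a Word/Excel/PowerPoint package
    if any(n.endswith("vbaproject.bin") for n in names):
        return "macro-enabled"
    # No VBA project found. This rules out macros only, not every other risk.
    return "no-vba-project"

def build_sample(with_macro: bool) -> bytes:
    """Build a constructed, minimal spreadsheet-like package in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_office_file(build_sample(with_macro=True)))
    print(triage_office_file(build_sample(with_macro=False)))
    print(triage_office_file(OLE_MAGIC + b"\x00" * 16))
```

Treat "macro-enabled" and "legacy-ole" as reasons to get the template from the official source instead; PDFs are not covered by this check.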

Real World Example: When an Assistant Got Caught Out

A freelance VA managing two client accounts received what looked like a shared Google Doc invite. It appeared to come from her client.

The document title was vague but believable: “Client Contract Updates 2024.”

She clicked. It asked her to log in again—a small glitch, she thought. She entered her credentials.

In doing so, she handed over her Google account password to an attacker.

Over the next two hours:

🔹 The attacker downloaded every file in her Drive.

🔹 They accessed two client folders containing contracts, financial data, and marketing plans.

🔹 They used the assistant’s account to send fake invoices to her clients.

The breach wasn’t spotted until days later—and it cost one client over £15,000 in reputational and legal costs.

All because she trusted something that looked routine.

How to Stop Being the Weak Link

The first step is recognising that cybersecurity isn’t about installing another app or ticking a few compliance boxes. It’s about how you behave day to day, especially when you’re busy.

That means slowing down before you click.

It means questioning calendar invites, even if they seem harmless.

It means treating password storage seriously, instead of relying on browsers or unsecured notes apps because it’s quicker.

It’s about being selective with where you download resources and templates—and not trusting a file just because it looks useful or comes from a friendly message.

The technical tools—password managers, antivirus software, secure sharing platforms—matter.

But what matters even more is building the habit of thinking critically before you react.

That’s the difference between a business that stays safe and one that gets caught out without even realising how it happened.

Cybersecurity isn’t about paranoia. It’s about small moments of awareness stacked up over time—moments that can make all the difference when it counts.

If you can develop that mindset, the rest follows.

And if you’re serious about protecting yourself and the businesses that trust you, the right training turns that mindset into a skill set.

Final Thoughts: Your Clients Trust You—Make Sure They Can

Cybercriminals don’t just break in—they slip in through the gaps we don’t see.

Not because you’re careless.

But because you’re busy, trusting, and focused on getting things done.

This blog showed how small, everyday moments—sharing access too widely, trusting a calendar invite, downloading a quick template, saving passwords for convenience—open doors that attackers are waiting to walk through.

It’s not about blaming yourself for being efficient.

It’s about understanding how that efficiency can be used against you if you’re not careful.

The tools you use—password managers, secure file sharing, antivirus software—help.

But tools alone aren’t enough.

It’s the habits, awareness, and small decisions you make daily that protect your clients and your business.

And that’s where real cybersecurity starts:

Not with another app, but with a mindset shift.

At Cyber Rebels, we don’t do tick-box training or scare tactics.

We run live, human-first sessions that show real-world professionals—like VAs and PAs—how attackers actually operate, where the real risks are, and how small changes in behaviour close those gaps for good.

💬 If you’re serious about protecting the businesses that trust you—and turning cybersecurity into a strength, not a stress—get in touch with Cyber Rebels.

We’ll help you go from vulnerable to vigilant—without the jargon, lectures, or fear.

Because cybersecurity doesn’t start with software.

It starts with you.

Director of Training and Development, Cyber Rebels. Andy Longhurst is the founder of Cyber Rebels and a cybersecurity practitioner and educator focused on how risk actually shows up in real organisations. His work sits at the intersection of digital safety, education, and practical risk management — helping teams understand not just what policies say, but what happens in the moments where decisions are made under pressure. With a background spanning adult education, web development, and technical consultancy, Andy specialises in translating complex security concepts into clear, usable understanding. Rather than focusing solely on tools or compliance frameworks, his approach centres on human behaviour, judgement, and the systems that shape everyday choices. He delivers live, interactive cyber awareness training for organisations of all sizes, from small businesses and education providers to public-sector teams and larger organisations operating in complex risk environments. Outside of delivery, Andy spends his time analysing emerging attack patterns, refining training design, and exploring how organisations can build resilience that holds up in the real world — usually with a strategically sized cup of tea close to hand.
