Last year, a small consulting firm in the Midwest gave a new virtual assistant access to email and calendars. The setup worked well—until it didn’t.

One morning, the assistant received an email that appeared to come from the boss. It asked for an urgent wire transfer update tied to a client payment. The message looked routine, matched the executive’s writing style, and created just enough pressure to skip a second check. The assistant clicked the link, entered credentials to “verify,” and attackers were in. Within hours, they had access to financial systems and internal communications. The breach cost six figures to contain and triggered months of damage control with shaken clients and partners.

This kind of stories are becoming more common and also a threat for the company. In reality, this kind of problems does not only target big FORTUNE 500 companies, but many small business owner suffer from lack of knowledge.

As executives rely more on virtual assistants to manage inboxes, schedules, payments, and sensitive files, those assistants are becoming one of the most exploited cybersecurity risk vectors. Proofpoint has warned for years that executive assistants are more likely to be targeted by phishing and social engineering attacks than the executives they support. The reason is simple: assistants often have broad access to valuable systems but face less rigorous security scrutiny.

This risk isn’t limited to remote assistants. In-house assistants are just as vulnerable. Sitting inside the office doesn’t protect someone from a convincing phone call, a spoofed email, or a fake internal request. Social engineering works by exploiting trust and routine, not location. Whether remote or onsite, assistants are conditioned to help, move quickly, and resolve urgent issues—exactly what attackers rely on.

Remote assistants often work from personal devices and home networks that lack corporate-grade protections. In-house staff, meanwhile, may have even broader access and a false sense of safety inside the perimeter. In both cases, the outcome is the same: phishing, credential theft, and business email compromise remain the top entry points. Human error still accounts for up to 95 percent of security breaches, and when that error comes from someone with trusted access, the blast radius is large.

The data supports this shift. Many ransomware incidents begin with compromised assistants or administrative staff. The average global data breach cost now sits around $4.88 million. Insider-related breaches—whether remote or internal—often take longer to detect because the activity looks legitimate. Freelance assistants may lack training and tools, while internal assistants may be over-trusted and under-monitored.

Just to be clear, assistants aren’t dangerous because of bad intent. They’re dangerous because of high trust, high access, and constant urgency. One well-crafted spear-phishing email or phone call can unlock email systems, cloud drives, accounting software, or payment platforms.

Assistants remain essential. The solution isn’t to avoid them—it’s to secure them. Treat every assistant as a privileged user, regardless of where they sit. Enforce multi-factor authentication, limit access by role, require secure credential management, and provide ongoing phishing and social engineering training tailored to real assistant workflows.

As we move deeper into 2026, attackers will keep targeting people, not just systems. Recognizing assistants—remote and in-house alike—as a primary risk vector is the first step.