Cybercriminals have begun researching potential victims in order to collect information that will help improve the odds of their phishing attacks being successful.
According to a new report from the IT security company Barracuda Networks, these bait attacks are one technique employed by cybercriminals to test out email addresses they've acquired and see who is willing to respond.
The firm's researchers surveyed 10,500 organizations to find that just over 35 percent of them were targeted by at least one bait attack in September 2021 with an average of three distinct mailboxes per company receiving one of these messages.
As the emails sent out in bait attacks don't include any phishing links, malicious attachments or malware, they're able to bypass many email security systems and arrive successfully in organizations' inboxes.
Bait attacks
Bait attacks, which are also known as reconnaissance attacks, are usually emails with very short or even empty content. This is because the goal of these emails is to verify the existence of a victim's email account or to get the victim involved in a conversation that could lead to them transferring money or leaking their credentials to the attacker.
In order to avoid being detected, the cybercriminals launching these attacks typically use brand new email accounts from free email services such as Gmail, Yahoo or Hotmail to send out their bait emails. In fact, over 90 percent of bait attack emails were sent using Gmail. At the same time, they also rely on low volume, non-burst sending behavior to get past any bulk or anomaly-based detectors.
Barracuda's research team ran an experiment in which they replied to a bait email that had a subject line of “HI” and no content in the body of the email. Within 48 hours of responding to this email, the targeted employee received a phishing attack impersonating Norton LifeLock.
To protect your organization and employees from bait attacks, Barracuda recommends deploying AI to identify and block these kinds of attacks, training staff to recognize and report bait attacks and not letting bait attack emails sit inside users' inboxes.
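The traits described above (free webmail sender, first contact, near-empty body, no links or attachments) can be combined into a simple triage check for mail that content scanners pass. This is an added example, not Barracuda's detection logic; the domain list, the 40-character threshold, the `known_senders` set and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed list: the free webmail services the article names.
FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com"}
URL_RE = re.compile(r"https?://|www\.", re.I)
TAG_RE = re.compile(r"<[^>]+>")
MAX_BODY_CHARS = 40  # assumed cut-off for "very short or even empty"

def inspect_parts(msg):
    """Return (visible text, whether any text part has a URL, attachment count)."""
    chunks, has_url, attachments = [], False, 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename() or part.get_content_disposition() == "attachment":
            attachments += 1
        elif part.get_content_maintype() == "text":
            text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            has_url = has_url or bool(URL_RE.search(text))  # check before stripping tags
            if part.get_content_subtype() == "html":
                text = TAG_RE.sub(" ", text)
            chunks.append(text)
    return " ".join(" ".join(chunks).split()), has_url, attachments

def bait_signals(raw_message, known_senders):
    """Evaluate each trait the article attributes to bait emails."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    body, has_url, attachments = inspect_parts(msg)
    return {
        "free_mail_sender": sender.rpartition("@")[2] in FREE_MAIL,
        "first_contact": sender not in known_senders,
        "unsolicited": not (msg.get("In-Reply-To") or msg.get("References")),
        "near_empty_body": len(body) <= MAX_BODY_CHARS,
        "no_links_or_attachments": attachments == 0 and not has_url
            and not URL_RE.search(msg.get("Subject", "")),
    }

def is_probable_bait(raw_message, known_senders):
    """True only when every signal fires; intended for triage, not auto-deletion."""
    return all(bait_signals(raw_message, known_senders).values())

# Constructed sample messages (not real traffic).
SAMPLE_BAIT = "From: A <new.account@gmail.com>\nTo: staff@example.org\nSubject: HI\n\n"
SAMPLE_KNOWN = "From: Pat <pat@gmail.com>\nTo: staff@example.org\nSubject: lunch?\n\nNoon ok?\n"
SAMPLE_LINK = ("From: B <someone@yahoo.com>\nTo: staff@example.org\nSubject: hello\n\n"
               "see http://example.com/a\n")
```

Short first-contact messages from webmail accounts are often legitimate, so a match is better used to queue the message for review or to warn the recipient before replying than to block it outright.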