Gmail is awash with bait attack phishing emails

Email warning
(Image credit: Shutterstock)

Cybercriminals have begun researching potential victims in order to collect information that will help improve the odds of their phishing attacks being successful.

According to a new report from the IT security company Barracuda Networks, these bait attacks are one technique employed by cybercriminals to test out email addresses they've acquired and see who is willing to respond.

The firm's researchers surveyed 10,500 organizations to find that just over 35 percent of them were targeted by at least one bait attack in September 2021 with an average of three distinct mailboxes per company receiving one of these messages.

As the emails sent out in bait attacks don't include any phishing links, malicious attachments or malware, they're able to bypass many email security systems and arrive successfully in organizations' inboxes.

Bait attacks

Bait attacks, which are also known as reconnaissance attacks, are usually emails with very short or even empty content. This is because the goal of these emails is to verify the existence of a victim's email account or to get the victim involved in a conversation that could lead to them transferring money or leaking their credentials to the attacker.

In order to avoid being detected, the cybercriminals launching these attacks typically use brand new email accounts from free email services such as Gmail, Yahoo or Hotmail to send out their bait emails. In fact, over 90 percent of bait attack emails were sent using Gmail. At the same time, they also rely on low volume, non-burst sending behavior to get past any bulk or anomaly-based detectors.

Barracuda's research team ran an experiment in which they replied to a bait email that had a subject line of “HI” and no content in the body of the email. Within 48 hours of responding to this email, the targeted employee received a phishing attack impersonating Norton LifeLock.

To protect your organization and employees from bait attacks, Barracuda recommends deploying AI to identify and block these kinds of attacks, training staff to recognize and report bait attacks and not letting bait attack emails sit inside users' inboxes.

Looking to further protect yourself online? Check out our roundups of the best endpoint protection software, best identity theft protection and best malware removal software

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.