
Businesses are drowning in email 'bait' attacks

(Image credit: wk1003mike / Shutterstock)

More than a third of global businesses are targeted by at least one “bait attack” per month, a new report from cybersecurity company Barracuda Networks suggests.

The report, based on an analysis of 10,500 organizations, claims that just over 35 percent were on the receiving end of at least one such attack in September 2021. The average company receives bait emails in three distinct email inboxes, the report added.

A bait email is part of a phishing attack. The goal is to determine whether or not the targeted email address is active. An attacker will usually send either an empty email message, or something very simple, just to see if they receive an undeliverable alert or response from the victim. If the recipient responds, attackers then follow up with the actual phishing email, Barracuda explained.

By sending out a very short message, and by making sure they keep the volume of these emails down, attackers can make sure they don’t get flagged by security systems. Most of the time, they use one of the world’s most popular free email services - such as Gmail, Yahoo or Hotmail - to create a brand new address. In fact, Gmail accounts for 91 percent of all bait attacks.
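The traits described above (a free-mail sender, a near-empty body and no prior contact) can be combined into a triage heuristic for reviewing inbound mail. The following is an added example, not code from Barracuda's report; the 40-character cutoff, the `known_senders` set and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Free providers named in the article; extend for your own environment.
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com"}
MAX_BODY_CHARS = 40  # assumed cutoff for an "empty or very simple" body

def body_text(msg):
    """Concatenate all text/plain parts and strip surrounding whitespace."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "".join(chunks).strip()

def bait_signals(raw_message, known_senders):
    """Return the bait traits present in one inbound RFC 5322 message."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    text = body_text(msg)
    has_payload = ("http://" in text.lower() or "https://" in text.lower()
                   or any(p.get_filename() for p in msg.walk()))
    signals = []
    if sender.rpartition("@")[2] in FREEMAIL:
        signals.append("freemail_sender")
    if sender not in known_senders:  # hypothetical set of prior correspondents
        signals.append("first_contact")
    if len(text) <= MAX_BODY_CHARS and not has_payload:
        signals.append("near_empty_body")
    return signals

def is_probable_bait(raw_message, known_senders):
    """Flag for review only when all three traits co-occur."""
    return len(bait_signals(raw_message, known_senders)) == 3

# Constructed sample messages (not real traffic).
KNOWN = {"pat@partner.example", "lee.constructed@yahoo.com"}
BAIT = "From: Sam <sam.constructed@gmail.com>\nTo: user@example.com\nSubject: Hi\n\nHi\n"
REPLY = "From: lee.constructed@yahoo.com\nTo: user@example.com\nSubject: Re: lunch\n\nok thanks\n"
INVOICE = ("From: Pat <pat@partner.example>\nTo: user@example.com\nSubject: Q3\n\n"
           "Please find the Q3 figures we discussed on Tuesday's call below.\n")

if __name__ == "__main__":
    for name, raw in (("bait", BAIT), ("reply", REPLY), ("invoice", INVOICE)):
        print(name, bait_signals(raw, KNOWN), is_probable_bait(raw, KNOWN))
```

Requiring all three traits keeps short replies from existing free-mail contacts out of the review queue, which matters because any single trait on its own matches a large share of legitimate mail.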

Barracuda recently managed to test out how these attacks work, when one of its employees replied to a bait attack. Within 48 hours, the employee received a follow-up email with a targeted phishing attack. 

“Cyber attackers are always looking for new and innovative ways to improve the efficiency and success-rate of their carefully composed spear-phishing attacks, and whilst typically harmless in their own right, bait attacks are posing a serious threat to business data by targeting susceptible staff,” said Michael Flouton, VP Email Protection Products for Barracuda Networks. 

“The best method of tackling this growing threat, which is largely undetectable by traditional filtering technology, is by training users on how to recognise and report them. It’s important that bait attacks are removed from an inbox as soon as they are identified, to prevent users from opening or replying to them, and automated incident response software will identify and remediate these messages in minutes, preventing further spread of the attack and helping to avoid making your organisation a future target.”

Sead Fadilpašić

Sead is a freelance journalist with more than 15 years of experience in writing various types of content, from blogs, whitepapers, and reviews to ebooks, and many more, across sites including Al Jazeera Balkans, TechRadar Pro, IT Pro Portal, and CryptoNews.