Phishing scammers are getting a bit more resourceful when it comes to planning attacks, claims a report from cybersecurity provider Barracuda.
Some attackers are now orchestrating preliminary, low-threat attacks first, to gauge how responsive the victim is likely to be to a full phishing attempt.
These first emails, dubbed ‘bait attacks’, are largely being sent by scammers from Gmail accounts.
What are Bait Attacks?
The research by Barracuda into these bait attacks has shown that they start with a fairly innocuous email that serves two functions – firstly, it can slip through email defences undetected, and secondly, it verifies that the email address is in use and that the victim is likely to respond.
In its example, Barracuda received a bait email with the subject heading ‘Hi’ and no other content. The research firm replied to the email with ‘Hi, how may I help you?’, and within 48 hours received a scam demand purporting to be from Norton LifeLock, demanding payment of $400.
While traditional phishing emails carry many red flags that let systems catch them early, from suspicious links and poor grammar to potentially compromised email addresses, these bait emails not only seem innocent but, by engaging the victim, also mean that the respondent is now expecting a reply. A receptive and captive audience is payday for a phishing scammer.
Example of a bait email from Barracuda
Where are Bait Attacks Coming From?
According to the research, around 35% of the 10,500 organizations that it analyzed had received at least one bait attack in September 2021.
The method for bait attacking varies slightly from the approach that phishing scams usually take, which tends to be high volume, peppering inboxes with emails in the hope that a small minority will fall for the scam. With bait attacks, however, Barracuda found that attackers adopted a low-volume approach and avoided sending emails in bursts, presumably to try to bypass bulk or anomaly-based detectors.
In order to send out these emails, scammers are relying on free email services. This isn't just because they cost the scammer nothing: they are also a quick and easy way to set up new email accounts, with the benefit of a fresh email address that won't already have been blacklisted.
The most popular free email service of choice appears to be Gmail, with 91% of the bait emails that Barracuda identified coming from the platform. Others, such as Hotmail and Yahoo, made up the remaining 9%.
Gmail itself was in the headlines last month, with the news that it had identified and blocked 1.6 million phishing emails involved in a cryptocurrency scam.
How to Avoid Bait Attacks
This phishing scam may be slightly more sophisticated than we're used to seeing, but that doesn't mean it's unavoidable. Because the first email carries no detectable threat, it may slip through traditional anti-virus software and email security, but there are steps that you can take to mitigate the risk.
Vigilance – Knowing the signs of a bait attack is the first step in not falling victim to one. It's important that you know what a bait attack looks like, and even more important that you don't respond to emails with limited information or a simple subject line, as this could open up the floodgates.
Remove bait emails – If you do spot a bait email, it's important that your IT department is alerted to the threat immediately, so that they are aware, can remove it, and can be on the lookout for further attacks.
Blacklist the email address – While this scam tends to use new email accounts, it's still a good idea to blacklist the sender in case they attempt to send further emails to your organization.
While anti-virus software is unlikely to catch a bait email, it should catch the follow-up phishing email, thanks to all the usual hallmarks, such as a suspicious link. Anti-virus software is a valuable tool when weeding out phishing emails, and should be employed alongside good old-fashioned common sense to help reduce the risk from phishing scams.
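The characteristics the report describes (a greeting-only subject, an empty body, a free-webmail sender with no prior relationship) can be turned into a simple triage check that runs before a human ever sees the message. The script below is an added example written for this article, not code from Barracuda or its report; the webmail domain list, the 40-character body threshold, the three-indicator threshold and the sample messages are all constructed assumptions, and the `example.com` addresses are placeholders.

```python
"""Heuristic triage for the 'bait attack' pattern described in the article.

Added example, not Barracuda's code. Indicator thresholds, the webmail
domain list and the sample messages below are all constructed assumptions.
"""
from email import message_from_string, policy, utils

# Free webmail providers the article names as the main sources of bait emails
# (domain list is an assumption; extend it for your environment).
FREE_WEBMAIL_DOMAINS = {"gmail.com", "googlemail.com", "hotmail.com",
                        "outlook.com", "yahoo.com"}

# Greeting-only subjects that carry no business context (assumed list).
TRIVIAL_SUBJECTS = {"", "hi", "hello", "hey", "hi there", "hello there"}

# A body shorter than this is treated as effectively empty (assumed threshold).
MIN_REAL_BODY_CHARS = 40

# How many indicators must coincide before a message is treated as bait.
BAIT_THRESHOLD = 3


def parse(raw):
    """Parse one RFC 5322 message with the modern email policy."""
    return message_from_string(raw, policy=policy.default)


def sender_address(msg):
    return utils.parseaddr(str(msg.get("From", "")))[1].lower()


def body_text(msg):
    part = msg.get_body(preferencelist=("plain", "html"))
    return "" if part is None else part.get_content().strip()


def bait_indicators(msg, known_senders):
    """Return the bait-attack indicators present in a parsed message, in a fixed order."""
    sender = sender_address(msg)
    domain = sender.rpartition("@")[2]
    subject = str(msg.get("Subject", "")).strip().lower()
    indicators = []
    if subject in TRIVIAL_SUBJECTS:
        indicators.append("trivial_subject")      # 'Hi' and nothing else
    if len(body_text(msg)) < MIN_REAL_BODY_CHARS:
        indicators.append("near_empty_body")      # nothing for a link/attachment scanner to inspect
    if domain in FREE_WEBMAIL_DOMAINS:
        indicators.append("free_webmail_sender")  # fresh account, not yet blacklisted
    if sender not in known_senders:
        indicators.append("first_contact")        # low volume, no prior relationship
    return indicators


def is_likely_bait(msg, known_senders):
    return len(bait_indicators(msg, known_senders)) >= BAIT_THRESHOLD


def triage(raw_messages, known_senders):
    """Score a batch of raw messages; the caller decides whether to quarantine or alert IT."""
    results = []
    for raw in raw_messages:
        msg = parse(raw)
        indicators = bait_indicators(msg, known_senders)
        results.append({
            "from": sender_address(msg),
            "subject": str(msg.get("Subject", "")),
            "indicators": indicators,
            "likely_bait": len(indicators) >= BAIT_THRESHOLD,
        })
    return results


def _raw(headers, body=""):
    # Build a raw message from constructed headers and body (sample data only).
    return "\n".join(headers) + "\n\n" + body


# Constructed sample inbox: two bait-style messages and two legitimate ones.
SAMPLE_MESSAGES = [
    _raw(["From: Ann <ann.recruit.87@gmail.com>",
          "To: finance@example.com", "Subject: Hi"]),                  # bait: greeting, empty body
    _raw(["From: Bob Lee <bob.lee@example.com>",
          "To: finance@example.com", "Subject: Hi"],
         "Got a minute to talk about the Q3 numbers? Bob"),            # colleague's quick note
    _raw(["From: J. Doe <jdoe1984@gmail.com>",
          "To: support@example.com", "Subject: Order 4471 missing item"],
         "Hello, my order arrived today but the second cable was not in the box. "
         "Can you send a replacement? Thanks, J."),                    # genuine customer on webmail
    _raw(["From: Mark <mark.k.payments@yahoo.com>",
          "To: ceo@example.com", "Subject: Hello"], "Hello"),          # bait: greeting-only body
]

# Addresses the organisation has corresponded with before (constructed).
KNOWN_SENDERS = {"bob.lee@example.com", "supplier@partner.example"}


if __name__ == "__main__":
    for r in triage(SAMPLE_MESSAGES, KNOWN_SENDERS):
        flag = "BAIT?" if r["likely_bait"] else "ok   "
        print(f"{flag} {r['from']:<30} {r['subject']!r:<28} {r['indicators']}")
```

Requiring several weak indicators to coincide is what keeps the check usable: a colleague's one-word "Hi" and a real customer writing from Gmail each trip one or two indicators and pass, while the two bait-style messages trip all four. The `first_contact` indicator needs a record of addresses the organisation has actually exchanged mail with, which most mail gateways can supply; a flagged message is better routed to the IT team described above than silently dropped, so the sender can be blacklisted and the mailbox owner warned not to reply.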