According to a report from Barracuda, 35% of organizations were targeted and had an average of three employee email accounts impacted by bait attacks; also, 91% of all bait attacks were conducted over Gmail.
Bait attacks (also known as reconnaissance attacks) are a class of threats utilized by malicious actors looking to gather information from potential victims. The goal of bait attacks is to confirm the existence of a victim’s email account, if the message is not returned as undeliverable, or to engage in a conversation with the intent to collect information for future attacks. The initial messages are often very short or completely empty. Because these emails have very little content and are often sent from reputable email services, it is difficult for conventional phishing detectors to defend against them.
If the past year has shown us anything, it’s that anyone is susceptible to bait attacks, just as they are to other email threats. In a previous report, Barracuda found that the average organization is targeted through 700 or more social engineering attacks each year. These kinds of attacks are only becoming more targeted and personalized, making them increasingly difficult to detect.
To defend against these kinds of attacks, security teams should implement AI detection methods. They should also train their users to recognize and report bait attacks to their IT and security teams, displaying real examples in security awareness training and attack-simulation campaigns to better prepare employees to identify and respond appropriately.
Most importantly, security teams should not let bait attacks sit inside users’ inboxes. Once a bait attack is identified, it is critical to remove it immediately, before the message can be opened or given a response. This will help to prevent any further activity from the threat and lessen the odds of becoming a target.
Researchers from Barracuda analyzed bait attack patterns in September 2021 from 10,500 organizations.
Read the full report by Barracuda.