Commentary From Crisis Management Expert Edward Segal, Author of Crisis Ahead: 101 Ways to Prepare for and Bounce Back from Disasters, Scandals and other Emergencies

Cyber thieves are using new strategies, tactics and techniques to increase the chances that their phishing attacks against companies and organizations will succeed. Making matters worse for business leaders, ransomware attacks are on the rise, as is the amount of money being demanded.

That's according to a new report from IT security company Barracuda Networks, which warned that, "As attackers work to make their phishing attacks more targeted and effective, they've started researching potential victims, working to collect information that will help them improve the odds that their attacks will succeed."

Baiting Techniques

Barracuda Networks explained that, "Bait attacks are one technique attackers are using to test out email addresses and see who's willing to respond," and then use that information to plan future targeted attacks. 

"Also known as reconnaissance attacks, these efforts are usually emails with very short or even empty content. The goal is to either verify the existence of the victim's email account by not receiving any 'undeliverable' emails or to get the victim involved in a conversation that would potentially lead to malicious money transfers or leaked credentials," the company said.

Hard To Defend Against

According to Barracuda Networks, "Because this class of threats barely contains any text and does not include any phishing links or malicious attachments, it is hard for conventional phishing detectors to defend against these attacks." 

The company noted that, "to avoid being detected, the attackers typically use fresh email accounts from free services, such as Gmail, Yahoo, or Hotmail, to send the attacks. Attackers also rely on a low volume, non-burst sending behavior in an attempt to get past any bulk or anomaly-based detectors."

Report Findings

Other major findings of the report include: 

A Third Of Analyzed Companies Targeted

  • 35% of the 10,500 organizations analyzed were targeted by at least one bait attack in September 2021. On average, three mailboxes at each company received one of the bait messages.  

More Ransomware Attacks

  • Attacks on businesses in sectors such as infrastructure, travel and financial services made up 57% of all ransomware attacks between August 2020 and July 2021, up from just 18% in Barracuda's 2020 study.  

Higher Ransom Amounts

  • The ransom amount is increasing dramatically. The average ransom ask per incident is over $10 million.  

Parallel Attacks

  • The volume of cryptocurrency-related attacks closely follows the growing price of bitcoin. The price of bitcoin increased by almost 400% between October 2020 and April 2021, and impersonation attacks grew 192% in the same period of time. 

Barracuda Networks recommended that companies and organizations take the following steps:

Deploy AI To Identify And Block Phishing Attacks  

Traditional filtering technology is largely helpless when it comes to blocking bait attacks. The messages carry no malicious payload and usually come from Gmail, which is considered highly reputable. AI-based defense is a lot more effective. It draws on data extracted from multiple sources including communication graphs, reputation systems, and network-level analysis to be able to protect against such attacks. 
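
The traits the report describes, a very short or empty body, no link or attachment, a sender on a fresh free-webmail account, and a check against the organization's communication graph rather than a volume threshold, can be turned into a simple triage rule. The script below is an added example, not code from Barracuda Networks or from the article: the sample messages, the known-correspondent set, the webmail domain list, the generic-subject list and the scoring thresholds are all constructed assumptions for illustration.

```python
# Heuristic triage for "bait" (reconnaissance) emails. Added example; not
# Barracuda Networks' detector. Lists, thresholds and samples are assumed.
from __future__ import annotations
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Free webmail providers the report names as favored for fresh accounts (assumed list).
FREE_WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
URL_RE = re.compile(r"(https?://|www\.)", re.IGNORECASE)
GENERIC_SUBJECTS = {"", "hi", "hello", "hey", "hi there", "quick question"}  # assumed
NEAR_EMPTY_CHARS = 40  # assumed: bodies this short count as "very short or empty"
BAIT_THRESHOLD = 4     # assumed: score at which a message is flagged as bait


def sender_address(msg: Message) -> str:
    return parseaddr(msg.get("From", ""))[1].lower()


def plain_text(msg: Message) -> str:
    """Concatenate text/plain parts; attachments and HTML are not counted as body."""
    parts = [p for p in msg.walk()
             if p.get_content_type() == "text/plain" and not p.get_filename()]
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                     for p in parts)


def has_attachment(msg: Message) -> bool:
    return any(p.get_filename() for p in msg.walk())


def score_bait(raw: str, known_senders: set[str]) -> tuple[int, list[str]]:
    """Score one RFC 5322 message; higher means more bait-like. Returns (score, reasons)."""
    msg = message_from_string(raw)
    sender = sender_address(msg)
    domain = sender.rsplit("@", 1)[-1]
    body = plain_text(msg).strip()
    subject = (msg.get("Subject") or "").strip().lower()
    score, reasons = 0, []
    # Bait carries almost no text: the aim is to provoke a reply, not deliver a payload.
    if len(body) <= NEAR_EMPTY_CHARS:
        score += 2
        reasons.append(f"near-empty body ({len(body)} chars)")
    if subject in GENERIC_SUBJECTS:
        score += 1
        reasons.append("empty or generic subject")
    # A link or attachment is something conventional filters can inspect, so it
    # counts against the bait hypothesis rather than for it.
    if URL_RE.search(body) or has_attachment(msg):
        score -= 2
        reasons.append("carries a link or attachment (not bait-style)")
    # Fresh accounts on free webmail look reputable to domain-based filters.
    if domain in FREE_WEBMAIL_DOMAINS:
        score += 1
        reasons.append(f"free webmail sender domain {domain}")
    # Communication-graph check: has anyone in the org corresponded with this address?
    # Send volume is deliberately not a signal: attackers keep it low to evade bulk detectors.
    if sender not in known_senders:
        score += 2
        reasons.append("no prior correspondence with sender")
    return score, reasons


def triage(messages: dict[str, str], known_senders: set[str]) -> dict[str, dict]:
    """Run score_bait over a batch; flag anything at or above BAIT_THRESHOLD."""
    out = {}
    for name, raw in messages.items():
        score, reasons = score_bait(raw, known_senders)
        out[name] = {"score": score, "flagged": score >= BAIT_THRESHOLD, "reasons": reasons}
    return out


# Constructed communication graph: addresses the organization has corresponded with before.
KNOWN_SENDERS = {"bob@partner.example"}

# Constructed sample messages (not real traffic).
SAMPLES = {
    "empty_bait": ("From: Anna Lee <anna.lee.9932@gmail.com>\nTo: cfo@corp.example\n"
                   "Subject: Hi\n\n"),
    "probe_bait": ("From: <j.carter2021@yahoo.com>\nTo: cfo@corp.example\n"
                   "Subject:\n\nAre you there?\n"),
    "short_reply": ("From: Bob <bob@partner.example>\nTo: cfo@corp.example\n"
                    "Subject: Re: invoice 4471\n\nSounds good, thanks.\n"),
    "link_phish": ("From: <docs.share.team@gmail.com>\nTo: cfo@corp.example\n"
                   "Subject: Document\n\nPlease review the shared document at "
                   "https://example.invalid/review before noon.\n"),
}

if __name__ == "__main__":
    for name, result in triage(SAMPLES, KNOWN_SENDERS).items():
        flag = "BAIT?" if result["flagged"] else "ok   "
        print(f"{flag} {name:<12} score={result['score']:>2}  {'; '.join(result['reasons'])}")
```

Two design points follow from the report. The graph check carries the most weight because a terse note from a known partner (the `short_reply` sample) is normal traffic, while the same note from an address nobody has written to is the reconnaissance pattern; with an empty known-sender set the partner's note would be flagged too. And a message with a link or attachment is scored down rather than up, because that is the case the page says conventional filters already handle; this rule is meant to cover the gap they leave, not replace them.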

Train Users  

Some of these attacks may still land in users' inboxes, so train users to recognize these attacks and not reply. Include examples of bait attacks in your security awareness training and simulation campaigns. Encourage users to report these to your IT and security teams.  

Quickly Move Bait Attacks From Inboxes 

When bait attacks are identified, it's important to remove them from users' inboxes as quickly as possible before they open or reply to the message. Automated incident response can help identify and remediate these messages in minutes, preventing further spread of the attack and helping to avoid making your organization a future target.