Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Gmail Accounts are Used in 91% of All Baiting Email Attacks

Gmail Accounts are Used in 91% of All Baiting Email Attacks

Bait attacks are on the rise, and it appears that actors who distribute this special kind of phishing emails prefer to use Gmail accounts to conduct their attacks.

According to a report by Barracuda, who surveyed 10,500 organizations, 35% of them received at least one bait attack email in September 2021 alone.

Also Read: PDPA Meaning: Know Its Big Advantages In Businesses

What is a baiting attack?

A “bait attack” is a sub-class of phishing where threat actors attempt to gather basic information about a specific target and use it for more targeted and effective attacks in the future.

It is a preparatory reconnaissance step that seldom comes with payloads or embedded links on the email body.

Although some of these emails contain a basic question or something that has higher chances of receiving a response, many don’t include any text at all.

Example bait attack without any text
Example bait attack without any text
Source: Barracuda

While it may be strange to send an almost empty email, the threat actors are using them with the following goals:

  • Confirm that the recipient’s email address is valid
  • Confirm that the email address is actively used
  • Confirm targets’ susceptibility to unsolicited emails
  • Test the effectiveness of automated spam-detection solutions

Since these emails don’t include any links to phishing sites and don’t carry any attachments, they usually pass through phishing defense systems as they are not seen as malicious.

Why Gmail?

Barracuda’s stats show that 91% of all these bait emails are sent from newly-created Gmail accounts, while all other email platforms account for just 9%.

Also Read: What Is PDPA And What Are The 5 Things You Should Know About

This preference is because Gmail is a very popular service that people associate with legitimacy and trustworthiness.

The same applies to email security solutions that treat Google’s email service as a highly reputable one.

Moreover, Gmail is a platform that allows the quick and easy creation of pseudonymous accounts without much fuss.

Finally, Gmail supports “read receipt” functionality, which tells the actors that the recipient opened the message even if they never replied.

This stealthily fulfills the purpose of the baiting attack, which is to confirm that the mailbox is valid and actively used.

Percentage of bait mails coming from Gmail accounts
Percentage of bait mails coming from Gmail accounts
Source: Barracuda

What if the bait is taken?

Barracuda decided to experiment by replying to these baiting emails, which aren’t supposed to initiate the phishing process.

Within 48 hours, the security firm employee received a targeted phishing attack used after a false Norton LifeLock purchase claim.

Phishing email sent to victim
Phishing email sent to victim
Source: Barracuda

This quick response demonstrates the readiness of the actors and the tight connection between these innocuous-looking empty emails and fully-fledged phishing attacks.

Remember, one doesn’t even have to reply to these emails to confirm that they are available for potential exploitation, so if you see one, delete it without opening it.

However, replying puts the victim in a higher priority category for the actors, as users who respond to bait emails are typically more susceptible and easier to exploit.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us