Gmail accounts are used in 91% of all provocative email attacks


Tinder attacks are on the rise and it appears that actors distributing this special type of phishing emails prefer to use Gmail accounts to conduct their attacks.

According to a Barracuda report, which surveyed 10,500 organizations, 35% of them received at least one decoy attack email in September 2021 alone.

What is a Tinder Attack?

A “decoy attack” is a subclass of phishing in which threat actors attempt to gather basic information about a specific target and use it for more targeted and effective attacks in the future.

It’s a preparatory reconnaissance phase that rarely comes with payloads or links embedded in the body of the email.

While some of these emails contain a basic question or something that has a better chance of being answered, many don’t include any text.

Example of attack with lure without text
Example of attack with lure without text
Source: Barracuda

While it may be odd to send an almost blank email, threat actors use them for the following purposes:

  • Confirm that the recipient’s email address is valid
  • Confirm that the email address is actively used
  • Confirm the susceptibility of targets to unwanted emails
  • Test the effectiveness of automated spam detection solutions

Since these emails do not include links to phishing sites and do not contain attachments, they usually go through phishing defense systems as they are not considered harmful.

Why Gmail?

Barracuda’s statistics show that 91% of all these tinder emails are sent from newly created Gmail accounts, while all other email platforms account for only 9%.

This preference is due to the fact that Gmail is a very popular service that people associate with legitimacy and trustworthiness.

The same goes for email security solutions that treat Google’s email service as a highly reliable service.

Furthermore, Gmail is a platform that allows for the quick and easy creation of pseudonymous accounts without too much hassle.

Finally, Gmail supports the “read receipt” feature, which tells actors that the recipient has opened the message even if they never replied.

This covertly fulfills the purpose of the baiting attack, which is to confirm that the mailbox is valid and actively used.

Percentage of decoy messages from Gmail accounts
Percentage of decoy messages from Gmail accounts
Source: Barracuda

What if the bait is taken?

Barracuda decided to experiment by replying to these provocative emails, which shouldn’t start the phishing process.

Within 48 hours, the security company employee received a targeted phishing attack used after a fake Norton LifeLock purchase requisition.

Phishing email sent to the victim
Phishing email sent to the victim
Source: Barracuda

This quick response demonstrates the readiness of the actors and the close connection between these harmless-looking blank emails and full-fledged phishing attacks.

Remember, you don’t even need to respond to these emails to confirm they’re available for potential exploitation, so if you see one, delete it without opening it.

However, the response places the victim in a higher priority category for actors, as users who respond to decoy emails are typically more susceptible and easier to exploit.


Please enter your comment!
Please enter your name here