Don’t Reply to Blank Emails

We’ve talked before about spear-phishing, which is a targeted method of trying to scam and phish employees at a business by using terms and names that they recognize. But how do the scammers know that an employee’s email address is valid in the first place? They may send a blank (or single-character) message to an email address. They do this for two reasons:

  1. To see if the email address is valid by watching out for kicked-back bounce messages.
  2. To see if anybody replies to the messages. If somebody responds, they know that the address is not only valid, but that its owner is more susceptible to this kind of scam.

Either way, the outcome is the same: The hacker now knows they have a valid email address to target.

Researchers at Agari describe the attack chain that this is part of as basically the following steps:

  1. Target Generation
  2. Lead Validation and Processing
  3. Pre-attack Testing
  4. Business Email Compromise (BEC) attack

You can read more in Agari’s blog post on the technical details of this type of attack, but here’s the long and short of it: If you get a blank email (that isn’t caught by your spam filter) or an email with just a single character in the subject line, just delete it and move on, or call/chat the person who supposedly sent it to you to make sure it’s valid.
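For mail administrators, the same rule of thumb can be turned into a filter check. The following is an added example, not code from Agari or from this post: it parses raw messages with Python's standard `email` module and reports why a message looks like a validation probe. The function names and the sample messages are constructed for illustration.

```python
import html
import re
from email import message_from_string, policy

def visible_text(msg):
    """Text a recipient would see: non-attachment text parts, tags stripped."""
    chunks = []
    for part in msg.walk():
        if part.is_multipart() or part.is_attachment():
            continue
        if part.get_content_maintype() != "text":
            continue
        text = part.get_content()
        if part.get_content_subtype() == "html":
            # Rough tag strip so an "empty" HTML shell counts as blank.
            text = html.unescape(re.sub(r"<[^>]+>", "", text))
        chunks.append(text)
    return "".join(chunks).strip()

def probe_reasons(raw):
    """Return why a raw message looks like a validation probe ([] if it does not)."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    body = visible_text(msg)
    has_files = any(p.is_attachment() for p in msg.walk())
    # A message that only carries an attachment is not "blank".
    if not has_files and len(body) <= 1:
        reasons.append("blank body" if not body else "single-character body")
    if len((msg["Subject"] or "").strip()) == 1:
        reasons.append("single-character subject")
    return reasons

# Constructed sample messages (addresses use reserved example domains).
BLANK = "From: a@example.net\nTo: pat@example.com\nSubject: \n\n"
ONE_CHAR = "From: b@example.net\nTo: pat@example.com\nSubject: .\n\n.\n"
HTML_BLANK = ("From: c@example.net\nTo: pat@example.com\nSubject: hi\n"
              "Content-Type: text/html\n\n<html><body><p>&nbsp;</p></body></html>\n")
NORMAL = ("From: d@example.net\nTo: pat@example.com\nSubject: Q3 invoice\n\n"
          "Hi Pat, the invoice is attached to the ticket.\n")

if __name__ == "__main__":
    for name, raw in [("BLANK", BLANK), ("ONE_CHAR", ONE_CHAR),
                      ("HTML_BLANK", HTML_BLANK), ("NORMAL", NORMAL)]:
        print(name, probe_reasons(raw))
```

A non-empty result is a reason to quarantine or tag the message for review rather than deliver it silently, since a reply from the recipient is exactly what the sender is testing for.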
