We’ve talked before about spear-phishing, a targeted method of scamming and phishing employees at a business by using terms and names that they recognize. But how do the scammers know that an employee’s email address is valid in the first place? They may send a blank (or single-character) message to an email address. They do this for two reasons:
- To see if the email address is valid by watching out for kicked-back bounce messages.
- To see if anybody replies to the messages. If somebody responds, the scammers know not only that the address is valid, but also that its owner is more susceptible to this kind of scam.
Either way, the outcome is the same: The hacker now knows they have a valid email address to target.
Researchers at Agari describe the attack chain that this is part of as basically the following steps:
- Target Generation
- Lead Validation and Processing
- Pre-attack Testing
- Business Email Compromise (BEC) attack
You can read more about the technical details of this type of attack in Agari’s blog post, but here’s the long and short of it: If you get a blank email (that isn’t caught by your spam filter) or an email with just a single character in the subject line, just delete it and move on, or call or chat with the person who supposedly sent it to you to make sure it’s valid.
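For mail administrators, the same rule of thumb can be applied automatically. The following is an added example, not code from this post or from Agari: it flags messages whose visible body is blank or a single character, or whose subject is a single character. The function names and sample messages are constructed for illustration, and a flag is meant as a triage signal rather than a verdict.

```python
import html
import re
from email import message_from_string
from email.policy import default


def visible_text(msg):
    """Join the text of all non-attachment text/* parts, with HTML markup removed."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        if part.get_content_disposition() == "attachment":
            continue
        text = part.get_content()
        if part.get_content_subtype() == "html":
            # An HTML-only message can look blank while still carrying markup.
            text = html.unescape(re.sub(r"<[^>]+>", " ", text))
        chunks.append(text)
    return "".join(chunks).strip()


def has_attachment(msg):
    return any(p.get_content_disposition() == "attachment" for p in msg.walk())


def probe_reasons(raw):
    """Return the reasons a raw message looks like an address-validation probe."""
    msg = message_from_string(raw, policy=default)
    subject = (msg["Subject"] or "").strip()
    body = visible_text(msg)
    reasons = []
    if len(subject) == 1:
        reasons.append("single-character subject")
    if not has_attachment(msg):  # an attachment-only mail is a different case
        if body == "":
            reasons.append("blank body")
        elif len(body) == 1:
            reasons.append("single-character body")
    return reasons


# Constructed sample messages (not real traffic).
HDR = "From: a@example.com\nTo: b@example.org\n"
SAMPLES = {
    "blank": HDR + "Subject: hello\n\n\n",
    "one_char": HDR + "Subject: .\n\nk\n",
    "html_blank": HDR + "Subject: Q3 invoice\nMIME-Version: 1.0\n"
                  "Content-Type: text/html; charset=utf-8\n\n"
                  "<html><body><p>&nbsp;</p></body></html>\n",
    "normal": HDR + "Subject: Lunch\n\nAre you free at noon?\n",
}
```
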