A new report by Barracuda was recently published. It revealed that the vast majority of baiting email attacks conducted this year were done via G-mail accounts.
The firm surveyed 10,500 different organizations and found that more than a third (35 percent) of them received at least one bait attack email in September 2021 alone.
That's disturbing but perhaps it would be of benefit to back up a step. The term "Bait Attack" signifies a sub-class of phishing where hackers and scammers attempt to glean basic information about a particular person or organization. They then use that information for a more targeted attack in the future.
Essentially it's a simple attack where if it is successful it will lead to a more complex attack in the future. That would be an attack that's more likely to succeed given the earlier success.
Of significance is that these emails don't contain links that point to the outside world. They don't have attachments so there's nothing in the email that would raise any red flags. These messages sail right through even the most robust security systems because they're not harmful in any way. In fact sometimes they don't contain any text in the body at all.
The goal here is to illicit a response. So if there is text it will likely be simple, clear, and to the point. It could perhaps be even as simple as "Please confirm that this is indeed your email address."
If the recipient responds the sender learns a number of important details. These details include the fact that the email account is correct and active, that the recipient is at least somewhat likely to open unsolicited emails from unknown senders, and that the company's spam filter didn't block the email that was sent. From the perspective of a hacker that's a treasure trove of information.
As to why they have a preference for Gmail over other email providers that ultimately comes down to legitimacy. Google is a respected name. Hackers can leverage that respectability by using a Gmail account and often fly under the radar.
There's nothing specific to be done with this information beyond warning your employees to stay vigilant and resist the temptation to respond to unsolicited emails from unknown senders.