GUEST ESSAY: ‘Nag attacks’ — this new phishing variant takes full advantage of notification fatigue

By Audian Paxson

One must admire the ingenuity of cybercriminals.


A new development in phishing is the “nag attack.” The fraudster commences the social engineering by irritating the targeted victim, and then follows up with an offer to alleviate the annoyance.

The end game, of course, is to trick an intended victim into revealing sensitive information or into installing malicious code. This is how keyloggers and backdoors get implanted deep inside company networks, as well as how ransomware seeps in.

Spoofed alerts

A nag attack breaks the ice with a repeated message or push notice designed to irritate. The nag might be a spoofed multifactor authentication push or system error alert – a notification message that annoyingly repeats on a seemingly infinite loop.

The idea of this first part of the nag attack is to annoy the targeted victim. Most of us don’t like random messages out of nowhere, much less dozens of them.

The second part of the attack is the scam. If your smartphone or computer is displaying a faked alert, then this means the criminal can contact you directly on the same channel. Usually, they’ll claim to be from the IT department or perhaps from a software or service provider.

The con artist sympathetically confirms that the victim has been deluged with notices and apologizes profusely. Distracted, aggravated and eager to put a stop to it, the victim gratefully accepts the extended solution.


Usually this requires divulging login credentials and other details. Wham: the attackers gain unauthorized access — and a foothold to probe deeper into the breached network.

Human nature

Nag attacks add to the litany of phishing techniques. Over the years, endless phishing variants have emerged, including:

• Bulk phishing. This is when mass emails are sent out.

• Spear phishing. The targeting of specific individuals or organizations.

• Whaling. Putting senior executives in the cross-hairs.

• Smishing. Lures sent via text message.

We can now add nag attacks, which take full advantage of human nature. Nag attacks are proving effective because no one likes to be nagged.

The attacker sets notification fatigue in motion and then adds credibility by sympathizing with the victim’s plight, while also being able to make references to details about the nuisance alerts.

Nag attacks are simple, clever and highly effective. Even employees in well-known organizations have fallen victim to the nag, including those at Microsoft, Cisco, and Uber.

Best defense

Large-scale nag attacks that randomly target wide swaths of email addresses or phone numbers are referred to as spray attacks. Spray attacks are noisy and thus can be mitigated with detection and response software that leverages machine learning and automation.

However, nag attacks are intrinsically difficult to stop, especially attacks targeting individual employees. This is because phone numbers and email addresses are easy to obtain. Thus, targeting specific employees in certain organizations is straightforward. This limits the effectiveness of automated detection and response tools.
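As an added illustration (not from the essay or from any vendor's product), the sketch below shows the kind of rule a detection tool can run over MFA push events: it flags one source prompting many accounts, the noisy spray case, and one account receiving a burst of unapproved prompts. It assumes the prompts pass through the organization's own identity provider and are logged; the log format, thresholds and sample events are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): time, user, source IP, outcome.
SAMPLE_LOG = """\
2024-05-01T09:00:05 alice 203.0.113.7 denied
2024-05-01T09:01:10 alice 203.0.113.7 timeout
2024-05-01T09:02:00 alice 203.0.113.7 denied
2024-05-01T09:03:30 alice 203.0.113.7 timeout
2024-05-01T09:04:45 alice 203.0.113.7 denied
2024-05-01T09:06:00 alice 203.0.113.7 approved
2024-05-01T09:10:00 bob 198.51.100.9 timeout
2024-05-01T09:10:20 carol 198.51.100.9 timeout
2024-05-01T09:10:40 dave 198.51.100.9 denied
2024-05-01T11:00:00 erin 192.0.2.10 approved
"""

WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 5  # assumed: unapproved pushes to one user inside WINDOW
SPRAY_THRESHOLD = 3  # assumed: distinct users prompted by one source inside WINDOW

def parse(log):
    rows = (line.split() for line in log.strip().splitlines())
    return sorted((datetime.fromisoformat(ts), u, s, o) for ts, u, s, o in rows)

def detect(events):
    """Return (burst_users, spray_sources, approved_after_burst)."""
    per_user = defaultdict(list)  # unapproved push times per user, inside WINDOW
    per_src = defaultdict(list)   # (time, user) prompts per source, inside WINDOW
    bursts, sprays, gave_in = set(), set(), set()
    for ts, user, src, outcome in events:
        per_src[src] = [(t, u) for t, u in per_src[src] if ts - t <= WINDOW] + [(ts, user)]
        if len({u for _, u in per_src[src]}) >= SPRAY_THRESHOLD:
            sprays.add(src)  # one source nagging many accounts: the noisy case
        per_user[user] = [t for t in per_user[user] if ts - t <= WINDOW]
        if outcome == "approved":
            if len(per_user[user]) >= BURST_THRESHOLD:
                gave_in.add(user)  # approval right after a burst: review it
            per_user[user] = []
        else:
            per_user[user].append(ts)
            if len(per_user[user]) >= BURST_THRESHOLD:
                bursts.add(user)  # one account being nagged repeatedly
    return bursts, sprays, gave_in

if __name__ == "__main__":
    print(detect(parse(SAMPLE_LOG)))
```

A rule like this sees only prompts that reach the organization's logs; alerts spoofed entirely outside its systems leave no such trail.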

The most effective defense is alert, well-trained employees. Cybersecurity training needs to be timely and relevant. This can include simulations to raise awareness and train people so when they see unprompted, persistent and annoying messages, they’ll know the real reason for the harassment.

Every message with even a hint of suspiciousness needs to be validated. This needs to become ingrained workplace behavior.

About the essayist. Audian Paxson is Director of Technical Product Marketing at Ironscales, an Atlanta-based email security company.
