

Understanding Baiting and How to Avoid It

“Congratulations! You are the lucky winner of…”

“Yay! We have a free gift for you, download it now.”

We’ve all seen these types of online schemes and most of us don’t engage with them. That’s good because this is a classic example of baiting, a type of social engineering attack that can compromise your personal or organizational cybersecurity.

What Is Baiting in Social Engineering?

As mentioned above, baiting is a kind of attack where a social engineer will use a false promise or reward to trap victims and steal their sensitive information by infecting their system with malware. Baits are very attractive and enticing, not to mention manipulative, and their end goal is to infect your system and gain access to personal information.

Attackers who practice baiting use physical devices and enticing offers that appeal to people’s curiosity or needs to trap them and get what they want from their victims. In many ways, baiting is similar to phishing attacks, but overall, it’s different from most social engineering attacks. Why? Because these attacks offer something free that’s relevant to the target.

Most Common Baiting Techniques: Exploiting Human Curiosity

Tempting Offers

One of the most common baiting techniques is what we just explained above. You will receive tempting offers, whether that’s via ads, email, or social media, of downloadable content that’s free. They will offer users free music, movie downloads, a free digital audio player, or any other downloadable content.

Malware-Infected Devices

The second most common baiting technique is using malware-infected flash drives or USB drives. Once targeted employees insert these devices into company computers, malware will be automatically installed on their system and infect the company’s network.

Attackers will leave these infected devices in conspicuous areas, such as the company lobby, where targeted employees can see them and insert them into company computers to spread malicious code. It’s also not uncommon for infected flash or USB drives to be delivered directly to the target under false pretenses.

They can also send innocent-looking devices to employees as a reward placed in gift baskets. Additionally, they can practice strategic placement and use intriguing labels to tempt employees. Attackers can also pretend to be from technical support and instruct employees to insert tainted devices into their work computers.

Techniques to Prevent Baiting on Network Connected Computers

The most effective defense against baiting is education and awareness. That’s why it’s essential to prepare employees: teach them to identify the different kinds of attacks and give them clear instructions on what to do. This is very important for company security.

You can also prevent baiting by being wary of tempting offers and not plugging unknown devices into your computer. If something looks or sounds too good to be true, it probably is. Search on Google before you take the bait.

Additionally, you should disable autorun on your computer, the feature that automatically runs programs from devices you’ve inserted, whether or not those devices are actually safe.
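As an added illustration (not part of the original article), the following PowerShell script audits the Windows AutoRun policy value on a workstation and then applies the hardened setting. The registry paths and the NoDriveTypeAutoRun value are the ones the Group Policy setting "Turn off AutoPlay" writes; the script assumes it is run in an elevated (administrator) session.

```powershell
# Added example, not code from the original article.
# Audit and then disable AutoRun/AutoPlay for every drive type on a Windows host.
# Requires an elevated PowerShell session for the HKLM path.

$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

# NoDriveTypeAutoRun is a bitmask of drive types excluded from AutoRun.
# 0xFF (255) excludes every drive type, including removable USB drives.
$AllDriveTypes = 0xFF

function Get-AutoRunState {
    param([string]$Path)
    $value = (Get-ItemProperty -Path $Path -Name 'NoDriveTypeAutoRun' `
              -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $value) {
        return 'not set (AutoRun follows the Windows default)'   # weak setting
    }
    if ($value -eq $AllDriveTypes) {
        return 'disabled for all drive types'                   # hardened setting
    }
    return ('only partially disabled (mask 0x{0:X2})' -f $value)
}

# Step 1: report the current state before touching anything.
foreach ($path in $policyPaths) {
    Write-Host "$path : $(Get-AutoRunState -Path $path)"
}

# Step 2: apply the hardened setting, creating the policy key if it is missing.
foreach ($path in $policyPaths) {
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name 'NoDriveTypeAutoRun' `
                     -Value $AllDriveTypes -Type DWord
}

# Step 3: confirm the change took effect.
foreach ($path in $policyPaths) {
    Write-Host "$path : $(Get-AutoRunState -Path $path)"
}
```

In a managed environment the same result is better enforced centrally through Group Policy (Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies) so that a user cannot quietly re-enable it; the script is useful for checking a single machine or a lab host.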

Do these things and you will develop a strong security culture!
