

Last updated on February 7, 2023

Understanding Baiting and How to Avoid It

“Congratulations! You are the lucky winner of…”

“Yay! We have a free gift for you; download it now.”

We’ve all seen these types of online schemes, and most of us don’t engage with them. That’s good because this is a classic example of baiting, a type of social engineering attack that can compromise your personal or organizational cybersecurity.

What Is Baiting in Social Engineering?

As mentioned above, baiting is a kind of attack in which a social engineer uses a false promise or reward to lure victims and then steals their sensitive information, typically by infecting their systems with malware. Baits are attractive and enticing, not to mention manipulative, and their end goal is to infect your system and gain access to personal information.

Attackers who practice baiting use physical devices and enticing offers that appeal to people’s curiosity or needs in order to trap them and get what they want from their victims. In many ways, baiting is similar to phishing, but it differs from most social engineering attacks in one respect: it offers the target something free that is relevant to them.

Who is most likely to be targeted by baiting?

Anyone can be a target of baiting, but certain groups of people are more likely to be targeted than others. These include people who are curious by nature, those who are gullible, and those who are looking for a quick fix or easy solution. Children and teenagers are also often targeted by baiting attacks, as they are more likely to take the bait without thinking about the consequences.

Most Common Baiting Techniques: Exploiting Human Curiosity

There are many different types of baiting techniques, but they all share the same goal: to exploit the victim’s trust and curiosity in order to gain access to their systems or data.

Tempting Offers

One of the most common baiting techniques is the one described above: tempting offers of free downloadable content, delivered via ads, email, or social media. Attackers will offer users free music, movie downloads, a free digital audio player, or any other downloadable content.

Malware-Infected Devices

The second most common baiting technique uses malware-infected USB flash drives. Once a targeted employee plugs one of these devices into a company computer, the malware installs automatically on that system and spreads to the company’s network.

Attackers will leave these infected devices in conspicuous areas, such as the company lobby, where targeted employees can see them and insert them into company computers to spread malicious code. It’s also not uncommon for infected flash or USB drives to be delivered directly to the target under false pretenses.

They can also send innocent-looking devices to employees as a reward placed in gift baskets. Additionally, they can practice strategic placement and use intriguing labels to tempt employees. Attackers can also pretend to be from technical support and instruct employees to insert tainted devices into their work computers.

Hackers Target U.S. Firms with Malicious USB Flash Drives

In 2022, the FBI warned U.S. organizations of a new social engineering attack coming from the notorious cybercriminal group FIN7. According to reports, the group used malicious USB flash drives to deliver ransomware and launch BadUSB attacks against the U.S. defense sector. FIN7 sent several malicious USB sticks in two kinds of packages. The first imitated the U.S. Department of Health and Human Services and referenced COVID-19 guidelines; the second imitated an Amazon gift box containing a fake gift card and a USB drive.

Techniques to Prevent Baiting on Network-Connected Computers

The most effective defense against baiting is education and awareness. That’s why it’s essential to prepare employees: teach them to identify the different kinds of attacks and give them clear instructions. Organizations can also create policies prohibiting employees from accepting gifts from strangers or clicking on links from unknown sources. This is very important for company security.

You can also prevent baiting by being wary of tempting offers and not plugging unknown devices into your computer. If something looks or sounds too good to be true, it probably is. Search on Google before you take the bait.

Additionally, you should disable autorun on your computer. Autorun is the feature that automatically runs programs from a device as soon as you insert it; disable it even for devices you believe are secure.
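On Windows, autorun is governed by two registry policy values under the Explorer policies key, the same values that the "Turn off Autoplay" Group Policy writes. The script below is an added example for this article, not code from the original author; it audits those values and, if they are not already set to the disabled state, sets them. It assumes an elevated PowerShell session, because the HKLM path is writable only by administrators.

```powershell
# Added example: audit and disable Windows AutoRun via its registry policy values.
# Assumes an elevated (administrator) PowerShell session.

$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutoRunPolicy {
    # Read both policy values; a missing value returns $null, meaning Windows
    # falls back to its default (AutoRun enabled for most drive types).
    $noDriveType = (Get-ItemProperty -Path $PolicyPath -Name 'NoDriveTypeAutoRun' `
                    -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $noAutorun   = (Get-ItemProperty -Path $PolicyPath -Name 'NoAutorun' `
                    -ErrorAction SilentlyContinue).NoAutorun

    [PSCustomObject]@{
        NoDriveTypeAutoRun = $noDriveType
        NoAutorun          = $noAutorun
        # 0xFF sets every drive-type bit (removable, fixed, network, CD-ROM, RAM disk),
        # and NoAutorun = 1 stops autorun.inf from being honoured at all.
        Compliant          = ($noDriveType -eq 0xFF) -and ($noAutorun -eq 1)
    }
}

function Disable-AutoRun {
    # The Policies\Explorer key does not exist on a machine that has never had
    # an Explorer policy applied, so create it before writing values.
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyPath -Name 'NoDriveTypeAutoRun' -Type DWord -Value 0xFF
    Set-ItemProperty -Path $PolicyPath -Name 'NoAutorun'          -Type DWord -Value 1
}

# Audit first; only write to the registry when the machine is not already compliant.
$before = Get-AutoRunPolicy
if (-not $before.Compliant) {
    Write-Host 'AutoRun is not fully disabled; applying policy values.'
    Disable-AutoRun
}
Get-AutoRunPolicy | Format-List
```

Run `Get-AutoRunPolicy` on its own to audit a machine without changing it. Note what this setting does and does not cover: it stops autorun.inf-driven execution from removable media, but a BadUSB-style device of the kind mentioned in the FIN7 case above presents itself as a keyboard rather than a storage drive, so disabling autorun does not stop it. That is why the policy of not plugging in unknown devices at all remains the primary control.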

Do these things, and you will develop a strong security culture!
