Social engineering methods are implicated in a staggering 50 to 90 percent of all cybersecurity incidents – highlighting its predominant role in the landscape of digital threats. In this article, we are looking at a technique referred to as baiting. By the end, you’ll know what baiting attacks are and how you can defend yourself against them.
What Are Baiting Attacks?
Baiting cyber attacks quite literally use bait to lure a victim into a trap. Hackers do this in an attempt to steal your login credentials, distribute malware, or achieve some other nefarious goal.
Just like all other social engineering techniques, baiting relies on psychological manipulation. More specifically, it exploits human curiosity by making false promises.
Cybercriminals are fond of baiting attacks because they don’t require the same advanced technical skills to pull off as, for example, zero-day attacks, which exploit unpatched software vulnerabilities.
Need IT services for your small business? Discover what industries Teal serves.
Examples of Baiting Attacks
To better illustrate what baiting attacks are and how they are used to gain access to protected resources and otherwise breach organizations’ defenses, let’s take a look at several real-world examples that show the broad spectrum of baits you may encounter.
Tempting Offers
We all love getting stuff for free, and cybercriminals know it. That’s why many successful baiting attacks start with emails offering everything from free downloadable content to discount coupons to free iPhones.
Typically, the victim is asked to enter their personal information or create a user account to claim the free offer. The attacker then uses the collected information to execute targeted phishing attacks or access other user accounts.
Online Downloads
There are many websites that offer paid music, movies, games, and software for free. Not only are such websites illegal, but they often exist solely to distribute malware.
Some strains of malware allow cybercriminals to remotely control malware-infected devices. They can then use them to perform distributed denial-of-service attacks (DDoS attacks). While others might encrypt stored data and demand a ransom for its decryption.
Malware-infected Devices
Baiting attacks sometimes involve malware-infected physical media, such as USB flash drives and external hard drives.
Cybercriminals can deliver these little Trojan horses in person, leave them in common areas, or send them via snail mail. When a victim connects the infected device to their computer, the machine immediately becomes infected. This allows the malware to spread to other network-connected computers.
Baiting Attack in Action
As you can see, baiting attacks can trick users in a variety of different ways. There are many documented cyber incidents in which baiting played a central role.
One particularly alarming baiting attack happened in 2018. It involved malware-infected CDs sent from China to several U.S. state and local government agencies. The CDs contained Mandarin language Microsoft Word (.doc) files with malicious Visual Basic scripts.
Fortunately, all recipients were cautious enough to avoid taking the bait. But not all baits are as obvious as CDs sent from China. So, it’s important for organizations to take this cyber threat seriously. This starts by giving their staff the info they need to avoid these types of attacks.Â
Baiting vs Phishing
Both baiting and phishing are social engineering techniques. The difference between them is this:
- Baiting primarily exploits human curiosity.
- Phishing attacks rely largely on trust, fear, and a sense of urgency.
A cybercriminal tasked with obtaining an employee’s login information using baiting might start by creating a fake lottery website. Then, they’d ask the employee to sign in to claim their price.
A phisher, on the other hand, might pretend to be employed as the organization’s IT support specialist. Then, they’d ask the victim to reset their password for security reasons – providing them with a link to a fake password reset page.
Baiting vs Quid Pro Quo Attacks
A quid pro quo attack, sometimes referred to as a something-for-something attack, involves an attacker pretending to be, for example, a support service provider.
The victim is asked to provide access to their computer, mobile device, or network to fix some kind of a technical issue. Of course, there’s no issue to fix, and the attacker uses the obtained access for malicious purposes.
How to Avoid Baiting Attacks
When baiting attacks succeed, they do so because of weak security protocols and/or insufficient cybersecurity awareness.
The good news is that organizations of all sizes can easily implement multiple security practices to significantly decrease the chance of employees taking the bait and revealing sensitive information.
These are the practices you should know:
Employee Education
Employees that don’t expect to find themselves on the receiving end of a baiting attack are much more likely to fall for it than those who understand what baiting attacks are and how they work. Employees need to understand that offers that sound too good to be true are usually just that, so they must be avoided and reported.
To be as effective as possible, cybersecurity awareness training sessions should be performed on a regular basis and include plenty of real-world examples that leave no doubt that baiting attacks are not fictitious threats.
Baiting Simulations
It’s easy for employees who are busy with their day-to-day work responsibilities to break security practices and put the entire organization at risk. To accurately assess their level of cybersecurity awareness and remind them of the threats they face, it’s a good idea to occasionally run baiting simulations.
When researchers from Google, the University of Michigan, and the University of Illinois Urbana-Champaign did just that in 2016 by spreading 297 USB flash drives all across the Urbana-Champaign campus, they discovered that almost half of the drives were picked up and installed into a computer.
Security Tools
Even though baiting attacks target the weakest link in the cybersecurity chain—people—the right security tools can make it much easier for organizations to protect their employees against them.
A reliable antivirus software solution can stock baiting attacks that distribute malware-infected files, and features like Microsoft’s Safe Links or Safe Attachments, which are part of Microsoft Defender for Office 365, provide an additional layer of protection for email attachments and outbound links.
If your organization regularly struggles with finding the money or expertise you need to maintain an effective cybersecurity program, you may want to consider partnering with a sophisticated managed IT service provider who can provide you with affordable, enterprise-level security.Â
Prevent Baiting Attacks with Education 
Baiting in cybersecurity is a severe threat that uses psychological manipulation to circumvent security defenses. As with other social engineering attacks, the success rate of baiting attacks drops when organizations conduct regular cybersecurity awareness training sessions.   
Prevent damage from baiting attacks by teaching employees how to detect and respond to them with an engaging cybersecurity awareness training program.
Create an Engaging Cybersecurity Awareness Training Program 
This comprehensive guide will show you the best ways to make your cybersecurity awareness training program engaging and successful. It covers:
- The top reasons why your small business needs to have a cybersecurity awareness training program. 
- What you need to know about cybersecurity awareness training programs. 
- The importance of engagement in cybersecurity awareness training. 
- 6 ways to make your cybersecurity awareness training more engaging. 
- and more!
Learn how to implement an engaging and successful cybersecurity awareness training program.
