Social engineering is responsible for anywhere from approximately 50 to 90 percent of all cybersecurity incidents, depending on which research report you read.
By definition, social engineering attacks use psychological manipulation to trick users into doing something that’s against their best interest, and they rely on a growing range of techniques.
In this article, we focus on a social engineering attack technique referred to as baiting, explaining what baiting attacks are and providing practical advice to help you defend yourself against them.
Baiting attacks are social engineering attacks that use bait to lure a victim into a trap in order to steal login credentials, distribute malware, or achieve some other nefarious goal.
Just like all other social engineering techniques, baiting relies on psychological manipulation. More specifically, it exploits human curiosity by making false promises.
Cybercriminals are fond of baiting attacks because they don’t require the same advanced technical skills to pull off as, for example, zero-day attacks, which exploit unpatched software vulnerabilities.
To better illustrate what baiting attacks are and how they are used to gain access to protected resources and otherwise breach organizations’ defenses, let’s take a look at several real-world examples that show the broad spectrum of baits you may encounter.
- Tempting offers: We all love getting stuff for free, and cybercriminals know it. That’s why many successful baiting attacks start with emails offering everything from free downloadable content to discount coupons to free iPhones. Typically, the victim is asked to enter their personal information or create a user account to claim the free offer. The attacker then uses the collected information to execute targeted phishing attacks or access other user accounts.
- Online downloads: There are many websites that offer paid music, movies, games, and software for free. Not only are such websites illegal, but they often exist solely to distribute malware. Some strains of malware allow cybercriminals to remotely control malware-infected devices and use them to perform distributed denial-of-service attacks (DDoS attacks), while others can, for example, encrypt stored data and demand a ransom for its decryption.
- Malware-infected devices: Baiting attacks sometimes involve malware-infected physical media, such as USB flash drives and external hard drives. Cybercriminals can deliver these little Trojan horses in person, leave them in common areas, or send them via snail mail. When a victim connects the infected device to their computer, the machine immediately becomes infected, and the malware can then spread to other network-connected computers.
As you can see, baiting attacks can trick users in a variety of different ways, and there are many documented cyber incidents in which baiting played a central role.
One particularly alarming baiting attack happened in 2018, and it involved malware-infected CDs sent from China to several U.S. state and local government agencies. The CDs contained Mandarin language Microsoft Word (.doc) files with malicious Visual Basic scripts.
Fortunately, all recipients were cautious enough to avoid taking the bait, but not all baits are as obvious as CDs sent from China, so it’s important for organizations to take this cyber threat seriously and equip their employees with the knowledge they need to avoid them.
Both baiting and phishing are social engineering techniques. The difference between them is that baiting primarily exploits human curiosity, whereas phishing attacks rely largely on trust, fear, and a sense of urgency.
A cybercriminal tasked with obtaining an employee’s login information using baiting might create a fake lottery website and ask the employee to sign in to claim their prize.
A phisher, on the other hand, might pretend to be employed as the organization’s IT support specialist and ask the victim to reset their password for security reasons, providing them with a link to a fake password reset page.
A quid pro quo attack, sometimes referred to as a something-for-something attack, involves an attacker pretending to be, for example, a support service provider.
The victim is asked to provide access to their computer, mobile device, or network to fix some kind of a technical issue. Of course, there’s no issue to fix, and the attacker uses the obtained access for malicious purposes.
When baiting attacks succeed, they succeed because of weak security protocols and/or insufficient cybersecurity awareness.
The good news is that organizations of all sizes can easily implement multiple security practices to significantly decrease the chance of employees taking the bait and revealing sensitive information. Here are those you should know about:
Employees that don’t expect to find themselves on the receiving end of a baiting attack are much more likely to fall for it than those who understand what baiting attacks are and how they work. Employees need to understand that offers that sound too good to be true are usually just that, so they must be avoided and reported.
To be as effective as possible, cybersecurity awareness training sessions should be performed on a regular basis and include plenty of real-world examples that leave no doubt that baiting attacks are not fictitious threats.
It’s easy for employees who are busy with their day-to-day work responsibilities to break security practices and put the entire organization at risk. To accurately assess their level of cybersecurity awareness and remind them of the threats they face, it’s a good idea to occasionally run baiting simulations.
When researchers from Google, the University of Michigan, and the University of Illinois Urbana-Champaign did just that in 2016 by spreading 297 USB flash drives all across the Urbana-Champaign campus, they discovered that almost half of the drives were picked up and installed into a computer.
Even though baiting attacks target the weakest link in the cybersecurity chain—people—the right security tools can make it much easier for organizations to protect their employees against them.
A reliable antivirus software solution can stop baiting attacks that distribute malware-infected files, and features like Microsoft’s Safe Links or Safe Attachments, which are part of Microsoft Defender for Office 365, provide an additional layer of protection for email attachments and links.
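One concrete security control that addresses the USB-drop bait described earlier is Windows’ Removable Storage Access policy, which can block reading from, writing to, or running programs from removable disks. The script below is an added example, not code from the original article or from Microsoft; the function and parameter names are this example’s own, while the registry path, device class GUID, and value names are the documented locations that Group Policy itself writes. It assumes an elevated PowerShell session on a Windows endpoint.

```powershell
# Added example: enforce a removable-disk policy on a Windows endpoint, the same
# setting Group Policy applies under Computer Configuration > Administrative
# Templates > System > Removable Storage Access. Run from an elevated session.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device setup class GUID for "Removable Disks" (USB flash drives, external HDDs)
$RemovableDisks = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-RemovableDiskPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Deny     : block read, write and execute on removable disks
        # ReadOnly : allow reading, block writing and running programs from the drive
        # Allow    : remove the policy values and restore default behaviour
        [Parameter(Mandatory)]
        [ValidateSet('Deny', 'ReadOnly', 'Allow')]
        [string]$Mode
    )
    $key = Join-Path $PolicyRoot $RemovableDisks
    if ($Mode -eq 'Allow') {
        if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
        return
    }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # [int]$true is 1 in PowerShell, so Deny_Read is set only for full Deny mode
    $values = @{
        Deny_Read    = [int]($Mode -eq 'Deny')
        Deny_Write   = 1
        Deny_Execute = 1
    }
    foreach ($name in $values.Keys) {
        if ($PSCmdlet.ShouldProcess("$key\$name", "Set to $($values[$name])")) {
            New-ItemProperty -Path $key -Name $name -Value $values[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Get-RemovableDiskPolicy {
    # Reports the current deny flags, or 'not configured' if the policy key is absent
    $key = Join-Path $PolicyRoot $RemovableDisks
    if (-not (Test-Path $key)) { return 'not configured' }
    Get-ItemProperty -Path $key | Select-Object Deny_Read, Deny_Write, Deny_Execute
}

# Usage: Set-RemovableDiskPolicy -Mode ReadOnly -WhatIf   # preview the changes
#        Set-RemovableDiskPolicy -Mode ReadOnly           # apply them
#        Get-RemovableDiskPolicy                          # verify
```

The policy applies to devices connected after the change; run `gpupdate /force` or reconnect the device to confirm enforcement. Note that ReadOnly mode still lets a user open a document from the drive, so it complements, rather than replaces, the antivirus and attachment scanning mentioned above.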
Baiting in cybersecurity is a serious threat that uses psychological manipulation to circumvent security defenses. Just like with all other social engineering attacks, the success rate of baiting attacks goes down dramatically when organizations conduct regular cybersecurity awareness training sessions to teach employees how to detect and respond to them.