What is a baiting attack, and how to prevent it?
October 27, 2021 / Knowledge

We all like discounts, free stuff, and special offers that are too good to refuse. Unfortunately, criminals know that too.

These human traits are exactly what a baiting attack is built on, and that is why it is so easy to fall for a well-set criminal’s bait.

Learn how to recognize the tricks scammers use. Protect yourself (and your employees) from becoming prey in a baiting attack.

What is a baiting attack?

As the name suggests, a baiting attack involves luring a victim into a trap by promising an attractive, hard-to-refuse offer. In other words, baiting can be regarded as a modern version of the ‘Trojan Horse’ or a mousetrap.

To give the most basic example – the victim gets to download a film, e-book, or song for free (“Why pay if I found one for free?”).

Yet, the file contains malware.

Another example – the victim gives away his email and password to participate in an online contest. The prize is worth $1000, so the victim types his credentials into a random website (“The chances of winning are high – I should give it a try”).

However, the contest does not exist; the perpetrators use the harvested credentials to access critical accounts.

How does it work?

Baiting is a type of social engineering. Similar to other attacks, baiting exploits human psychology. The main goal is to retrieve confidential information or access an internal network of an organization.

Every human being has some level of curiosity, fear, and greed influencing his decisions and behavior. That is just how human nature works. And that is what criminals who set up baiting attacks exploit.

Although it is unlikely humans will change their nature anytime soon, we can learn to protect ourselves.

Baiting attacks happen in the physical world too

Baiting attacks are not necessarily limited to the online world.

One of the most common physical baits is a flash drive that contains malicious code. The device, labeled “Confidential”, “HR – 2022 Forecast”, “Salary Info”, or another intriguing name, is “accidentally” left in a common office area.

Google, the University of Illinois Urbana-Champaign, and the University of Michigan conducted a simulation study to see how many people would pick up such a device. USB sticks carrying tracking code (not malicious) were left on the ground at random spots around a parking lot.

The results were eye-opening – roughly every second person plugged the unknown USB stick into their PC, and only 16% bothered to scan the device with antivirus software first.

Rhetorically asking: how many people do you think would plug in a randomly found memory stick in an environment they consider legitimate and trusted, such as their workplace?

How to prevent a successful baiting attack?

The most effective prevention method against a baiting attack is education.

Don’t expect employees to be aware of such scams on their own. Apart from theoretical knowledge – what baiting is and how to recognize it – conduct practical training:

  • teach employees to look skeptically at any too-good offer – if an offer seems too good to be true, it is;
  • create an open and safe environment for questions – encourage employees to ask (if in doubt) before providing any personal information;
  • make sure that each person within the organization uses antivirus and antimalware software on their computer;
  • set up proper network security measures to stop incidents before they happen.

It is also advisable to run a simulation of your own – place some USB devices containing tracking code (not malicious) around the office to evaluate the team’s progress.
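A defender-side complement to the USB simulation and the “network security measures” item above, added here as an example and not part of the original article: a Python script that parses Linux kernel log lines for USB mass-storage attachments and flags any drive whose serial number is not on an allow-list of company-issued devices. The log lines, host name, timestamps and serials are constructed samples, and the allow-list is a hypothetical register of issued drives.

```python
import re
from typing import Dict, List, Set

# Constructed sample of syslog-style Linux kernel lines: a found USB stick (port 1-1),
# a wireless mouse receiver (1-2) and a company-issued encrypted drive (2-3). Host name,
# timestamps and serials are made up; the message shapes are the kernel's real ones.
SAMPLE_LOG = """\
Oct 27 09:12:01 ws-17 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Oct 27 09:12:01 ws-17 kernel: usb 1-1: Product: Cruzer Blade
Oct 27 09:12:01 ws-17 kernel: usb 1-1: SerialNumber: 4C530001234567890123
Oct 27 09:12:01 ws-17 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Oct 27 09:13:44 ws-17 kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
Oct 27 09:13:44 ws-17 kernel: usb 1-2: Product: USB Receiver
Oct 27 10:02:10 ws-17 kernel: usb 2-3: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
Oct 27 10:02:10 ws-17 kernel: usb 2-3: Product: Encrypted Drive
Oct 27 10:02:10 ws-17 kernel: usb 2-3: SerialNumber: CORP-ENCRYPTED-0001
Oct 27 10:02:10 ws-17 kernel: usb-storage 2-3:1.0: USB Mass Storage device detected
"""

NEW_DEVICE = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-fA-F]{4}), idProduct=([0-9a-fA-F]{4})")
ATTRIBUTE = re.compile(r"usb (\S+): (Product|Manufacturer|SerialNumber): (.+)$")
STORAGE = re.compile(r"usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")


def parse_usb_events(log_text: str) -> Dict[str, dict]:
    """Group kernel lines by USB port path (e.g. '1-1') and record each device's identity."""
    devices: Dict[str, dict] = {}
    for line in log_text.splitlines():
        if m := NEW_DEVICE.search(line):
            port, vid, pid = m.groups()
            devices[port] = {"port": port, "vid": vid.lower(), "pid": pid.lower(), "storage": False}
        elif m := ATTRIBUTE.search(line):
            port, key, value = m.groups()
            devices.setdefault(port, {"port": port, "storage": False})[key] = value.strip()
        elif m := STORAGE.search(line):
            # the interface suffix ':1.0' is stripped so the port matches the lines above
            devices.setdefault(m.group(1), {"port": m.group(1)})["storage"] = True
    return devices


def unapproved_storage(log_text: str, approved_serials: Set[str]) -> List[dict]:
    """Mass-storage devices whose serial is missing or not on the issued-device allow-list."""
    return [d for d in parse_usb_events(log_text).values()
            if d["storage"] and d.get("SerialNumber") not in approved_serials]


if __name__ == "__main__":
    for dev in unapproved_storage(SAMPLE_LOG, {"CORP-ENCRYPTED-0001"}):
        print(f"ALERT: unapproved USB storage on port {dev['port']}: "
              f"{dev.get('Product', '?')} serial={dev.get('SerialNumber', 'none')}")
```

Fed with real kernel logs (e.g. from journalctl -k), the same functions tell you which workstations mounted an unknown drive, which is also the metric you want when evaluating an in-house USB simulation.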

Healthy skepticism and awareness are the traits that can prevent a baiting attack from ever happening again. Make use of them.