Social engineering, which refers to the careful manipulation of human behavior, has become the basis for the majority of cyber attacks these days. In fact, according to an article by GCA Cybersecurity Toolkit, 98% of all cyber attacks rely on social engineering.
There are several different types of social engineering attacks wielded by cybercriminals to scam organizations out of money and sensitive data. Baiting attacks are listed amongst the most popular and effective social engineering tactics used all across the world.
What Does Baiting Mean?
Extremely similar to phishing in many ways, baiting is a simple yet effective type of social engineering attack. In baiting attacks, malicious actors exploit a target’s fear, temptation or greed by offering them something enticing to trick them into giving up sensitive personal data such as login credentials. The “bait” used in such attacks can take both digital forms, like free movie downloads on a site, and physical forms, like a flash drive labeled “Employee Bonus List for 2021”.
What’s the Psychology Behind Baiting Attacks?
As mentioned before, baiting attacks rely entirely on manipulating human psychology so that a target is tricked into taking a potentially harmful action. Playing on the greed or curiosity of the victim, these attacks usually aim to steal the sensitive information required to infiltrate a company’s network.
How is Baiting Done?
Baiting attacks prey on human emotions and weaknesses like fear, curiosity, anxiety, trust, and greed. Whether carried out in the online world or the physical world, both of its forms can prove to be highly damaging to individuals and organizations alike. Let’s talk about the two most common baiting techniques used by cybercriminals globally.
Baiting Attacks Through Physical Devices
In numerous cases, baiting attacks use physical devices like USB drives or CDs to disperse malware. In such attacks, cybercriminals leave malware-laden USB drives or other infected physical media in public areas like the reception, restrooms, desks, or corridors of the targeted organization.
The planted devices are often branded with personalized stickers or corporate logos to give them a trustworthy appearance. More often than not, one or more curious employees pick up the infected device and plug it into their system, ensuring the success of the attack.
Malicious actors usually fill the planted devices with files and folders named carefully in a way that makes the victims want to open them. These files can be named something suggestive or enticing like “Salary Information – CONFIDENTIAL”, tempting employees to sneak a peek. Once a malicious file is opened on an employee’s system, the malware it carries can spread laterally through the internal network, leading to devastating data breaches and cyber attacks.
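The telltale sign of the physical baiting described above is a program starting from a freshly mounted USB volume, often disguised as a document. The following detection logic is an added example, not code from the original article: it correlates constructed volume-mount and process-creation events (the JSON field names are this example’s own, not any vendor’s schema) and flags executables launched from, or spawned by a program on, a USB-mounted drive.

```python
import json
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample telemetry (not real logs). Host WS-17 mounts a USB volume as E:
# and a user opens a "document" from it; host WS-02 has an E: drive too, but no USB
# mount was recorded there, so activity on it is not attributed to removable media.
SAMPLE_EVENTS = [
    '{"ts":"2021-06-01T09:12:03Z","type":"volume_mount","host":"WS-17","drive":"E:","bus":"usb","label":"BONUS_2021"}',
    '{"ts":"2021-06-01T09:12:40Z","type":"process_create","host":"WS-17","user":"alice","image":"C:\\\\Windows\\\\explorer.exe","parent":"C:\\\\Windows\\\\System32\\\\userinit.exe"}',
    '{"ts":"2021-06-01T09:13:02Z","type":"process_create","host":"WS-17","user":"alice","image":"E:\\\\Salary Information - CONFIDENTIAL.pdf.exe","parent":"C:\\\\Windows\\\\explorer.exe"}',
    '{"ts":"2021-06-01T09:13:05Z","type":"process_create","host":"WS-17","user":"alice","image":"C:\\\\Windows\\\\System32\\\\cmd.exe","parent":"E:\\\\Salary Information - CONFIDENTIAL.pdf.exe"}',
    '{"ts":"2021-06-01T09:20:00Z","type":"process_create","host":"WS-02","user":"bob","image":"E:\\\\tools\\\\putty.exe","parent":"C:\\\\Windows\\\\explorer.exe"}',
]

# A document-looking name ending in an executable extension is a classic bait lure.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.(exe|scr|bat|cmd|js|vbs|lnk)$", re.IGNORECASE)


def _drive(path: str) -> str:
    """Return the drive letter prefix ('E:') of a Windows path, or '' if absent."""
    return path[:2].upper() if len(path) >= 2 and path[1] == ":" else ""


def find_removable_execution(lines: Iterable[str]) -> List[Dict]:
    """Scan JSON event lines in order; return alerts for execution tied to USB volumes."""
    removable: Set[Tuple[str, str]] = set()  # (host, drive) pairs mounted over USB
    alerts: List[Dict] = []
    for line in lines:
        ev = json.loads(line)
        if ev["type"] == "volume_mount" and ev.get("bus") == "usb":
            removable.add((ev["host"], ev["drive"].upper()))
            continue
        if ev["type"] != "process_create":
            continue
        image, parent = ev["image"], ev.get("parent", "")
        on_usb = (ev["host"], _drive(image)) in removable
        parent_on_usb = (ev["host"], _drive(parent)) in removable
        if not (on_usb or parent_on_usb):
            continue
        reasons = []
        if on_usb:
            reasons.append("process image lives on a USB-mounted volume")
        if parent_on_usb:
            reasons.append("parent process was launched from a USB-mounted volume")
        if DOUBLE_EXT.search(image):
            reasons.append("double extension disguises an executable as a document")
        alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                       "image": image, "reasons": reasons})
    return alerts
```

Because mounts are tracked per host, the same drive letter on a machine with no recorded USB mount does not raise an alert, which keeps network or fixed drives from producing noise.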
Baiting Attacks Through Digital Form
Just like with physical devices, cybercriminals can also use a digital form of the “bait” to launch baiting attacks. The central idea remains the same: preying on the curiosity, trust, and greed of the victims. For instance, cybercriminals can create a malicious site that features an enticing download link promising all the latest releases for ‘FREE’.
Now, who wouldn’t be tempted by an opportunity like that?
Many users often click on these kinds of malicious links, endangering their own security and their company.
Real-Life Examples of Baiting
In 2018, KrebsOnSecurity reported that many U.S. state and local government agencies received strange letters via snail mail that included malware-infected compact discs (CDs) seemingly sent from China. There’s no evidence that anyone at the targeted agencies was successfully tricked into actually inserting the CD into a government computer.
An article from The Register mentioned a study conducted by researchers from Google, the University of Michigan, and the University of Illinois Urbana-Champaign. In this study, researchers spread 297 USB drives all across the Urbana-Champaign campus. 48% of the planted drives were picked up and plugged into a computer. In addition, only 16% of the users bothered to scan these drives with antivirus software before opening the files.
What to do When Someone is Baiting You?
The majority of cybercriminals hold expertise in playing with human emotions. Whenever you receive an email that creates feelings of urgency, fear, greed, temptation, or curiosity, just stop. Think carefully before taking any action. Awareness and vigilance are the only defense against baiting attacks and other forms of social engineering.
Whether you come across a too-good-to-be-true pop-up advertisement or notice a flashy new USB drive just sitting there on your desk, think twice before doing anything that could have adverse consequences. Also, keep your system’s antimalware and antivirus software updated at all times so that cyber threats are flagged immediately.
How to Help Your Employees Avoid Baiting Attacks?
The most effective way of protecting your employees and your organization against baiting attacks is to provide all employees with security awareness training. Through this training, you can educate and inform your employees about the prevalent and emerging cyber risks out there. They can learn to detect social engineering attempts and the best way of addressing them.
With a good cyber attack simulator and security awareness training tool like TSAT, you can provide your employees with hands-on experience in dealing with a variety of cyber attacks. Once your employees understand the risks of opening unsolicited attachments and links, they will always be vigilant and suspicious of baiting. In addition to making them cyber aware, enforcing a security awareness training program can also help in boosting your workplace’s cyber hygiene.
So, now that you know how cybercriminals can manipulate your employees into causing a data breach, maybe it’s time to take every measure you can to prevent that from happening. Your organization’s security rests on the shoulders of each and every employee. You should do your best to prepare them for such a huge responsibility.