What is Baiting in Cybersecurity? Techniques, Examples, and Preventive Measures

Social engineering is one of the most common attack vectors in today's threat landscape, and baiting is among its most frequently used forms. If you have ever had an email address, you have almost certainly received a message announcing a cash prize or reward for a contest you never entered. These messages promise the latest smartphone or a heavy discount on popular software and come with a link where you can enter your details to claim the prize, only for the link to install malware or harvest whatever information you type in.

This is called baiting, and it’s a type of cyber threat that can be difficult to spot unless you know what to look for. In this article, EasyDMARC covers what baiting in cybersecurity looks like, how to detect it, and how you can stop it before it causes damage. 

What is Baiting in Cybersecurity?

What sets baiting apart from other types of social engineering is the lure: it promises an item, commodity, or reward to attract victims, then uses that interest to infect their systems with malware or steal sensitive information.

The technique relies on manipulation, usually a tempting offer designed to prompt a quick click before the victim has time to consider what the message is or where it came from.

Baiting predates computers, but today it lives largely in the digital realm. The most common route is email, where baiting is so prevalent that a typical spam folder is full of such messages. The best-known early example is the Nigerian Prince scam, an advance-fee fraud that offered a share of a fortune in exchange for bank account details and up-front "processing" payments. FBI estimates put the total losses from this family of scams in the billions of dollars.

Besides email, one of the most common delivery methods is removable storage such as flash drives. Attackers leave these devices in a public space where a curious passerby will pick them up. Once the drive is plugged in and its contents opened, the payload on it goes to work, extracting sensitive data and sending it to the attacker. In a controlled experiment, researchers from the University of Michigan, the University of Illinois, and Google dropped drives around a campus and estimated that between 45% and 98% of them were picked up and plugged in.

Baiting Attack Techniques

Baiting feeds on human curiosity, and cybercriminals usually entice their victims in two major ways: tempting offers and alluring ‘discarded’ devices.

Tempting Offers

Cybercriminals have a lot of success using tempting offers to lure victims into clicking malicious links. They deliver these offers via ads, social media, email, or free downloadable content. Some are obvious to anyone who grew up online, but that is by design: scammers want to target people who are less discerning because they are "easy marks". Most of these offers are caught by email providers, but the ones that get through can be hard to identify, even for users who know what to look for.

Malware-Infected Devices

Another way cybercriminals execute a baiting attack is through malware-laden USB devices and flash drives. The usual play is this: leave a device in the open, such as the company lobby, a cafe, or a reception desk. A passerby spots the device and, wanting to know what is on it, plugs it into their personal or work computer. Modern operating systems no longer run software from a removable drive automatically, so the payload typically waits for the finder to open an enticingly named document or shortcut on the drive, or the "drive" is really a device that presents itself as a keyboard and types commands the moment it is connected. Either way, the compromise can be limited to one personal computer or spread across an entire corporate network, depending on who picks up the drive.
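A defender's counterpart to the drop attack above is to notice when an unapproved storage device is attached at all. The following is an added example, not code from EasyDMARC or from the page: it parses the kernel messages Linux logs when a USB device enumerates, correlates the lines belonging to one port, and flags any mass-storage device whose vendor:product pair is not on an allowlist. The log lines are constructed to mimic real dmesg/journal output, and the allowlist is hypothetical.

```python
"""Flag unapproved USB mass-storage attach events in Linux kernel log lines.

Added example (not EasyDMARC code). SAMPLE_LOG is constructed to look like
journalctl -k output; ALLOWED_STORAGE is a hypothetical corporate allowlist.
"""
import re
from dataclasses import dataclass

# Constructed sample: a corporate SanDisk drive, a wireless mouse receiver,
# and an unknown flash drive, each enumerating on its own port.
SAMPLE_LOG = """\
Mar 04 09:12:01 ws-17 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Mar 04 09:12:01 ws-17 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Mar 04 09:12:01 ws-17 kernel: usb 1-1: Product: Ultra Fit
Mar 04 09:12:01 ws-17 kernel: usb 1-1: Manufacturer: SanDisk
Mar 04 09:12:01 ws-17 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Mar 04 09:12:02 ws-17 kernel: scsi host6: usb-storage 1-1:1.0
Mar 04 09:40:55 ws-17 kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.11
Mar 04 09:40:55 ws-17 kernel: usb 1-2: Product: USB Receiver
Mar 04 09:40:55 ws-17 kernel: input: Logitech USB Receiver as /devices/virtual/input/input12
Mar 04 10:05:13 ws-17 kernel: usb 1-3: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
Mar 04 10:05:13 ws-17 kernel: usb 1-3: Product: Unknown
Mar 04 10:05:13 ws-17 kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist of company-issued drives as (idVendor, idProduct).
ALLOWED_STORAGE = {("0781", "5583")}

NEW_DEV = re.compile(
    r"kernel: usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT = re.compile(r"kernel: usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
STORAGE = re.compile(
    r"kernel: usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


@dataclass
class UsbEvent:
    port: str
    vid: str
    pid: str
    product: str = ""
    is_storage: bool = False


def parse_usb_events(log_text):
    """Correlate per-port kernel lines into one UsbEvent per attached device.

    A new 'New USB device found' line on an already-seen port replaces the
    earlier device, which is what happens when a port is reused.
    """
    events = {}
    for line in log_text.splitlines():
        m = NEW_DEV.search(line)
        if m:
            events[m["port"]] = UsbEvent(m["port"], m["vid"], m["pid"])
            continue
        m = PRODUCT.search(line)
        if m and m["port"] in events:
            events[m["port"]].product = m["name"].strip()
            continue
        m = STORAGE.search(line)
        if m and m["port"] in events:
            events[m["port"]].is_storage = True
    return list(events.values())


def unapproved_storage(events, allowlist=ALLOWED_STORAGE):
    """Return mass-storage devices whose vendor:product pair is not allowlisted."""
    return [e for e in events if e.is_storage and (e.vid, e.pid) not in allowlist]


if __name__ == "__main__":
    for e in unapproved_storage(parse_usb_events(SAMPLE_LOG)):
        print(f"ALERT: unapproved USB storage on port {e.port}: "
              f"{e.vid}:{e.pid} {e.product!r}")
```

Keyboards and mice (the receiver on port 1-2) are deliberately not flagged, since the point is removable storage; a device that claims to be a keyboard is the separate BadUSB case mentioned above and needs a device-class policy rather than a storage allowlist.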

Why is Baiting Effective?

Baiting is effective because it exploits two basic human drives: the urge to understand the unknown and the desire to get something you could not otherwise afford. People get excited about free items, discounts, and special offers, even when they are too good to be true, and that is exactly what makes baiting in cybersecurity work.

While this can be devastating for individuals (the targets of online baiting are often elderly people living off savings or a pension), an employee who is tricked by a baiting attack can cause serious problems for the entire organization. Typical organizational best practice stresses not clicking links in emails from unknown senders for this very reason.

Baiting Attack Examples

The single best way to prevent a baiting attack is to know what one looks like. You may get an email or a text from an unknown source claiming you have won a lottery, and all you need to do is send back some personal information. This could be as simple as your phone number or address, or something more sensitive, such as your bank account number or Social Security number.

Note that the kind of information requested has no bearing on whether a message is a baiting attack. Attackers harvest pieces of your personal information from multiple sources until they have enough to steal your identity or get into your accounts. Something as harmless as your first pet's name or the make and model of your car can be used to answer security questions.

In a more modern variant, an attacker contacts the victim about a missed package delivery and asks them to confirm their address. The delivery story is a pretext for learning where you live. The attacker then visits your home and hangs a missed-delivery tag on your door with a local phone number. Once the victim calls that number, the attacker has another channel for collecting information, all without the victim suspecting anything.

The single best piece of advice for detecting baiting and phishing attempts is to be extremely suspicious of any message, text, email, call, or offer from a sender you do not recognize. This is especially true of email: check the sender's actual address, not just the display name, to verify they are who they claim to be.

How to Spot and Stop Baiting

Healthy skepticism and a little mindfulness go a long way toward stopping baiting attacks. Some tips:

  • Treat any unsolicited offer with skepticism, especially one that asks you to act quickly
  • Use antivirus and anti-malware software and keep it updated
  • Don't plug in external devices you did not issue or receive from a trusted source
  • Set up proper network security measures, including restricting removable media on endpoints

Four Tips to Avoid Baiting in Cybersecurity

Besides being aware of what to look for in emails and messages and implementing security measures, businesses and individuals can take practical steps to avoid being baited. 

Stay Alert

Be wary of communication that demands quick action. Attackers try to instill a sense of urgency to manipulate you, just like fire sales or limited-time offers in normal commerce. Slow down and think before you react or take any action.

Raise Cyberawareness Among Your Employees

The best way to guard your company against baiting attacks is to educate yourself and your employees about social engineering and baiting tactics. Seminars, training, and workshops can teach employees and upper management:

  • How to tell a legitimate warning message or alert from a deceptive email, and how to report the latter.
  • How to avoid sending emails that demand quick action. Requests like these should be confined to internal channels with no exposure to outside senders, such as Slack or MS Teams, so that an urgent request arriving by email stands out as suspect.
  • How to maintain good password hygiene: a strong, unique password for each account, backed by multi-factor authentication wherever it is available.

When you receive a message that includes a link, ask yourself whether you know for certain where the message came from. If there is any doubt, don't click. If you are expecting a message with a link but something about it looks wrong, EasyDMARC's free phishing link checker can show you where the link actually leads.
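To make "where the link actually leads" concrete, here is an added example (not EasyDMARC's link checker, and not code from the page) that audits the anchors in an HTML email body for the tricks baiting messages rely on: link text that shows one domain while the href goes to another, a username-before-@ prefix that makes the address look like the real domain, a raw IP address as the host, and a punycode (xn--) hostname. The message and all domains below are constructed for illustration.

```python
"""Flag deceptive links in an HTML email body.

Added example, not EasyDMARC's tooling. SAMPLE_HTML is a constructed bait
message; every domain in it is an example, including the punycode one.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress

SAMPLE_HTML = """\
<p>Congratulations! You have won a new phone.</p>
<p>Claim it at <a href="http://login.example-prize.net/claim">https://www.example-bank.com/rewards</a></p>
<p>Or visit <a href="https://www.example-bank.com@203.0.113.9/login">our secure portal</a></p>
<p>Terms: <a href="https://www.example-bank.com/terms">www.example-bank.com/terms</a></p>
<p>Mirror: <a href="https://xn--exmple-bank-ycb.com/claim">example-bank.com</a></p>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(text):
    """Lowercased hostname of a URL or bare 'host/path' string, or None."""
    candidate = text if "://" in text else "http://" + text
    try:
        host = urlsplit(candidate).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def _looks_like_url(text):
    """True when the anchor text itself reads as a URL or domain."""
    return "://" in text or ("." in text.split("/")[0] and " " not in text)


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_links(html):
    """Return (href, anchor_text, [reasons]) for each link that looks deceptive."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        if parts.username is not None:
            reasons.append("userinfo before host (looks like %s but goes to %s)"
                           % (parts.username, host))
        if host and _is_ip(host):
            reasons.append("raw IP address as host")
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode (IDN) hostname")
        if _looks_like_url(text):
            shown = _host_of(text)
            if shown and shown != host:
                reasons.append("visible text says %s but href goes to %s" % (shown, host))
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in audit_links(SAMPLE_HTML):
        print(href, "->", "; ".join(reasons))
```

The terms link is the control: its visible text and href agree, so it is not reported. Running this over a mail stream is a useful first-pass filter, but a link that passes every check can still lead to a freshly registered domain, which is why sender verification and user awareness remain necessary.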

Organize Simulated Attacks

Organizations should run simulated baiting and phishing attacks to gauge their employees' level of awareness. One approach is to drop flash drives in an open area where employees will find them and see who plugs them in. Use drives that carry only a harmless tracking file (for example, a document that records when and where it was opened) rather than anything that could actually harm a machine, and clear the exercise with HR and legal beforehand.

In addition, organizations can send realistic simulated phishing emails to teach employees what to do when they encounter the real thing.

Use Antivirus Software

Installing anti-malware and antivirus software and keeping it up to date is essential. From a business perspective, if malware spreads through your network and exposes client data or sends unsolicited email to your contacts, your company's reputation may be irreparably damaged. Prevention is far cheaper than cleanup, so endpoint protection should be the baseline.

Education is the Best Defense Against Baiting and Phishing

Mass baiting is a numbers game: attackers rely on volume, knowing that only a small fraction of recipients will respond, while a targeted drop of a single drive in the right lobby needs only one curious employee. Most companies know they should educate their employees, and most individuals are protected by a combination of experience and software automation. Nonetheless, because baiting and phishing remain serious threats (and because they evolve), make sure you are running anti-malware software, continuing educational sessions, and keeping your domain's email authentication and your systems up to date.

EasyDMARC is a security-first solution that helps you implement effective countermeasures at the domain level. In addition to free security and checking tools, our platform can help you keep your email secure, operational, and compliant with the latest security standards. If you're unsure of your preparedness against ever-evolving email security threats, schedule a free demo today.

Cyberthreats go where the money is. As e-commerce continues to grow, be sure that your organization is protected. 

Frequently Asked Questions

Who is most likely to fall victim to baiting?

People who are curious, impulsive, or not trained in cybersecurity awareness are most likely to fall victim to baiting attacks. Baiting relies on human curiosity or desire for something appealing, like free software, music, or a “found” USB drive. An employee who finds a flash drive and plugs it into their computer out of curiosity is an example of a typical baiting victim.

Other common traits of likely baiting victims include:

  • Lack of cybersecurity training or awareness
  • Trusting or naïve attitude toward free or unexpected offers
  • High stress or distraction levels, which make them more likely to act quickly without thinking

Baiting can target anyone, but attackers often focus on office environments or public places where people may let their guard down.

What should I do if I suspect a baiting attempt?

If you suspect a baiting attempt, the most important step is not to engage with the bait. Here's what to do:

  • Do not plug in or open the item if it's physical, like a USB drive. If it's digital, such as a suspicious email attachment, free download, or pop-up, don't click or interact with it.
  • Report it immediately to your IT or security team. This allows them to investigate and take precautions to protect the network.
  • Isolate the item if possible. For example, set the USB drive aside in a safe place for the security team. If it's a file you already downloaded but haven't opened, don't open it or try to delete it. Report it first.
  • Avoid alerting others informally, as some may try to investigate out of curiosity.
  • Follow company protocol for potential security threats. Many organizations have policies in place for handling such incidents.

How can I protect my organization from baiting attacks?

To protect your organization from baiting attacks, train employees not to plug in unknown devices or download suspicious files. Enforce strict device policies (ideally blocking unapproved removable storage at the endpoint), use endpoint protection, and run regular cybersecurity training and phishing simulations.
EasyDMARC helps reduce baiting risk by keeping spoofed email out of your team's inboxes. With SPF, DKIM, and DMARC enforced, only authorized sources can send email that claims to come from your domain, which closes off one of the most common baiting routes. Be clear about what this does and does not cover: DMARC protects your own domain from being impersonated. A bait message sent from an attacker's own or lookalike domain is not rejected by your DMARC policy and must still be caught by spam filtering and by alert users.
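To show what "enforced" means in practice, here is an added example (not EasyDMARC's product code) that parses SPF and DMARC TXT records, grades them for the weak settings that leave a domain spoofable (p=none, a partial pct, a missing rua address, a ~all/?all/+all SPF qualifier), and checks whether a given From: domain is covered by any DMARC policy at all. The records are constructed in-line rather than fetched from DNS, and the three domains, including the lookalike example-c0rp.com, are examples only.

```python
"""Parse and grade SPF/DMARC TXT records; show what DMARC does not cover.

Added example, not EasyDMARC's tooling. TXT_RECORDS stands in for DNS
answers; all domains are constructed examples.
"""
import re

# Constructed TXT records keyed by the DNS name they would be published at.
TXT_RECORDS = {
    "example-corp.com": ["v=spf1 include:_spf.example-mail.net -all"],
    "_dmarc.example-corp.com": [
        "v=DMARC1; p=reject; sp=reject; pct=100; "
        "rua=mailto:dmarc@example-corp.com; adkim=s; aspf=s"],
    "example-weak.com": ["v=spf1 a mx ?all"],
    "_dmarc.example-weak.com": ["v=DMARC1; p=none; pct=50; rua=mailto:rep@example-weak.com"],
    # Attacker-registered lookalike: it has no DMARC record of its own.
    "example-c0rp.com": ["v=spf1 +all"],
}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a dict of lowercase tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(record):
    """Return a list of weaknesses; an empty list means the policy is enforcing."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "none")
    if policy == "none":
        issues.append("p=none: spoofed mail is only reported, never rejected")
    elif policy == "quarantine":
        issues.append("p=quarantine: spoofed mail lands in spam rather than being rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if tags.get("sp", policy) == "none":
        issues.append("subdomains fall back to p=none")
    if "rua" not in tags:
        issues.append("no rua= address: you will not see who is spoofing you")
    return issues


def grade_spf(record):
    """Flag SPF 'all' qualifiers that let unlisted senders pass."""
    match = re.search(r"(?:^|\s)([-~+?]?)all(?:\s|$)", record)
    if not match:
        return ["no 'all' mechanism: unlisted senders are not rejected"]
    qualifier = match.group(1) or "+"
    return {
        "-": [],
        "~": ["~all: softfail only"],
        "?": ["?all: neutral, equivalent to no SPF"],
        "+": ["+all: every host on the internet is authorised"],
    }[qualifier]


def dmarc_covers(from_domain, records=TXT_RECORDS):
    """Whether mail claiming this From: domain is subject to any DMARC policy."""
    recs = records.get("_dmarc." + from_domain, [])
    return any(parse_dmarc(r).get("v") == "DMARC1" for r in recs)


def audit(domain, records=TXT_RECORDS):
    """Grade a domain's SPF and DMARC posture from its TXT records."""
    spf = records.get(domain, [""])[0]
    dmarc = records.get("_dmarc." + domain, [])
    return {
        "spf": grade_spf(spf) if spf.startswith("v=spf1") else ["no SPF record"],
        "dmarc": grade_dmarc(dmarc[0]) if dmarc else ["no DMARC record"],
    }


if __name__ == "__main__":
    for d in ("example-corp.com", "example-weak.com", "example-c0rp.com"):
        print(d, audit(d), "covered by DMARC:", dmarc_covers(d))
```

The last line of output is the caveat in code: example-corp.com's reject policy is enforcing, but a bait message whose From: is example-c0rp.com is simply not within its scope, so nothing in that policy rejects it.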

Corporate Marketing Manager
Sarah is a wordsmith turned tech enthusiast with 20 years of experience in demystifying complex concepts. Her content helps our customers become email security heroes.