Cyber criminals are constantly evolving their methods, but their biggest leverage for growth will always be exploiting the human factor. Software and physical measures against cyber attacks have become so advanced that tricking workers is the only remaining attack vector criminals can reliably use.
According to Verizon’s 2023 Data Breach Report, 74% of breaches involved a human element.
Further emphasizing the susceptibility of individuals to cyber threats, the 2023 Gone Phishing Tournament, which tested over 1.3 million users, found that one in 10 employees fall for phishing scams.
These numbers vividly illustrate how, despite technological advancements in cybersecurity, human errors or manipulations remain a critical weak spot that adversaries target.
Cyber criminals are getting creative to catch unsuspecting employees in a moment of weakness or stress. In comes baiting, a common type of social engineering that has been wreaking havoc worldwide.
This article will explain this cyber threat, its variants, how to identify these attacks, and how you can put measures in place to stay protected against baiting.
What is Baiting?
Baiting is a variant of social engineering where the perpetrator lures the victim with attractive offers or rewards. This tactic tricks the victim into unintentionally downloading malware into their system or revealing confidential personal or organizational information.
A typical example is an online ad offering free software that, once downloaded, installs malware, or a financial offer that entices the victim to complete an “urgent” task.
Baiting can happen online and offline through various channels like email, SMS messages, physical letters, and USB devices. The goal is to gain access to a network, sensitive information, or direct financial gain.
How Baiting Works
Like many cyber threats, baiting relies heavily on urgency and scarcity. The promised product is almost sold out, or the requested task must be executed immediately to claim the reward. This additional psychological push will entice victims to readily overlook the obvious signs of the bait.
At its core, baiting homes in on human nature: the temptation of something free, a more general advantage like money or job advancement, or, in some cases, plain old curiosity.
Understanding the Different Types of Baiting
Baiting comes in several variants, each suited to a different situation. Being aware of each version is essential to recognizing attempts correctly as they happen.
Malvertising
Perhaps the most common type of baiting, malvertising is as old as the Internet. Creating false advertisements promising great rewards is a powerful way to promote a scam. In this scenario, cyber criminals prey on a moment of inattention from their victims as they surf the web.
Malvertising can also come from different channels, such as email or SMS. Another version can come from social media; hackers create a fake social media profile pretending to be a company running a contest and telling users they won a prize.
Spear baiting
This type of baiting targets a specific organization and its workers. The attacker first researches the organization in depth, learning the ins and outs of the workplace to find openings for a convincing bait.
This method tends to be very effective because the criminals have gathered enough information to convince their victims.
In spear baiting, the bait is usually the promise of financial gain, like a reward for doing a task quickly or a higher pay rate for the period where the task is executed.
Physical baiting
While most baiting attempts happen online, they can also work very efficiently in the physical realm.
Through a USB device or QR code left in a public place, attackers prey on human nature and curiosity. They hope someone will plug in the USB stick or scan the code, which leads the victim to a malicious website or installs malware directly on their machine.
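On the defensive side, a dropped USB stick only pays off if it is plugged into a machine unnoticed, so endpoint telemetry that flags unapproved mass-storage devices is a useful control alongside the awareness message. The script below is an added example, not part of the original article: it parses constructed Linux kernel log lines (the format mirrors what the kernel prints when a USB device is attached), correlates each "USB Mass Storage device detected" line with the vendor/product IDs announced for the same port, and reports any storage device that is not on a hypothetical corporate allow-list.

```python
import re

# Constructed sample kernel log lines (not from the article). Port 1-1 is a
# hypothetical corporate-issued stick, 1-2 is a keyboard/mouse receiver (no
# storage), and 1-3 is an unknown storage device that should raise an alert.
SAMPLE_LOG = """\
usb 1-1: new high-speed USB device number 4 using xhci_hcd
usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
usb 1-1: Product: Example Corp Stick
usb-storage 1-1:1.0: USB Mass Storage device detected
usb 1-2: new full-speed USB device number 5 using xhci_hcd
usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.01
usb 1-2: Product: USB Receiver
usb 1-3: new high-speed USB device number 6 using xhci_hcd
usb 1-3: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
usb-storage 1-3:1.0: USB Mass Storage device detected
"""

# Hypothetical allow-list of (idVendor, idProduct) pairs issued by the company.
ALLOWED_STORAGE = {("0781", "5567")}

# "usb <port>: New USB device found, idVendor=xxxx, idProduct=yyyy"
DEVICE_RE = re.compile(
    r"usb (?P<port>[\d\-.]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
# "usb-storage <port>:<interface>: USB Mass Storage device detected"
STORAGE_RE = re.compile(
    r"usb-storage (?P<port>[\d\-.]+):\d+\.\d+: USB Mass Storage device detected"
)


def find_unapproved_storage(log_text, allowed=ALLOWED_STORAGE):
    """Return one alert dict per mass-storage device whose IDs are not allow-listed."""
    devices = {}  # port -> (idVendor, idProduct) seen on that port
    alerts = []
    for line in log_text.splitlines():
        dev = DEVICE_RE.search(line)
        if dev:
            devices[dev["port"]] = (dev["vid"], dev["pid"])
            continue
        stor = STORAGE_RE.search(line)
        if stor:
            ids = devices.get(stor["port"])
            # Unknown IDs (no announcement seen) are treated as unapproved too.
            if ids is None or ids not in allowed:
                alerts.append({
                    "port": stor["port"],
                    "vendor": ids[0] if ids else None,
                    "product": ids[1] if ids else None,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_unapproved_storage(SAMPLE_LOG):
        print("unapproved USB storage:", alert)
```

In production the same logic would run over journald or a SIEM feed rather than a string, and the alert would be joined with the logged-in user so the awareness team can follow up; the point is that the "never plug it in" rule gets a technical backstop.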
Identifying Baiting Attempts
Baiting only works if the victim falls for the offer. A good rule to remember for any cyber threat, but especially in the case of baiting, is that if an offer sounds too good to be true, it’s probably a scam.
The bait can be an unexpected prize or windfall, but it can also be disguised as a job offer or a salary far above typical market rates.
Similarly, you should treat any attachments or links in unsolicited emails from sources you don’t directly know with extreme vigilance and scrutiny. Even when it comes from a trusted source, it’s always best to confirm the requested task or information with the person through another channel.
Physical baiting is easier to counter, but it can still be successful at scale. The rule of thumb in this case is rather simple: never plug an unknown USB stick into your machine, and always check the source of a QR code before scanning it.
A Cyber Security Aware Culture Against Baiting
People often think they are above falling for tactics like baiting, leading to a false sense of security and higher success rates for this attack. However, baiting attacks aren’t always as apparent as the infamous Nigerian prince or rich long-lost relative offering their fortunes.
As baiting becomes more subtle and developed, it becomes particularly dangerous. Since baiting exists in several forms, cyber security training alone often isn’t enough to counter it.
Baiting is also best understood in context, which is why it's important to run regular simulations around this type of cyber threat.
These exercises can not only help you figure out which employees are vulnerable to this threat but also show you how to rectify the environment or situations that have made them vulnerable to this attack in the first place.
Building Baiting Resiliency
Human nature will always be the ultimate weakness to exploit for cyber criminals. It’s the one fallible factor that can be found in every workplace worldwide, no matter the industry or level of education.
Baiting takes the concept of exploiting human nature a step further by offering a reward, something everyone seeks. Cyber security awareness training can come off as extreme sometimes, but cyber threats like baiting showcase just how vigilant people must be at all times, online and offline.
If you want to know how your employees stand against baiting, take advantage of Terranova Security’s free phishing simulation to assess and educate them on this type of cyber threat effectively.