Baiting in Social Engineering: How Hackers Trick You & Staying Safe

"'

Table of Contents

Share this article:

Baiting in social engineering is the digital equivalent of the Trojan horse. It relies on the curiosity or greed of the victim.

But what sets this form of social engineering apart from other attacks? And how can you prevent yourself or your employees from falling victim?

That’s what we’ll explore (and more) in this guide!

What is Baiting in Social Engineering?

Firstly, let’s recap what social engineering is.

Social engineering is an umbrella term that includes many techniques to exploit our human nature, and induce behaviors and mistakes that will lead to weakened security.

The primary goal of a social engineering attack is to convince a victim to reveal sensitive information (such as login credentials) and/or to inadvertently download malware (in the form of an email attachment for example).

Baiting is the form of social engineering that relies on a lure, the “bait”: a reward, a free product, exclusive content, and so on. The victim acts because they want what is on offer, not because they are pressured into it.

This is different from, say, a quid pro quo attack, where the attacker first does (or pretends to do) something for the victim, who then feels obliged to “return the favor”.

It’s in many ways similar to phishing attacks. However, phishing attacks usually rely on fear and urgency to incite their victims to act. A baiting attack on the other hand uses the promise of an item to entice victims. For instance, the attacker may offer users free music or movie downloads if they surrender their login credentials to a certain site.

How Baiting in Social Engineering Operates

In a baiting attack, the goal of attackers is usually to steal user credentials or have them install malware.

One way they can do this is with infected USB drives:

  • for instance, employees can receive infected flash drives as a reward for participating in a survey;
  • alternatively, the bad actors can leave infected USB drives in a basket of gifts placed in the company lobby for employees to simply grab on their way back to their work area;
  • another possibility is the strategic placement of tainted devices for targeted employees to take. When marked with intriguing labels like “Confidential” or “Salary Info,” the devices may be too tempting for some workers. These employees may just take the bait and insert the infected device into their company computers.

Baiting does not require physical media, though. It can be as simple as an advertising banner on a website promising a free iPhone, or one of those emails promising some kind of Bitcoin reward. Those also constitute baiting attacks.

Baiting Attacks in the Real-World

Now that we’ve covered the theory, let’s look at a real-world example of a baiting attack.

Infected USB drives attack

In early 2022, the FBI issued a public warning about a baiting campaign that had been targeting US businesses since August 2021.

Cybercriminals mailed USB devices disguised as promotional giveaways to unsuspecting employees. The devices were not ordinary flash drives: once plugged in, they registered themselves as a keyboard and typed commands that downloaded and installed malware. This then gave the attackers remote access to corporate networks.

Here’s a detailed view of how the baiting attack proceeded:

  • Step 1: Employees received a package with a USB drive labeled “Bonus Content – Company Training” or “Free Amazon Gift Card.”
  • Step 2: However, the USB drive was not a simple storage device. Once plugged in, it registered itself with the computer as a keyboard, so no file had to be opened, and scanning its contents for malware would not have helped.
  • Step 3: It then typed a sequence of commands that downloaded and installed malware, including remote access trojans (RATs), giving the attackers a foothold from which to steal login credentials.
  • Step 4: With the stolen credentials, the attackers were able to infiltrate corporate systems, exfiltrating sensitive data.

Some of the takeaways from this attack include:

  • Never insert unknown USB drives into a personal or work device.
  • Use endpoint device control to restrict which USB devices may connect, not just a file scanner: a device that behaves as a keyboard carries no malicious file to detect.
  • Educate employees on baiting and other social engineering tactics to prevent similar attacks.

Recognizing and Preventing Baiting Attacks

Let’s now look at a step-by-step process you can follow to recognize baiting attacks before it’s too late.

Step 1: Recognize common signs of baiting attacks

These are some of the most common red flags present in baiting attacks:

🚩 You’re offered something for free:

  • Fake promotions: “Download this premium software for free!”
  • Fake giveaways: “Get a free Amazon gift card—just sign in to claim yours.”
  • Free USB drives or gadgets left where you are likely to find them: company-branded sticks in conference centers, lobbies, or parking lots.

🚩 The offer comes from an unknown or suspicious source:

  • If you receive a USB drive, QR code, or email attachment from an unknown sender, it’s a red flag.
  • If a pop-up ad claims you’ve won something without entering a contest, it’s likely baiting.

🚩 The communication creates urgency:

  • “Limited-time offer! Only the first 100 users will get this free service.”

Step 2: Avoiding baiting traps

✅ Never use unfamiliar USB drives

  • If you find a USB drive, don’t plug it in—report it to IT.
  • If an event or company hands out free devices, have IT check them on an isolated machine before use. A scan with endpoint security software only inspects files, and a device that behaves as a keyboard contains none.

✅ Ignore ‘free’ downloads & online giveaways

  • Avoid software downloads from third-party sites—only use official sources.
  • If an email or ad offers a free premium service, verify it on the company’s official site.

✅ Be skeptical of QR codes

  • Do not scan QR codes from unknown flyers, posters, or stickers placed in public places.

✅ Use security software to block baiting attempts

  • Enable USB device restrictions on work computers, covering not only removable storage but also which device classes (such as keyboards) may be added.
  • Use email filters to block scam promotions and fake giveaways.
  • Install an ad blocker to prevent malvertising attacks.
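The two technical takeaways above (detect a rogue USB device, and restrict which devices may connect) can be demonstrated in a few lines. The following Python script is an added example written for this article; it is not Mailfence code and not part of the original post. It parses Linux kernel (dmesg) log lines, which are constructed for the example, flags any device that enumerates both a mass-storage interface and a keyboard interface (the “flash drive that types” used in drops like the one described above, which a file scan cannot see because the payload is keystrokes, not a file), flags any keyboard not on an assumed inventory allowlist, and prints a USBGuard-style rule that would reject such a device. The vendor/product IDs, the allowlist and the log text are all assumptions.

```python
"""Flag suspicious USB devices from Linux kernel (dmesg) log lines.

Added example for this article (not project code). The sample log below is
constructed, not a real capture; VID:PID values are illustrative only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed dmesg-style lines: a plain flash drive on port 1-2, a device on
# port 1-3 that presents BOTH a keyboard and mass storage, and an ordinary
# keyboard on port 1-4.
SAMPLE_DMESG = """\
[  123.456] usb 1-2: new high-speed USB device number 5 using xhci_hcd
[  123.600] usb 1-2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[  123.600] usb 1-2: Product: Cruzer Blade
[  123.601] usb-storage 1-2:1.0: USB Mass Storage device detected
[  130.100] usb 1-3: new full-speed USB device number 6 using xhci_hcd
[  130.250] usb 1-3: New USB device found, idVendor=2341, idProduct=8036, bcdDevice= 1.00
[  130.250] usb 1-3: Product: Arduino Leonardo
[  130.252] hid-generic 0003:2341:8036.0004: input,hidraw1: USB HID v1.01 Keyboard [Arduino LLC Arduino Leonardo] on usb-0000:00:14.0-3/input2
[  130.253] usb-storage 1-3:1.3: USB Mass Storage device detected
[  140.000] usb 1-4: new low-speed USB device number 7 using xhci_hcd
[  140.100] usb 1-4: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[  140.100] usb 1-4: Product: USB Keyboard
[  140.101] hid-generic 0003:046D:C31C.0005: input,hidraw2: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-4/input0
"""

# Assumption: the organisation's inventory of approved keyboards (VID:PID).
KNOWN_KEYBOARDS = {"046d:c31c"}

HEX4 = r"[0-9A-Fa-f]{4}"
NEW_DEV = re.compile(rf"usb (?P<port>\d+-[\d.]+): New USB device found, idVendor=(?P<vid>{HEX4}), idProduct=(?P<pid>{HEX4})")
PRODUCT = re.compile(r"usb (?P<port>\d+-[\d.]+): Product: (?P<name>.+)$")
STORAGE = re.compile(r"usb-storage (?P<port>\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected")
# HID lines carry no port, only the VID:PID, so they are joined on that key.
HID_KBD = re.compile(rf"hid-generic 0003:(?P<vid>{HEX4}):(?P<pid>{HEX4})\.\d+: .*Keyboard")


@dataclass
class UsbDevice:
    port: str
    vid: str
    pid: str
    product: str = ""
    interfaces: set[str] = field(default_factory=set)  # "storage", "keyboard"

    @property
    def id(self) -> str:
        return f"{self.vid}:{self.pid}"


def parse_dmesg(text: str) -> dict[str, UsbDevice]:
    """Build one UsbDevice per port from the enumeration messages."""
    by_port: dict[str, UsbDevice] = {}
    by_id: dict[str, UsbDevice] = {}
    for line in text.splitlines():
        if m := NEW_DEV.search(line):
            dev = UsbDevice(m["port"], m["vid"].lower(), m["pid"].lower())
            by_port[dev.port] = dev
            by_id[dev.id] = dev
        elif m := PRODUCT.search(line):
            if dev := by_port.get(m["port"]):
                dev.product = m["name"].strip()
        elif m := STORAGE.search(line):
            if dev := by_port.get(m["port"]):
                dev.interfaces.add("storage")
        elif m := HID_KBD.search(line):
            if dev := by_id.get(f"{m['vid'].lower()}:{m['pid'].lower()}"):
                dev.interfaces.add("keyboard")
    return by_port


def audit(devices: dict[str, UsbDevice], known_keyboards: set[str] = KNOWN_KEYBOARDS) -> list[tuple[str, str, str]]:
    """Return (port, vid:pid, reason) for every device worth a closer look."""
    findings = []
    for dev in devices.values():
        if {"storage", "keyboard"} <= dev.interfaces:
            findings.append((dev.port, dev.id, "storage+keyboard: possible keystroke-injecting 'flash drive'"))
        elif "keyboard" in dev.interfaces and dev.id not in known_keyboards:
            findings.append((dev.port, dev.id, "unknown keyboard enumerated"))
    return findings


def usbguard_reject_rule(dev: UsbDevice) -> str:
    """USBGuard rule (usbguard-rules.conf syntax): reject this VID:PID whenever it
    presents a mass-storage interface (class 08) together with a HID one (class 03)."""
    return f"reject id {dev.id} with-interface all-of {{ 08:*:* 03:*:* }}"


if __name__ == "__main__":
    devs = parse_dmesg(SAMPLE_DMESG)
    for port, dev_id, reason in audit(devs):
        print(f"{port} {dev_id} ({devs[port].product}): {reason}")
        print("   ", usbguard_reject_rule(devs[port]))
```

The same USBGuard check can be applied to every device rather than one VID:PID by dropping the `id` clause (`reject with-interface all-of { 08:*:* 03:*:* }`), which is the policy a work laptop should carry whether or not anyone is watching the logs; the allowlist of known keyboards is what turns “a keyboard appeared” from noise into a signal.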

✅ Use a private and secure email solution

Baiting in Social Engineering: Final Thoughts

The strongest defense against baiting and any other social engineering scheme is educating yourself and your team. Each of us should aim to have a strong security culture within our surroundings – office, home, etc.

In addition, every individual must consider ‘company security’ an essential part of their own responsibilities. Specifically for baiting, everyone should talk openly with their family, friends, and colleagues, and warn them about the dangers of social engineering.

There are other tips that you can follow to avoid social engineering schemes. You can learn more about how to protect your computer here. Our email security and privacy awareness course will provide you with comprehensive information on the specific topic to protect yourself, as much as you can, against social engineering.

Simon Haven

Simon is the Marketing Manager here at Mailfence. He leads the team in crafting informative and engaging content that empowers users to take control of their online privacy. His areas of expertise include SEO, content creation and social media management.