Social Engineering: What is baiting?
What is baiting?
“Congratulations! You won a prize!”
If you ever saw a message like this, there is a 101% chance that it was a baiting attack.
Baiting is like the real-world ‘Trojan Horse’in that it relies on the curiosity or greed of the victim. This is different from, say a quid pro quo attack where the victim might feel obliged to “return the favor”.
It’s in many ways similar to phishing attacks. However, what distinguishes them from other types of social engineering is the promise of an item or good that hackers use to entice victims. For instance, the attacker may offer users free music or movie downloads if they surrender their login credentials to a certain site.
How is baiting done?
Let’s take an example – with the end goal of infiltrating a company’s network.
Social engineers want to introduce malware into network-connected computers and spread malicious code.
One way they can do this is by promising a reward (“bait”).
For instance, employees can receive infected flash drives as a reward for participating in a survey.
Or, the bad actors can leave infected USB drives in a basket of gifts placed in the company lobby for employees to simply grab on their way back to their work area.
Another possibility is the strategic placement of tainted devices for targeted employees to take. When marked with intriguing labels like “Confidential” or “Salary Info,” the devices may be too tempting for some workers. These employees may just take the bait and insert the infected device into their company computers – and Voila!
What’s the difference between baiting and other social engineering techniques?
The specificity of baiting is to tempt a victim to take the bait, hence the name. The tempting content could be the promise of a gift, or the possibility to get some reward. Therefore, the hacker’s job is to create a trap for its victim.
How to secure your system against baiting?
The strongest defense against baiting and any other social engineering scheme is educating yourself and your team. Each of us should aim to have a strong security culture within our surroundings – office, home, etc.
In addition, every individual must consider ‘company security’ as an essential part of their individual responsibilities. Specifically for baiting, every individual should do open discussions with his family, friends, and colleagues – and warn them about the dangers of social engineering.
There are other tips that you can follow to avoid social engineering schemes. You can learn more about how to protect your computer here. Our email security and privacy awareness course will provide you with comprehensive information on the specific topic to protect yourself, as much as you can, against social engineering.
Educating yourself and others – is by far the most effective defense you can do against all faces of ‘Social Engineering’.
– Mailfence Team
Vlad has been writing online privacy and security-related content for companies in email privacy, VPN, cloud computing, DNS/WHOIS and other fields since 2014. He started working in email privacy in 2018 before joining Mailfence in 2021. You can follow him on LinkedIn @vladimircovic and on Twitter @covic_vladimir