Onccloud

Baiting Attacks: Social Engineering at its Most Appealing

Scammers, fraudsters, and cybercriminals have all kinds of tricky tactics designed to steal from you. But first, they have to get access to you. Sometimes, they hack into your router or printer, crack your password with AI or brute force, or just buy your information from a data breach. Other times, they get more hands-on. Scams, phishing, and social engineering let them trick and manipulate you into giving them what they want. All of these methods share a lot of common tactics. But baiting attacks are a specific type of social engineering that is missing a few of the common signs of fraud. If you’re not aware of it, you could end up missing the signs.

Baiting attacks are a type of social engineering attack. They can be applied in phishing or as part of a scam. Most often, they involve some form of malware. This attack gets its name because of how it operates. Most scams, fraud, and social engineering tactics rely on trust, fear, or urgency. The criminal impersonates a trustworthy person or agency, scares the target with a false story about horrible consequences for not complying, pushes them to act right away without taking time to think or talk to anyone else, and often combines all three. In a baiting attack, the criminal does none of these. Instead, they craft an attractive “bait” that they think people will want. They present the great offer with a hidden hook, and wait for your curiosity or greed to push you to take the bait.

First, the criminal creates the bait. This could be anything that might tempt you – a job offer, a deal or discount, something for free, or anything else that sounds appealing – or something you might simply find intriguing or interesting. Their goal is to make you curious or make you think you could get something good. Then they distribute the bait through various methods, depending on what it is. Next, you encounter the bait. Where and how depends on what the bait is and how the criminal distributed it. Common methods are USB devices left in public places, fake software or media downloads, links in emails, and social media ads. When you interact with the bait – plug the USB device into your computer, download the file, or click the link or the ad – whatever malware the criminal included with the bait ends up on your device. Now that the baiting attack has given them their way in, the criminal can launch their attack. The malware may be spyware designed to steal passwords or personal data from your device. It could be ransomware that holds your files hostage until you pay. Or it could even let the criminal take control of your device. It all depends on what they’re after specifically.

There are numerous ways baiting attacks can happen. Anything that sparks curiosity or desire could potentially be used as bait. But criminals also like to use tried-and-true methods where they can. So while some of them come up with new ideas, these are some of the most common “baits” you’ll see.

Criminals leave infected USBs in public places, hoping somebody will pick them up. Curiosity is a primary driver for this one – they hope people will wonder what’s on the USB and plug it in. But it also exploits people’s helpful natures. Whether you’re just curious about what it is or want to return it to its rightful owner, as soon as you plug it in, your device is infected. Alternatively, they may put out fake charging stations or malicious cables on real charging stations to infect whatever you’re trying to charge.

Fake downloads are one of the most common ways baiting attacks happen because they’re so easy for criminals to do. They set up a fake website advertising a free download of something, often software, music, or a movie. When you click to download it, it may or may not download the thing you’re trying to get. But it definitely downloads and installs the criminal’s malware.

Fake job listings are another common way these attacks happen. Criminals put up job listings on social media, send them via email, or, less commonly, list them on real job listing websites. (This is less common because it costs money to list on job listing sites, but just because it’s rare doesn’t mean it never happens.) They direct interested applicants to download an attachment for further information or to fill out a form that they have to download. But they’ve included malware in that attachment or download.

Free wifi is great – until it’s fake. If you’re on a criminal’s wifi network, it’s easy for them to see everything you do or even put malware directly onto your device. That’s why criminals love going to a place with free wifi (or, even better for them, a place people would expect to have free wifi but that doesn’t) and setting up a wifi network with a similar name. They hope to trick you into connecting so they can access your information or device.

Fake contests, fake giveaways, fake surveys, and fake ads are all techniques criminals use to carry out baiting attacks online. They offer a great prize for a giveaway or contest, promise compensation for a survey, or advertise great deals. All you have to do is provide some personal information, click a link, download something, or often all three. Now the criminal has their malware on your device and some of your personal information.

A lot of the steps to protect yourself from baiting attacks are simply a matter of being more cautious. Never plug an unknown device into yours, and never use an unknown cable (at least not without a USB condom). Be very cautious with free wifi, and if you have no other option, use a VPN. Remember that there’s no such thing as a free lunch – if the download doesn’t cost any money, you’re paying for it with something else. Don’t click ads (or use an ad blocker so you don’t even see them), and only download things from reputable sources.

The common wisdom for spotting scams is to watch out for urgency and beware of anything that makes you scared or anxious. But baiting attacks don’t use fear to get you to act. You should also be careful around anything that makes you overly curious or excited about getting a good deal. That doesn’t mean it’s necessarily fake. But it does mean that you should verify before you do anything.

If you have kids, you should also talk to them about these types of attacks. They are more likely to get caught by baiting because they are curious by nature and don’t have the experience or the brain development to be suspicious. Make sure they know to be cautious.

Basic cybersecurity steps will also help protect you from these attacks. Keep your operating system, apps, and software up to date. Make sure you have antivirus software, and make sure it runs regularly. Finally, remember that if it sounds too good to be true, it probably is. Don’t let curiosity or excitement over a good deal get the better of you. It’s better to miss out than to get caught in a baiting attack.
