Social engineering attacks are one of the most significant threats to an organisation’s information security. So much so that a staggering 98% of cyberattacks involve some social engineering component. One of the social attacks favoured by cybercriminals is known as baiting.
In this article, we look at baiting attacks and how to avoid them.
What is a Baiting Attack?
Baiting is a type of social engineering attack that lures, or “baits”, victims into handing over sensitive data, such as email addresses or login credentials, or installing malware. This then allows malicious actors to gain access to an organisation’s network and steal data, install ransomware to extort money, or damage its infrastructure.
Like all social engineering attacks, baiting relies on psychological manipulation to trick users into entering personal data or clicking on a malicious link. Baiting specifically exploits human curiosity and greed: it makes fake offers and promises, for free, something the victim would usually have to pay for.
Cybercriminals like to employ baiting techniques because they require fewer technical skills to implement than other cyberattacks, such as DNS hijacking.
Types of Baiting Attacks
Download and Streaming Sites
Cybercriminals can carry out baiting on websites that offer free software, movies, music, games, etc. While the user expects to download the media in question, they’ll instead download malware on their device when they click on the associated link. Alternatively, the malware could come from the pop-up ads that such sites invariably feature.
Offers and Online Contests
Baiting can also occur through outlandish offers and online contests. On one hand, victims can be tempted into clicking a malicious link with an offer such as “Grab The Latest iPhone for £100”, which then proceeds to download malware onto their machine. Alternatively, baiting can take the form of a competition offering the chance to win coveted consumer electronics (iPhones, iPads, game consoles, etc.) or cash prizes. In this case, the aim is to entice the victim into giving up personal information, which the attackers can then use to defraud the victim directly or as part of a plan to infiltrate the company they work for.
While the above two methods take place in the digital realm, malicious actors can also carry out baiting by physical means, most commonly with USB drives. The cybercriminal leaves USB drives or other physical devices containing malware in or around the company they are targeting: in its reception area, bathrooms, car parks, corridors, etc. Worse, such devices often feature the company’s logo or branding to make them look more legitimate. A curious employee then picks up the infected drive and plugs it into their PC or laptop.
Adding to the deviousness, the cybercriminal will often fill the device with files and folders whose names are chosen to pique the victim’s curiosity, such as “Confidential – Employee Bonus Details”. Opening one of these files gives the attacker a foothold to run malicious code on the employee’s device, from which it can spread through the company’s network and result in data breaches and similar cyberattacks.
How Can You Avoid Baiting Attacks?
Now we’ve explained what baiting is and the various ways it occurs, let’s move on to how you can prevent it in your organisation.
Educate Your Employees
The best way to avoid a baiting attack is to educate your staff on how they can fall victim to one, so they know what to look out for. Your employees need to get into the mindset of thinking twice before clicking on a compelling offer or attempting to download something for free. This applies not only at work, where many of these sites may be blocked, but also in their free time on their own devices. Greater awareness and extra vigilance are the best defence against baiting and other social engineering attacks.
Implement a Baiting Simulation
Part of educating your employees could include carrying out a baiting simulation to illustrate how a cybercriminal could trick them into making a mistake. This could involve leaving USB drives around the premises that are made to look legitimate and contain files likely to interest whoever finds them. However, instead of malicious code, the USB drives would contain harmless tracking measures that record who plugged them in, so you can evaluate your staff’s performance in the simulation.
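Both the USB-drop attack described above and the simulation just outlined hinge on the same observable event: a removable storage device being plugged into a company endpoint. The following script is an added example, not code from RiskXchange or from the original article. It scans constructed Linux kernel syslog lines (the sample data is made up for illustration) for USB mass-storage insertions, correlates the “New USB device found” line with the matching “USB Mass Storage device detected” line by host and port so that keyboards and mice are ignored, checks the device against a hypothetical allow-list of corporate-issued drives, and counts which hosts mounted an unapproved drive. During a simulation the same count tells you which endpoints took the bait; in production the same alerts feed your SOC.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines for illustration; not real captured data.
SAMPLE_LOG = """\
Mar  3 09:12:44 ws-finance-07 kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Mar  3 09:12:44 ws-finance-07 kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected
Mar  3 09:13:02 ws-reception-01 kernel: usb 2-1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
Mar  3 09:13:02 ws-reception-01 kernel: input: Logitech USB Keyboard as /devices/pci0000:00/usb2/2-1/2-1:1.0/input/input5
Mar  3 09:40:17 ws-hr-03 kernel: usb 1-2: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
Mar  3 09:40:17 ws-hr-03 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Mar  3 10:05:50 ws-finance-07 kernel: usb 1-1.3: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
Mar  3 10:05:50 ws-finance-07 kernel: usb-storage 1-1.3:1.0: USB Mass Storage device detected
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
# Kernel line emitted for every USB device (keyboards, mice, drives alike).
NEW_DEVICE_RE = re.compile(
    TS + r" (?P<host>\S+) kernel: usb (?P<port>[\d.-]+): "
    r"New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
# Kernel line emitted only when the usb-storage driver binds, i.e. a removable drive.
STORAGE_RE = re.compile(
    TS + r" (?P<host>\S+) kernel: usb-storage (?P<port>[\d.-]+):[\d.]+: "
    r"USB Mass Storage device detected"
)

# Hypothetical allow-list of corporate-issued drives as (idVendor, idProduct); an assumption for this example.
APPROVED_STORAGE = {("0951", "1666")}


def find_removable_storage_events(log_text, approved=APPROVED_STORAGE):
    """Return one event per mass-storage insertion, with vendor/product and allow-list status."""
    pending = {}  # (host, port) -> fields from the "New USB device found" line
    events = []
    for line in log_text.splitlines():
        m = NEW_DEVICE_RE.match(line)
        if m:
            pending[(m["host"], m["port"])] = m.groupdict()
            continue
        m = STORAGE_RE.match(line)
        if m:
            # Pair the storage line with the device line seen on the same host and port.
            dev = pending.pop((m["host"], m["port"]), None)
            vid, pid = (dev["vid"], dev["pid"]) if dev else ("????", "????")
            events.append({
                "time": m["ts"], "host": m["host"], "port": m["port"],
                "vid": vid, "pid": pid,
                "approved": (vid, pid) in approved,
            })
    return events


def hosts_with_unapproved_media(events):
    """Simulation scoring: which endpoints mounted a non-approved drive, and how many times."""
    counts = defaultdict(int)
    for e in events:
        if not e["approved"]:
            counts[e["host"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_removable_storage_events(SAMPLE_LOG)
    for e in found:
        status = "approved" if e["approved"] else "ALERT unapproved"
        print(f"{e['time']} {e['host']} port {e['port']} {e['vid']}:{e['pid']} {status}")
    print("hosts that mounted unapproved media:", hosts_with_unapproved_media(found))
```

The keyboard on ws-reception-01 produces a “New USB device found” line but never a usb-storage line, so it is correctly left out; the approved drive on ws-hr-03 is recorded but not flagged. A vendor/product allow-list is a weak control on its own, since those identifiers are trivially cloned, so treat it as a triage aid and pair it with endpoint policy that blocks unapproved removable media outright.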
Install Antivirus Software
Antivirus software will help detect and delete malware, which prevents it from spreading through your organisation’s network. Better still, a good antivirus solution will scan attachments and files for malware and make you aware of anything suspicious before you open them. It is also important to update your antivirus software frequently so that it detects new and emerging cyber threats, as malicious actors’ methods grow increasingly inventive and sophisticated.
To learn more about baiting attacks and what to do if you suspect someone in your organisation has been the victim of baiting, get in touch with us here at RiskXchange.