What is Baiting?
Have you ever clicked on one of those social media posts that promise an enticing story? If you have, you already understand the meaning of "baiting." In the case of a "clickbait" story, the link usually leads to a mildly annoying site full of pop-up ads. Baiting can be used for far worse, though: as a form of social engineering it can result in data theft, financial loss, and malware infection.
How Does Baiting Work?
Baiting works because the "bait" is designed to elicit a natural response, such as curiosity or urgency. The ability to manipulate human behavior in this way is known as social engineering: attackers abuse the instincts people rely on as social creatures to navigate the world, and the manipulation results in an action that benefits the attacker.
Social engineering has become one of the most prevalent attack vectors, with almost all (98%) cyber-attacks involving a social engineering element. Social engineering can be thought of as human hacking. It works because people have set behaviors that cybercriminals can exploit. For example, people like to conform, to fit in, and to be a good employee, so attackers can pressure them into sharing sensitive or financial information in the name of getting a task done quickly. Attackers also play on emotional reactions, such as the fear of missing out on an opportunity. There are many ways to manipulate people by engineering their behavior.
Baiting is closely related to phishing: attackers use "bait," such as a gift or a great offer, to entice a person into acting. The bait can also be a physical item, such as a USB key left lying around. Curiosity gets the better of the victim, who plugs the USB key into their computer. If the bait is taken, the result can be stolen data, financial losses, or malware infection.
Techniques Behind Social Engineering
Social engineering relies on the manipulation of people. The psychology of social engineering utilizes a variety of tactics, some of which include:
- Influence and Power: People in positions of influence or power can encourage specific actions; take influencers on social media, for example. Recent research found that over three-quarters of consumers planned a purchase based on a social media post. People seen as being in a position of authority can change the behavior of individuals. Baiting exploits this by sending phishing emails or SMS texts that impersonate authority figures, such as a government agency or the CEO. Alternatively, an attacker may make a USB device look "official" by printing a known brand's logo on it to encourage an unsuspecting employee to plug it in.
- A Helpful Nature: People like to help others, especially in the workplace. Baiting attackers exploit this to encourage people to donate to fake charities or to support a "colleague" by sharing a password or holding open a locked door. The latter is the lever that malicious insiders and tailgaters rely on.
- Freebies: Everyone likes the offer of something for free. Fear of missing out (FOMO) is a second tactic used alongside the free offer, for example by making the offer available only for a limited time or to the first few responders. Baiting attackers then use the freebie to persuade an employee or other individual to click on a link.
Taking The Bait - What Happens?
If someone, such as an employee, takes the bait, the consequences can include data theft, malware infection, industrial espionage, and financial loss. These outcomes typically come about through the following types of bait and baiting methods:
Data Theft Via Email or SMS Text
Emails or SMS texts (smishing) used for baiting may contain a link that, if clicked, takes the victim to a spoof website. The site is designed to look like a well-known brand and asks the individual to enter personal data or credit card details. Some malicious sites also exploit vulnerabilities in the browser or device software to download and install malware without any further action from the victim. Baiting sites targeting businesses will mimic services such as Microsoft 365 and encourage employees to enter their login credentials. Any data entered into a baiting site goes straight to the attacker.
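The checks below show how an anti-phishing layer can pick apart the links in a baiting email before anyone clicks them. This is an added example, not TitanHQ product code; the brand allow-list, the keyword list, the TLD list and the sample message are constructed for the demonstration. It flags the three tells in the paragraph above: visible text that says one site while the link goes to another, a brand name used on a domain the brand does not own, and a login page served over plain http or from a punycode host.

```python
"""Flag bait links in an e-mail body before a user can click them.

Added example, not TitanHQ product code: the checks an anti-phishing
layer can apply to every link in a message. The brand allow-list, the
keyword list, the TLD list and the sample message are constructed for
this demonstration, not taken from the article.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: registrable domains on which each brand really
# hosts login pages. A production filter would carry a far larger table.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com", "live.com"},
    "paypal": {"paypal.com"},
}
# Strings in a hostname that suggest the link is trading on a brand name.
BRAND_KEYWORDS = {
    "microsoft": ("microsoft", "m365", "office365", "o365"),
    "paypal": ("paypal",),
}
# Constructed policy: cheap TLDs that lure sites tend to favour.
SUSPICIOUS_TLDS = {"zip", "top", "xyz", "click"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Crude stand-in for a Public Suffix
    List lookup; wrong for names like example.co.uk, fine for the demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_link(href, text):
    """Return the reasons a link looks like bait; an empty list means clean."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["no host in href"]
    domain = registrable_domain(host)

    # 1. The visible text is itself a URL, but it points somewhere else.
    shown = re.search(r"https?://([^/\s]+)", text)
    if shown and registrable_domain(shown.group(1)) != domain:
        reasons.append(f"display host {shown.group(1)} != target {host}")

    # 2. A brand name appears in the host but the host is not the brand's own.
    for brand, keywords in BRAND_KEYWORDS.items():
        if any(kw in host for kw in keywords) and domain not in BRAND_DOMAINS[brand]:
            reasons.append(f"impersonates {brand} on {domain}")

    # 3. Punycode labels can hide homoglyphs; a login page over plain http is
    #    wrong for any real brand; cheap TLDs are over-represented in lures.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host label")
    if parsed.scheme == "http":
        reasons.append("plain http")
    if domain.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
        reasons.append("suspicious TLD")
    return reasons


def scan_email_html(body):
    """Map every href in the body to its list of reasons."""
    extractor = _LinkExtractor()
    extractor.feed(body)
    return {href: analyse_link(href, text) for href, text in extractor.links}


# Constructed sample: a "free storage upgrade" lure plus one genuine link.
SAMPLE_BAIT = """
<p>Your M365 mailbox is almost full. Claim your free storage upgrade today!</p>
<a href="https://m365-storage-upgrade.xyz/login">https://login.microsoftonline.com</a>
<a href="https://www.microsoft.com/en-us/microsoft-365">Microsoft 365 plans</a>
<a href="http://xn--pypal-4ve.com/verify">Verify your PayPal account</a>
"""

if __name__ == "__main__":
    for href, reasons in scan_email_html(SAMPLE_BAIT).items():
        print("BLOCK" if reasons else "ALLOW", href, reasons)
```

Run on the constructed message, the genuine microsoft.com link comes back clean, the "upgrade" lure trips all three checks, and the punycode link is caught even though its host never literally contains "paypal", which is the point of checking the encoding rather than the brand string alone. The registrable-domain helper is deliberately naive; swap in a Public Suffix List lookup before using this on real mail.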
Malware Infection Via USB Keys
Here the bait is a physical device. An attacker leaves a USB key where an employee is likely to find it, often dressed up with a known brand's logo so that it looks "official." Curiosity, or a wish to return the device to its owner, leads the finder to plug it into a work computer, and the malware it carries is executed from there, giving the attacker a foothold inside the network. Because the device never passes through email or web filtering, the employee's awareness is the main line of defense; the outcome is the same as for any other malware infection, from stolen data to ransomware.
Malvertising
Malware-containing ads (malvertising) are a lucrative way for cybercriminals to make money. The malware is hidden in online ads, often hosted on legitimate sites, where the attacker has paid for or hacked into a display ad campaign. Malvertising frequently relies on 'drive-by downloads': the ad loads code that exploits a vulnerability in the browser or a plug-in, so the ad does not even need to be clicked for the malware to install. Baiting attacks feed into malvertising through baiting emails and social media posts that take victims to the pages carrying these malicious ads. Cybercrime as a whole, of which malvertising is one revenue stream, is predicted to cost businesses worldwide $10.5 trillion by 2025.
Geraldine Hunt
How Can TitanHQ Help?
Reducing the risk of baiting is difficult because the attackers use human behavior as a weapon. A mix of education and technology is the best way to mitigate the insidious and varied nature of baiting attacks:
Education:
- Security awareness sessions improve employees' recognition of baiting and other social engineering attacks. Baiting attackers rely on their targets not realizing they are being manipulated. SafeTitan provides interactive and engaging security awareness training that covers all aspects of social engineering tricks.
- Simulated baiting attacks are another option and should form part of an overall security awareness training program. The company stages its own fake baiting attacks, such as a "free gift" email with a tracked link or labeled USB keys left in common areas, to show employees the vectors used to socially engineer them and to measure who takes the bait.
- Reactive training (a short lesson delivered at the moment an employee falls for a simulation) and gamification of exercises keep training engaging and effective.
Over time, staff across the workplace improve their resilience to social engineering. A security culture becomes the norm for the organization, and successful phishing and other social engineering attacks, such as baiting, become far less likely.
Technology:
Specific technology solutions should be deployed alongside security awareness training. These technologies mitigate the attack vectors used in baiting attacks. Because baiting takes many forms, a multi-layered, defense-in-depth approach to security is essential:
- DNS filtering: Baiting attacks rely on phishing emails and spoofed websites. A DNS filter checks every domain lookup against block lists and categories before the browser connects, so an employee who clicks a bait link is stopped from reaching a known malicious or suspicious website. Note that a lure domain registered hours before the campaign may not yet appear on any list, which is why the filter is one layer rather than the only one.
- Anti-malware and anti-phishing technologies intercept malware-carrying emails and links to malicious websites, providing an essential security layer. Malicious attachments, malvertising, and infected websites are all used to distribute malware, including ransomware. Anti-phishing and anti-spam solutions such as TitanSecure block these before they reach the inbox and so reduce the chance of a malware infection. TitanSecure also offers advanced malware protection that covers emerging threats, including zero-day exploits that lead to malware infection.
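To make the DNS filtering layer concrete, the block below models the decision a DNS filter makes for each lookup: match the queried name against an allow list and a block list, with the allow list taking precedence, and answer blocked names with a sinkhole address. This is an added example, not TitanHQ product code; the list contents and the resolver log it processes are constructed for the demonstration. Matching is label-aligned, so an entry for paypal.com covers login.paypal.com but not a lure such as paypal.com.secure-verify.top.

```python
"""Minimal DNS-filter policy check.

Added example, not TitanHQ product code: a DNS filter answers every lookup
from the workstation only after matching the name against block and allow
lists. This block models that decision; the list contents and the sample
query log are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

SINKHOLE = "0.0.0.0"  # answer for blocked names: the browser fails fast instead of loading the lure


@dataclass
class Verdict:
    name: str
    action: str            # "ALLOW" or "BLOCK"
    rule: str              # matching list entry, or "default"
    answer: Optional[str]  # sinkhole address for BLOCK, None otherwise


def normalise(name: str) -> str:
    """Lower-case, strip whitespace and any trailing dot (FQDN form)."""
    return name.strip().lower().rstrip(".")


def _matches(name: str, entry: str) -> bool:
    """An entry matches itself and every name beneath it, label-aligned, so
    'paypal.com' does not match 'paypal.com.secure-verify.top' or 'notpaypal.com'."""
    return name == entry or name.endswith("." + entry)


def evaluate(name: str, blocklist: Iterable[str], allowlist: Iterable[str] = ()) -> Verdict:
    """Allow-list entries are checked first so an over-broad block entry can
    never sinkhole a domain the business depends on."""
    name = normalise(name)
    for entry in allowlist:
        if _matches(name, normalise(entry)):
            return Verdict(name, "ALLOW", f"allow:{entry}", None)
    for entry in blocklist:
        if _matches(name, normalise(entry)):
            return Verdict(name, "BLOCK", f"block:{entry}", SINKHOLE)
    return Verdict(name, "ALLOW", "default", None)


def filter_log(lines: Iterable[str], blocklist, allowlist=()) -> list:
    """Apply the policy to '<client> <qname>' log lines; return (client, Verdict) pairs."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        client, qname = line.split()[:2]
        results.append((client, evaluate(qname, blocklist, allowlist)))
    return results


# Constructed policy: two lure domains that threat intel has already flagged.
BLOCKLIST = ["m365-storage-upgrade.xyz", "secure-verify.top"]
ALLOWLIST = ["microsoftonline.com", "paypal.com"]

# Constructed resolver log: "<client> <queried name>", one lookup per line.
SAMPLE_QUERIES = """
10.0.4.17 m365-storage-upgrade.xyz
10.0.4.17 cdn.m365-storage-upgrade.xyz
10.0.4.22 login.microsoftonline.com
10.0.4.22 paypal.com.secure-verify.top
10.0.4.31 www.example.org
""".splitlines()

if __name__ == "__main__":
    for client, v in filter_log(SAMPLE_QUERIES, BLOCKLIST, ALLOWLIST):
        print(f"{client:<12} {v.action:<5} {v.name:<35} {v.rule}")
```

The sinkhole answer is what turns a click on a bait link into a connection error instead of a credential form. The "default" verdict is also where the caveat bites: www.example.org is allowed only because nothing on the list matched it, so a freshly registered lure looks exactly the same to this logic until threat intelligence catches up.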