Baiting is a cyber attack strategy. It involves offering a false promise or a trap of some kind. The result attackers seek is for someone to load malware onto their network, either by clicking a link or by connecting a physical object.
Many baiting attacks rely on human greed or desire. However, others take a different approach – they use human kindness or helpfulness against you. But whether they exploit positive or negative impulses, baiting strategies have a lot in common.
Baiting can come through email, physical mail, websites, and physical media. Common baits include:
- Email promising a gift card.
- USB stick left physically near the target organisation.
- Free download of a song, movie, or game.
Less common, higher-stakes baits include high-value electronics such as a laptop or iPad, which someone might want to keep for themselves or try to return to their owner.
Why cyber baiting works
Baiting often appeals to our greed by offering us something that we want. Often, the offer is overly cheap or attractive compared to what legitimate businesses are providing. Targeted baiting can use consumer data to zero in on specific desires you might have – making the bait more tempting.
However, baiting can also appeal to our better side. We find a digital camera or tablet lying on a table near our workplace, and it looks as though someone has accidentally left it. We might feel bad for the owner. We could imagine how we’d feel at the loss of precious memories or work files. So we try to find out who it belongs to – often by connecting it to a workplace device or network.
How to protect against it personally
Awareness is 90% of the battle against baiting. Once you’re aware that these strategies exist, you’re less likely to fall victim to them. There are some basic rules you can use to help, though:
- Don’t turn on or plug in devices that you don’t know.
- Avoid offers that seem too good to be true. They’re probably baits designed to appeal to your greed.
- If you get an offer that seems legitimate but requires you to click through to a website, stop and verify it through other means. For example, if you receive a free gift card offer from a retailer you have an account with, go directly to the retailer's website and check that the offer appears in your account. Alternatively, call the customer service line.
How to protect against it in your organisation
One of the best ways to protect against baiting is to block or inspect unknown devices and links. Automated systems can help you with this:
- Operating system policies that block removable drives from being used on devices on the network.
- Network policies that prevent unknown devices from joining the network.
- An email platform that looks for and blocks malicious links.
- EDR software that protects against malware installing on a device.
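As an added example (not part of the original post, and not PhishNet's tooling), here is one way to act on the "inspect unknown devices" item: a Python check that reads Windows Security event 6416 records ("A new external device was recognized by the system") and flags removable drives whose serial number is not on an approved list. The event records, host names and allowlist below are constructed for illustration.

```python
import re

# Constructed sample of Windows Security event 6416 records, flattened to the
# three fields this check uses. Device IDs follow the real
# USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&<n> layout;
# the hosts, vendors and serials themselves are made up.
SAMPLE_EVENTS = r"""
Host: WS-042 Device ID: USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0C9D92E1B3E4F&0 Class Name: DiskDrive
Host: WS-042 Device ID: USB\VID_046D&PID_C52B\6&2A1F0E3&0&2 Class Name: HIDClass
Host: WS-017 Device ID: USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\FFFFFFFFFFFF&0 Class Name: DiskDrive
Host: WS-017 Device ID: USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0C9D92E1B3E4F&0 Class Name: DiskDrive
"""

# Constructed allowlist of serial numbers of company-issued drives. Matching on
# vendor or product name alone is not enough: a planted stick can carry any label.
APPROVED_SERIALS = {"0C9D92E1B3E4F"}

EVENT_RE = re.compile(r"Host: (\S+) Device ID: (\S+) Class Name: (\S+)")
USBSTOR_RE = re.compile(r"^USBSTOR\\Disk&Ven_([^&]*)&Prod_([^&]*)&Rev_[^\\]*\\([^&]+)&\d+$")


def parse_events(log_text):
    """Yield (host, device_id, class_name) for each line that looks like an event."""
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield m.groups()


def unapproved_storage(log_text, approved_serials=APPROVED_SERIALS):
    """Return one alert dict (host, vendor, product, serial) per removable-storage
    connection whose serial is not approved. Non-storage devices are skipped."""
    alerts = []
    for host, device_id, class_name in parse_events(log_text):
        if class_name != "DiskDrive":
            continue
        m = USBSTOR_RE.match(device_id)
        if not m:
            continue  # storage on a non-USB bus, not in scope here
        vendor, product, serial = m.groups()
        if serial not in approved_serials:
            alerts.append({"host": host, "vendor": vendor, "product": product, "serial": serial})
    return alerts


if __name__ == "__main__":
    for a in unapproved_storage(SAMPLE_EVENTS):
        print(f"ALERT {a['host']}: unapproved USB drive {a['vendor']} {a['product']} serial {a['serial']}")
```

On a real estate the records would come from the SIEM or a scheduled event-log export, and the allowlist from asset inventory; the same logic also works as a SIEM correlation rule.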
Another important baiting protection is staff education. PhishNet reduces the risk of a devastating cyber incident by training your people. When your staff know better, they can do better! Contact us today to discover how PhishNet can protect your business.