What is Baiting?

Have you ever clicked on one of those social media posts that offer access to an enticing story? If you have, you'll understand the meaning of "baiting." In the case of a "clickbait" story, often the link takes you to a mildly annoying site with lots of pop-up ads. However, baiting can be used for nefarious purposes too. Baiting is a form of social engineering that can result in data theft, financial losses, and malware infection. TitanHQ explores this insidious attack and how to prevent employees from taking the bait.

How Does Baiting Work?

Baiting works because the "bait" is designed to elicit a natural response, like curiosity or urgency. This ability to manipulate human behavior is known as social engineering: attackers abuse the instincts humans rely on as social creatures to navigate the world, and the manipulation results in some action that benefits the attacker.

Social engineering has become one of the most prevalent attack vectors, with almost all (98%) cyber-attacks having a social engineering element. Social engineering can be thought of as human hacking. It works because people have set behaviors that cybercriminals can exploit. For example, people often like to conform, to fit in, and to be a good employee, so attackers can pressure them to share sensitive or financial information in order to complete a task quickly and efficiently. Attackers also play on emotional reactions to situations, such as the fear of missing out on an opportunity. Cybercriminals have many ways to manipulate people by exploiting these behaviors.

Baiting is a variant of phishing in which attackers use "bait" like a gift or a great offer to entice a person. Baiting can also involve a physical item, such as a USB key left lying around. Curiosity gets the better of the victim, who plugs the USB key into their computer. If the bait is taken, the result will be stolen data, financial losses, or malware infection.

Did You Know?

92% drop

in phishing susceptibility with SafeTitan

62%

of employees share passwords

$10.5 trillion

estimated global cybercrime cost

82%

of data breaches involved a human being

Techniques Behind Social Engineering

Social engineering relies on the manipulation of people. The psychology of social engineering utilizes a variety of tactics, some of which include:

Influence and Power: People in positions of influence or power can encourage specific actions; take influencers on social media, for example. Recent research found that over three-quarters of consumers planned a purchase based on a social media post. People who are seen as being in a position of authority can change the behavior of individuals. Baiting uses this behavior by sending out phishing emails or SMS texts that impersonate authority figures, like the government or a CEO. Alternatively, an attacker may make a USB device look "official" by using the logo of a known brand to encourage an unsuspecting employee to use it.

A Helpful Nature: People like to help others, especially in the workplace. Baiting attackers exploit this part of human nature to encourage people to donate to charities or support a "colleague" by sharing passwords or opening locked doors. In the latter case, malicious insiders or tailgaters often use this behavior manipulation.

Freebies: Everyone likes the offer of something for free. The fear of missing out (FOMO) is another social engineering tactic used alongside the enticement of a free offer, for example by presenting the offer as limited. Baiting attackers then use the freebies to encourage an employee or other individual to click on a link.

Taking The Bait - What Happens?

If someone, like an employee, takes the bait, the result can be data theft, malware infection, industrial espionage, or financial loss. These outcomes typically come about through the following types of bait and baiting methods:

Data Theft Via Email or SMS Text

Emails or SMS texts (smishing) used for baiting may contain a link that, if clicked, takes the victim to a spoof website. The site is designed to look like a well-known brand and asks the individual to enter personal data or credit card details. Some infected sites may also exploit vulnerabilities in device software to download and install malware. Some baiting sites targeting businesses mimic brands like M365 and encourage employees to enter their login credentials. Any data entered into a baiting site is stolen.

Malware Infection Via USB Keys

Physical baiting uses a USB key, sometimes dressed up with the logo of a known brand to look "official," left where an employee will find it. Curiosity leads the finder to plug the device into their computer, and the malware it carries infects the machine. Policies covering the use of USB keys and other removable media are the main control against this form of bait.

Malvertising

Malware-containing ads (malvertising) are a lucrative way for cybercriminals to make money. The malware is hidden in online ads, often hosted on legitimate sites, where the hacker has paid for or hacked into a display ad campaign. Malvertising usually uses 'drive-by downloads,' which means the ads don't even need to be clicked for the malware to install. Baiting attacks use malvertising through baiting emails and social media posts that take victims to these malicious ads. Malvertising is predicted to cost businesses worldwide $10.5 trillion by 2025.


How to Prevent Baiting and De-Risk Your Company

Reducing the risk of Baiting is complicated because the attackers use human behavior as a weapon. Using a mix of education and technology provides the best way to mitigate the insidious and complex nature of baiting attacks:

Policies

Robust security policies define how your organization handles the complex nature of social engineering. As social engineering covers a broad range of tactics, a policy should encompass the organization's approach to safe internet use, password hygiene, and using USB keys and other removable media.

Education

Security awareness sessions improve employees' recognition of baiting and other social engineering attacks. Baiting attackers rely on employees and others being unaware that they are being exploited, so security awareness training that shows how baiting attacks work is essential. SafeTitan provides interactive and engaging security awareness training that covers all aspects of social engineering tricks.

Some people are more susceptible than others to certain types of social engineering. Therefore, behavior-led security awareness training programs that focus on the individual are more effective. Regular training is also essential as this helps to identify individual strengths and weaknesses over time. Focused training on behaviors at the personal level helps to mitigate the chances of a successful baiting attack.

Simulated baiting attacks are another option offered by some security awareness training products, and they should be used as part of an overall security awareness training program: the company sets up fake baiting attacks to demonstrate the vectors used to socially engineer people. Reactive training and gamification of the exercises keep the training engaging and effective.

Over time, staff across the workplace will improve their resilience to social engineering. A security culture will become customary for the organization, and successful phishing and other social engineering attacks, such as Baiting, will be prevented.

Technology

The deployment of specific technology solutions should be used alongside security awareness training. These technologies help to mitigate the attack vectors used in baiting attacks. Because baiting takes many forms, using a multi-layered, defense-in-depth approach to security is essential:

DNS filtering: Baiting attacks use techniques such as phishing emails and spoofed websites. A DNS filter stops an employee from navigating to a suspicious website.

Anti-malware and anti-phishing: These technologies intercept malware-containing emails or links to malicious websites, providing an essential security layer. Malware-infected attachments, malvertising, and infected websites are all used to distribute malware, including ransomware. Anti-phishing and anti-spam solutions like TitanSecure prevent malware infections, and TitanSecure offers advanced malware protection that covers even emerging threats like zero-day exploits.
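To make the DNS filtering control concrete, here is an added example (not TitanHQ's code and not how any particular product is implemented) of the policy logic a DNS filter applies: every outbound DNS query from a workstation is checked against a blocklist and against brand-lookalike rules, and a match is blocked before the browser ever loads the spoof site that a baiting email or SMS linked to. The blocklist entries, the protected brand and its genuine domain, and the query log lines are all constructed sample data using reserved `.example` names, not real indicators.

```python
"""Model of the decision a DNS filter makes for each query (added example)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed blocklist: domains a threat feed has flagged as baiting sites.
BLOCKLIST = {
    "free-giftcard-offer.example",
    "m365-login-verify.example",
}

# Constructed: brand tokens to watch for, mapped to that brand's genuine
# domains. A query whose labels mention the brand but whose domain is not
# in this set is treated as a lookalike and blocked.
PROTECTED_BRANDS = {
    "m365": {"m365.example"},
}


@dataclass(frozen=True)
class Verdict:
    name: str
    blocked: bool
    reason: str


def normalize(name: str) -> str:
    """Lower-case the name and drop the trailing dot of a fully qualified name."""
    return name.strip().rstrip(".").lower()


def registrable_domain(name: str) -> str:
    """Return the last two labels (assumption: no public-suffix list is consulted)."""
    return ".".join(name.split(".")[-2:])


def evaluate(query_name: str) -> Verdict:
    """Decide whether a single DNS query name is allowed or blocked."""
    name = normalize(query_name)

    # Rule 1: exact match, or any subdomain, of a blocklisted domain.
    # The leading dot keeps 'evil-free-giftcard-offer.example' from matching.
    for blocked in BLOCKLIST:
        if name == blocked or name.endswith("." + blocked):
            return Verdict(name, True, f"blocklist:{blocked}")

    # Rule 2: a label mentions a protected brand, but the registrable domain
    # is not one of the brand's genuine domains (typical of spoof sites).
    domain = registrable_domain(name)
    for brand, genuine in PROTECTED_BRANDS.items():
        if domain not in genuine and any(brand in label for label in name.split(".")):
            return Verdict(name, True, f"lookalike:{brand}")

    return Verdict(name, False, "allowed")


# Constructed log format: "<timestamp> <client> query <qtype> <name>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qtype>[A-Z]+) (?P<name>\S+)$")


def filter_log(lines: List[str]) -> List[Tuple[str, Verdict]]:
    """Apply evaluate() to each query in a resolver log; skip malformed lines."""
    verdicts = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # an unexpected line shape should not crash the filter
        verdicts.append((m.group("client"), evaluate(m.group("name"))))
    return verdicts


# Constructed sample resolver log.
SAMPLE_LOG = [
    "2024-05-02T09:14:01Z ws-0412 query A login.m365-login-verify.example.",
    "2024-05-02T09:14:07Z ws-0412 query A free-giftcard-offer.example",
    "2024-05-02T09:15:30Z ws-0219 query A mail.m365.example",
    "2024-05-02T09:16:02Z ws-0219 query A m365-secure.example",
    "2024-05-02T09:17:45Z ws-0301 query AAAA intranet.corp.example",
    "this line is not a query record",
]

if __name__ == "__main__":
    for client, verdict in filter_log(SAMPLE_LOG):
        action = "BLOCK" if verdict.blocked else "allow"
        print(f"{client:8} {action:5} {verdict.name:40} {verdict.reason}")
```

Running the block shows the two blocklisted names and the `m365-secure.example` lookalike blocked for workstations ws-0412 and ws-0219, while the genuine `mail.m365.example` and the internal `intranet.corp.example` queries are allowed. The subdomain rule uses a leading-dot suffix match on purpose: a plain `endswith` would also catch unrelated names that merely end in the same characters. A production filter would replace the two-label `registrable_domain` assumption with a public-suffix list and feed the verdict log into the SOC, since a burst of blocked lookalike queries from one workstation is a useful signal that a baiting email has landed.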

J.P. Roe
