Baiting: Understanding This Type of Social Engineering Attack

If you’ve been keeping up with the phishing threat landscape, then you’ll already know what social engineering is. For those who haven’t heard the term before, it is a type of phishing attack that manipulates human nature to get people to click malicious links. An example would be receiving a fake message from the Post Office claiming there’s a problem with a delivery.

The COVID-19 pandemic made online shopping a popular choice for many, and postal or delivery services have always been notorious for losing packages. So a message like this will often have people clicking on a link they normally wouldn’t. Baiting is the type of social engineering attack that uses the lure of a false promise to overcome people’s natural caution.

What is baiting and how is it different from phishing?

You’ve probably gotten an email with a headline like:

'Hooray!! You are the lucky winner of [insert something that will tempt people here]!!'

If you read the email, it will claim that you’ve won a prize of some sort from a site that you’ve never heard of or used in your life. Or it may claim to be from a more common site like Facebook or PayPal and offer you a reward for doing something you’ve never done.

Most people have grown wise to these types of baiting scams, though, and rarely click the link to download the free thing or claim the prize. This means malicious actors have had to get smarter with their attacks. So these days, the most common form of baiting uses physical media like a USB thumb drive or a digital audio player (an iPod or other MP3 player).

This ‘trojan horse’ type of baiting takes advantage of three different human traits and is a surprisingly effective way to get malware onto a corporate network. In fact, according to a paper published in 2016, as much as 50% of people will plug a USB device they found somewhere into one of their devices.

With many companies adopting a remote work policy, connecting one of these dangerous drives to a home computer is just as dangerous to your corporate network as it would be if your employee plugged it into their computer at work.

Types of baiting attacks to watch out for

Implied authority

While it has been a long time since anyone fell for the ‘you have an unknown rich relative who died’ phishing scam, brand impersonation is a tactic that many still fall for. You expect to get emails from Facebook, Spotify, PayPal and others, so you’re more inclined to trust an email that claims to be from one of those sources.

Some take this further by impersonating an agency or someone seen as an authority figure. For example, during tax season, there are phishing emails that claim to be from the IRS in America or the ATO in Australia. They’ll bait you by claiming that you’ve earned a refund on your taxes and to ‘click here’ to claim it.

With the physical media version, this could take the form of a USB device that has been engraved with a company logo or just has a sticker with a company logo on it. It looks legitimate, so people automatically assume that it is legitimate. Sometimes malicious actors will go further and send a malicious USB as part of a gift package, because who thinks that someone would spend money to steal money?

Taking advantage of people's goodwill

According to the study mentioned above, the majority of people who plugged in a USB device they found somewhere did it because they wanted to return the device to the person/company that lost it. Thumb drives aren’t exactly cheap, and they’ll often hold important documents such as work presentations or even school projects.

When the USB device in question happened to be attached to a set of keys, it was even more likely for someone to go that extra mile and try to return the device. Everyone shares the fear of being locked out of their home or car, thanks to misplacing their keys while they’re out and about. And when there happens to be a file called 'resume' on the device, something that has a phone number and email address – of course, the person who found it will open it!

Playing on people's natural curiosity

Humans are a curious bunch, and when presented with an opportunity to snoop – they tend to take full advantage. So while people are most likely to open a file labelled Resume, if there happens to be a file labelled ‘Family vacation photos’, many wouldn’t be able to resist the urge to take a peek. If a malicious device has been represented as a company device, a file labelled ‘Employee Payroll’ would be equally tempting.

Protect your company against baiting with security awareness training from Phriendly Phishing

The most effective defence against any type of phishing or social engineering attack is to ensure that you and your employees are educated. With award-winning cyber security and phishing simulation training, you can strengthen the weakest link in your cyber security network. Human error was responsible for 41% of business data breaches in 2021, but by making sure your employees know how to spot malicious messages (and malicious devices), you can prevent these kinds of mistakes.

Contact Phriendly Phishing to find out more about the range of cyber security courses we offer and how we can help your company improve its defences against phishing and other types of security risks.