Have you ever received a suspicious email? The kind of email that might say you’ve won some money, or maybe even an email from a “family member” or “friend” telling you to buy an amazing product, by simply opening the attached file or clicking on the link they helpfully provide?
These are examples of baiting, a tactic used to trick people into giving their personal data or information (such as bank details) to malicious, unsafe sources.
Some baiting tactics are very easy to see, however, there are some that are very clever and if you aren’t careful, you could be caught out.
What is baiting in social engineering?
Social engineering is the process baiting attackers use to get into your company's software, computer systems and data. These are the three steps they take to get your information:
- For a targeted attack on an individual, the social engineer (or baiting attacker) researches online and collects as much information as they can on their target, such as their name, social media accounts and interests. For a general attack, assumptions are made about how a group of people might respond to a provocative false approach, for example, with fear or excitement.
- With this knowledge in mind, they bait the victim or victims by pretending to be someone they're not. While using this identity, they will try to manipulate the victim into sharing their personal information.
- Once the baiter has socially engineered the situation to get what they want from their victims, they will have all the information they need to access personal or sensitive data.
How does baiting work?
Baiting, as the name suggests, is designed to lure victims in with something that will appeal to them, or catch their interest to the point of pursuing the bait to find out more. A bit like bait on the end of a fishing rod, it looks tasty but isn't good for the fish! There are a few common baiting attacks you should watch out for.
Abandoned USB
A bait attacker will leave a malware-infected USB for people to find. This is in the hope that they will plug it in, perhaps to try and find the owner or to see what’s on it. Whatever their motivation may be, if the malware-infected USB is plugged into a computer, the infectious malware can spread silently through the computer system, damaging it and accessing information to target people in their contacts.
Phishing
This may be the most commonly known baiting attack. Attackers may take on different identities such as a family member, friend, co-worker or even a technical support assistant, to gain your trust. The phisher can find your contacts once they have hacked into your email account. Examples of baiting in these areas have included a scammer pretending to be a child, reaching out to a parent asking for money to help them get back home; a contact sending a link and telling you to click it for a reward or a co-worker asking you to phone them on the attached phone number in a work email.
Quid Pro Quo
In this baiting attack, the attacker contacts their victim asking for something and offering something to them in return. A common example of this is the bait attacker pretending to be a member of IT support, calling around a company until they find someone with a problem that needs fixing. When they find their victim, they then give them instructions that put malware onto the victim's computer, compromising it and making its private information available for the attacker to access.
How to Deal with a Baiting Attack
So much of our lives is online, which means you may have encountered this kind of scam before. However, you may still be uncertain of how to deal with it safely and effectively.
Educate
Educate yourself on baiting attacks. Learn what’s out there and how to avoid the attacks. By making yourself aware of existing scams and how they work, you will be better equipped to recognise other baiting attacks that may have come your way and know how to deal with them. Reading this article is a great start!
Be vigilant
Watch out for suspicious features in a baiting attack, such as awkward or bad grammar; low quality or slightly altered logos on websites; urgent or emotional requests; and random offers of help online.
Ask questions
Don't be afraid to question something. If you've received a message from someone in your contacts, but their writing voice doesn't sound like them, or what they're offering sounds too good to be true, search for it online so you know what you are dealing with. Try to find a different way of contacting them, which you know has worked in the past, for example, a different email address, phone number or platform, such as WhatsApp.
Report
Report the attack and block the sender. If you’ve received a baiting attack in your work inbox, then report it to your IT team, so they can stop your co-workers from receiving similar emails if they haven’t already. They can also put out a group email to everyone alerting them of the attack, once they have confirmed it is one. If it’s in your personal email or text messages, simply block them and mark them as spam.
Disable autorun
Disable autorun on your computer. Autorun runs programs on a device as soon as you’ve plugged it in, potentially allowing baiting attacks into your computer.
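On a Windows PC the "disable autorun" advice comes down to two Explorer policy values. The script below is an added example written for this article, not Mintivo's own tooling; it assumes a Windows host and an elevated PowerShell session for the part that writes the policy.

```powershell
# Added example: check, and if needed harden, the Windows AutoRun/AutoPlay policy.
# Assumes Windows and an Administrator PowerShell session for Set-AutorunDisabled.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutorunStatus {
    # Read the two policy values Windows consults:
    #   NoDriveTypeAutoRun - bitmask of drive types with AutoRun turned off (0xFF = all types)
    #   NoAutorun          - 1 = never run commands found in an autorun.inf file
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $driveMask = if ($null -ne $props.NoDriveTypeAutoRun) { [int]$props.NoDriveTypeAutoRun } else { $null }
    $noAutorun = if ($null -ne $props.NoAutorun) { [int]$props.NoAutorun } else { $null }
    [pscustomobject]@{
        NoDriveTypeAutoRun = $driveMask
        NoAutorun          = $noAutorun
        # Hardened only when both values are present and set to the strict setting
        Hardened           = ($driveMask -eq 0xFF) -and ($noAutorun -eq 1)
    }
}

function Set-AutorunDisabled {
    # Create the policy key if it does not exist yet, then write both DWORD values.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -PropertyType DWord -Value 0xFF -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'NoAutorun' -PropertyType DWord -Value 1 -Force | Out-Null
}

# Report the current state; only write to the registry if it is not already hardened.
$status = Get-AutorunStatus
if (-not $status.Hardened) {
    Set-AutorunDisabled
    $status = Get-AutorunStatus
}
$status | Format-List
```

Explorer reads these values at sign-in, so sign out and back in (or restart) before re-checking; in a managed estate the same settings are normally pushed through Group Policy rather than set by hand.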
Don’t use unknown devices
Don't plug any unknown devices into your laptop. If you're concerned that someone has truly lost their USB stick, you can leave it in the place you found it. You can keep your own USB sticks safe and returnable by labelling them on the outside, rather than putting your personal details in a document on the stick.
Keep your business secure from baiting attacks
Now you know a little more about baiting attacks and how to protect yourself against one, we want you to know that Mintivo are here to help. We have experience of dealing with many different types of cyber attack, and we can help to protect your business from their dangers. If you would like to learn more about cyber security, we would be very happy to help. We have a team of experts who can advise on how best to keep your business safe from baiting attacks and other cyber issues, so please get in touch. We look forward to hearing from you.