What Is Baiting? (& 6 Actions To Take To Avoid It)
As a business leader, you understand that your IT infrastructure is important. You have invested in technology that positions your business for success. You’ve put security measures in place to keep your data safe. But, you know that risks still exist. You want to minimize them.
Social engineering tactics are designed to trick your employees into providing access to sensitive information. One of the security risks you need to understand and protect against is a social engineering ploy known as baiting.
There are a lot of social engineering ploys out there and it’s hard to keep them all straight. I work at an IT service provider and customers ask us about social engineering frequently. Don’t worry though, I’m not writing this article to convince you to work with Kelser or to tout the benefits of managed IT services.
We understand that not everyone is an IT expert, so we publish articles like this that include all the information you need without bogging you down in technical jargon.
In this article, I’ll provide a straightforward explanation of what baiting is, who it targets, how it works, what it looks like, how to spot it, and how to avoid it.
What Is Baiting?
People who enjoy fishing know that the better their bait (or lure), the more likely they are to land the big catch.
In social engineering terms, baiting is a tactic in which an attacker offers a lure (the bait) that piques the target's curiosity or appeals to their desire for money or status. The lure can be a link, a "free" download, or a physical item such as a flash drive left where someone will find it. The attacker hopes the target will take an action (clicking, downloading, or plugging the device in) that installs malware on a system or network and opens a path to sensitive information.
Who Is Targeted In Baiting Schemes?
Everyone who uses electronic media is a potential victim.
Age is not a discriminator. Experience is not a discriminator. Everyone from young people to business professionals to senior citizens (and everyone in between) can be a victim of a baiting scheme.
No one is immune, but knowledge is power.
What Does Baiting Look Like?
No matter what form it takes, all baiting campaigns capitalize on human curiosity or greed.
Baiting campaigns can be delivered via a variety of devices and platforms including social media, ads, email, external storage devices (like flash drives), and text messages.
In the not-so-distant past, a baiting campaign may have promised riches from a foreign dignitary. Nowadays, most people would recognize that as a scam of some sort. They might not know to call it baiting, but they probably wouldn't click the link.
But what if you receive an email that includes what looks like a link to salary ranges for co-workers, or a text link promises you a deal on the latest smartphone? What if you find a random flash drive left in the parking lot or the break room?
Curiosity, or the prospect of a bargain, would drive most of us to want to know more. These are all examples of baiting schemes, and all of them are designed to exploit human curiosity or greed.
How To Spot Baiting
As with other forms of social engineering, certain telltale signs can help you recognize a baiting attempt.
- Treat any link you receive electronically with suspicion. Re-train your brain to hesitate before you click.
For example, just because an email looks like it comes from someone you know doesn't mean it does, or that the link is harmless; the display name and even the sender address can be forged. If you know the sender, contact them through a separate channel (a phone call, or a new email to the address you already have on file) to verify that they sent the link and that it is safe to open.
A word of caution: don't simply reply to the message you've received. A reply goes to whoever actually sent it, which may be the impostor who contacted you in the first place.
Don't click on any electronic link without considering the implications.
- If an email, text, ad, or found storage device tempts you to take action, take a minute to listen to the voice of reason in your head before clicking or plugging the device in.
The reward will likely not be worth the risk. Re-train your brain to be cautious.
Remember the old adage: If it sounds too good to be true, it probably is. (And, it may be dangerous as well.)
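The "look before you click" advice above can be partly automated. The following Python script is an added example (it is not code from the original article or from Kelser): it parses the anchors in an HTML email body and flags links whose visible text names one domain while the href points somewhere else, links that go to a raw IP address or a URL shortener, and links that leave the organization's own domain. The sample email, the internal domain `example.com`, and the shortener list are all constructed assumptions for this example.

```python
"""Flag lure-style links in an HTML email body.

Added example, not part of the original article. It parses the anchors in
an email body and reports links whose visible text names one domain while
the href actually points elsewhere, links whose href is a raw IP address
or a URL shortener, and links that leave the organization's own domain.
The sample email below is constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed sample: an email "from HR" dangling a salary spreadsheet (the bait).
SAMPLE_EMAIL_HTML = """
<p>Hi team,</p>
<p>The <a href="http://hr-portal-login.example.net/salary.xlsx">2024 salary ranges</a>
are now available on the HR portal.</p>
<p>Also see <a href="https://203.0.113.10/bonus">https://intranet.example.com/bonus</a>.</p>
<p>Policy handbook: <a href="https://intranet.example.com/handbook">intranet.example.com/handbook</a></p>
<p>Short link: <a href="https://bit.ly/3abcXYZ">free phone upgrade</a></p>
"""

# Assumption for this example: the organization's own domain. Links that
# leave it are not necessarily malicious, but they deserve a second look.
INTERNAL_DOMAIN = "example.com"

# Illustrative shortener list, not exhaustive.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def assess_link(href, text):
    """Return the reasons a link deserves suspicion (empty list = nothing flagged)."""
    reasons = []
    href_host = host_of(href)
    if is_ip(href_host):
        reasons.append("href points at a raw IP address")
    if href_host in SHORTENERS:
        reasons.append("href uses a URL shortener, so the real destination is hidden")
    # If the visible text looks like a URL or domain, the href host must match it.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m:
        shown_host = m.group(1)
        if shown_host != href_host:
            reasons.append(f"visible text says {shown_host} but href goes to {href_host}")
    if not in_domain(href_host, INTERNAL_DOMAIN):
        reasons.append(f"destination {href_host} is outside {INTERNAL_DOMAIN}")
    return reasons


def flag_links(html):
    """Return [(href, visible text, reasons)] for every link in the body, in order."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text, assess_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, reasons in flag_links(SAMPLE_EMAIL_HTML):
        status = "SUSPICIOUS" if reasons else "ok"
        print(f"[{status}] '{text}' -> {href}")
        for reason in reasons:
            print("    -", reason)
```

Run against the sample, only the handbook link comes back clean; the "salary ranges" link goes to a look-alike domain, the "bonus" link shows an intranet address but resolves to a bare IP, and the "free phone upgrade" link hides behind a shortener. The check is deliberately simple: it catches the mismatch tricks a human eye skips over, but it says nothing about whether the destination itself is safe, so it complements rather than replaces the phone call to the sender.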
6 Actions You Can Take To Avoid Baiting
There are numerous steps to take that will help your organization avoid baiting. Here are some to take immediately:
- The best advice that everyone can follow immediately is to stop and think before clicking on links or plugging an unknown flash drive into company-owned equipment (or into any personal device that connects to company resources).
- Many organizations have policies that prohibit certain actions (such as plugging in external devices). Make sure you understand the policies that apply to you. (And if your business doesn't have them in place, start working on them today!) Where possible, back the policy up with a technical control, such as endpoint settings that block unapproved USB storage devices, so that it does not depend on every employee remembering it in the moment.
- In addition, keep antivirus and antimalware software up to date, along with the operating system and applications it protects. This won't protect you from everything (a freshly crafted lure may not yet be in anyone's signature database), but it is a very good place to start. The threats and tactics change often, so it's important to have the latest tools in place.
- We all have a sixth sense; listen to it! If something looks suspicious, check before you take action. Retrain your brain and trust your gut!
- Back up the data on your devices regularly, keep at least one copy where malware on the device can't reach it, and practice the restore process so that when something happens you can recover quickly.
- Offer cybersecurity awareness training to employees so that they know the threats and keep the right responses top of mind. (Read this related article: 3 Topics All Cybersecurity Awareness Training Must Include.)
Next Steps To Protect Yourself From Baiting
You’re already in a better position to protect yourself simply as a result of reading this article.
Now you know that baiting is a social engineering ploy perpetrators use to try to appeal to human curiosity and greed, with the ultimate goal of installing malicious software and gaining access to sensitive information.
You know that anyone (no matter their age or experience) can fall victim to baiting.
You also know what baiting looks like and how to recognize it as well as 6 important steps to take today to avoid it.
This knowledge will help you protect your organization.
Some IT service providers provide cybersecurity awareness training as part of a managed services offering. We know that managed IT isn’t right for every organization, but if you are considering outsourcing your IT, managed services might be a solid solution.
Find out more about managed IT by reading this article: What Does A Managed (IT) Service Provider Do? (Essential & Premium Services)
Whether you ultimately decide that managed IT is right for you or not, use the information outlined above to educate your workforce about baiting and how to recognize and avoid it. We publish articles like these because Kelser is committed to transparency and providing the information you need to keep your IT infrastructure safe.