Baiting Attacks Explained – All You Should Know

The internet is full of opportunities and prizes, though not all of them are what they seem. Threat actors use this to bait users into giving away vital information, and that is an attack in its own right. So, what's a baiting attack?

A baiting attack exploits human nature by offering fake prizes and opportunities to steal information or infect devices with malware. These attacks could happen online or offline, and the best way to prevent them is to perform penetration tests to see how many employees would fall for this tactic.

Baiting is as simple as it sounds: a threat actor baits users into giving something valuable away. But there's more to it than that. Understanding how and why it happens is key to preventing hackers from succeeding when they try to bait you.

Understanding a Baiting Attack

Baiting is an attack that relies on exploiting human nature. It often comes in the form of a prize or an offer that's too good to be true. That incredible opportunity isn't real; it's an attack in disguise.

Threat actors employ baiting attacks to infect individual users or infiltrate companies. Unfortunately, baiting is rather effective: most untrained employees wouldn’t shy away from free stuff.

For that reason, employees won’t hesitate when they receive an email saying they won a prize or see a pop-up from a malicious site claiming they can get a 90% discount on Netflix. That’s how hackers get you.

At the same time, baiting could happen offline too. Threat actors leave USB drives in the open, hoping people will grab them: studies show almost 50% of people will grab an unknown drive and plug it into their main computer without scanning it.

Why Does Baiting Work?

Baiting exploits human nature. A good hacker knows how to push buttons, whether they want to perform a phishing or a baiting attack, and when it comes to the latter, greedy or curious employees are the ideal way into a business.

Of course, there’s more than greed to a baiting attack. People often can’t resist something that seems incredible and harmless at the same time. When someone receives an email saying they won a contest, they won’t stop and think about whether they signed up for it – they’ll be happy to claim the prize.

What makes baiting so efficient is also what makes it easy to detect: these attacks often come in the form of something too good to be true, unexpected, or suspicious. Once employees learn to disregard and report these messages, baiting success rates within a company plummet.

Signs of a Baiting Attack

  • Unexpected Prize. A dead giveaway of a baiting attack is being the winner of a contest you never signed up for. It could also come in the form of a pop-up letting you know you won something expensive (e.g., an iPhone) just for visiting a website. You click a link to accept the prize and soon have to give away plenty of sensitive information to claim it.
  • Time-sensitive Offer. Hackers know they can't give you time to think, or else you'd walk away from most attacks out of caution alone. For that reason, they put a time constraint on the prize: you only have ten minutes or so before the offer expires. You rush to click links or download attachments so you don't lose the opportunity.
  • Suspicious Link or Attachment. A baiting attack would have no reason to exist unless it's there to harvest your data or infect your device. For that reason, it always comes with a link or an attachment. Following instructions from an unknown email often results in a catastrophic data breach.
  • Too Good To Be True. A baiting attack relies on a time-sensitive offer of something too good to be true. It has to be mind-blowing so you don't stop to think. Training gives you the tools to take a step back and think, which helps against many attacks, including baiting and phishing.
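The four signs above can be turned into simple triage rules for a mail-filtering or awareness tool. The following is an added example written for this article, not code from the author; the two messages, the trusted domain `corp.example`, and the scoring thresholds are all constructed assumptions.

```python
import re

# Constructed sample messages (not real mail) used to exercise the heuristics.
SAMPLE_MESSAGES = {
    "prize": {
        "sender": "promo@win-free-iphone.example",
        "subject": "Congratulations! You are our 1000th visitor",
        "body": "You have won the latest iPhone. Claim your prize within 10 minutes: "
                "http://win-free-iphone.example/claim",
        "attachments": [],
    },
    "internal": {
        "sender": "alice@corp.example",
        "subject": "Q3 roadmap meeting notes",
        "body": "Notes from today's meeting are attached. Let me know if anything is missing.",
        "attachments": ["notes.pdf"],
    },
}

TRUSTED_DOMAINS = {"corp.example"}  # assumption: the organisation's own mail/web domain

# Sign 1 and 4: unexpected prize / too-good-to-be-true language.
PRIZE_WORDS = re.compile(r"\b(won|winner|prize|congratulations|free|gift card|\d+(st|nd|rd|th) visitor)\b", re.I)
# Sign 2: time pressure.
URGENCY_WORDS = re.compile(r"\b(within \d+ (minutes|hours)|expires?|act now|hurry|limited time|today only)\b", re.I)
# Sign 3: links to hosts we do not control, or attachment types that can execute code.
LINK_RE = re.compile(r"https?://([^/\s]+)", re.I)
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".zip", ".iso", ".lnk")

def score_message(msg, trusted_domains=TRUSTED_DOMAINS):
    """Return (score, reasons): one point per bait indicator found in the message."""
    reasons = []
    text = f"{msg['subject']} {msg['body']}"
    sender_domain = msg["sender"].rsplit("@", 1)[-1].lower()
    if PRIZE_WORDS.search(text):
        reasons.append("unexpected prize or too-good-to-be-true offer")
    if URGENCY_WORDS.search(text):
        reasons.append("time pressure")
    untrusted = [h for h in LINK_RE.findall(text) if h.lower() not in trusted_domains]
    if untrusted:
        reasons.append(f"link to untrusted host {untrusted[0]}")
    risky = [a for a in msg["attachments"] if a.lower().endswith(RISKY_EXT)]
    if risky:
        reasons.append(f"risky attachment {risky[0]}")
    # An external sender plus several bait indicators is the classic combination.
    if sender_domain not in trusted_domains and len(reasons) >= 2:
        reasons.append("external sender combined with bait indicators")
    return len(reasons), reasons

def classify(msg):
    """Map the score to a verdict: report, have a human review, or leave alone."""
    score, _ = score_message(msg)
    return "likely bait" if score >= 3 else "review" if score else "no bait indicators"
```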

Is Baiting a Way of Phishing?

Baiting and phishing are different attacks, though they rely on similar tactics. Baiting attacks come in the form of fake prizes and opportunities. In contrast, phishing happens when a threat actor impersonates an authority figure and pressures you into giving information away.

In other words, baiting relies on a happy moment (e.g., winning a contest), and phishing takes advantage of fear (e.g., suspicious bank activity).

Execution aside, baiting and phishing share the same goal: threat actors perform both attacks to get sensitive data (e.g., personal information or credit card numbers).

Online baiting and phishing are easy to detect with regular training. That means companies should spend time and money to train their employees, helping them learn basic cybersecurity best practices. This training should also include how to detect offline baiting.

Online vs. Offline Baiting

Baiting could happen online or offline, though results are often the same: a data breach or malware infection. However, the way it happens is different. Online baiting comes via email. In contrast, offline baiting could happen in the middle of the street.

Finding a USB drive on the street is a perfect way to describe offline baiting. You pick it up, thinking today’s your lucky day (which is what threat actors hope for), and you take it home or to the office. You plug it into a device and infect it with malware.

That's right: hackers often leave USB drives full of malware lying around, hoping someone will use them. If they want to target a specific company, they leave the drives nearby, sometimes inside its building. This attack is within the top 5 baiting attacks and is more successful than you'd think.

Top 5 Baiting Attacks

1. The 100th Visitor

One of the oldest baiting attacks comes in the form of a claim you have no way to verify.

You visit a website and get told you're the 100th visitor (it could be the 1000th or more). Supposedly, you'll get a prize for that!

You could get a $10 gift card or something extravagant like the latest iPhone. Of course, there’s no prize. You’re getting baited for your information.

2. The Prize Winner

Do you know anyone who has won a prize lately? Hardly anyone wins one! What about a prize in a contest you never signed up for? That, in contrast, is more common than you'd think.

Well, it's not a real contest, and it comes without real prizes. Still, your spam folder is probably full of emails letting you know how much money, how many phones, and so on you've won.

Of course, they're all baiting attacks. Falling for just one is enough to inflict serious damage on yourself, your device, and your company (if you open it from there). It's always a good idea to delete these messages as soon as you see them.

3. The Free Movie

Another common baiting attack comes in the form of a free movie or streaming subscription. You receive an email from what appears to be Amazon, Netflix, or another service letting you know you're getting something for free or for next to nothing.

It’s obvious that a link is waiting for you at the bottom of that email. You click it and see a seemingly-harmless subscription box waiting for you: it asks for your personal information, credit card number, and so on. Of course, there’s no free subscription.

4. The Lost USB Drive

As you now know, people are not that suspicious of anything they find on the street, whether that's money or a USB drive. You can test that yourself: leave a drive lying around, and someone will pick it up sooner rather than later.

Threat actors know about that. That’s why they leave infected drives anywhere, waiting for people to plug them in.

Of course, scattering drives at random may not return a big profit, since no one in particular is being targeted, though hackers know what to do when they want to target a company.

5. The Confidential Report

Hackers know a company's weakest link is not its infrastructure but the people on its payroll. Employees often take the first chance to find out whether they'll get a salary bump or to peek at confidential information.

Leaving a CD or drive labeled accordingly (e.g., salary raises, confidential information, or similar) is enough for an employee to grab it and use it later. Of course, there's no confidential information on that drive, only malware.

It's a classic baiting attack, and one that can be prevented if you know how.

How To Prevent a Baiting Attack

  • Don't Click Suspicious Links. The number one rule is to never click on anything you can't trust. It doesn't matter whether it redirects you to a website or has you download an attachment: you have to avoid it. Never click on anything that doesn't come from someone you know.
  • Don't Accept Prizes You Haven't Signed Up For. Baiting attacks rely on people's willingness to accept prizes, because everyone loves winning a contest. However, if you haven't signed up for it, you're probably winning a piece of malware.
  • Perform Penetration Tests To Check Employee Awareness. Employees are behind almost every data breach a company faces. Hiring a pen tester to see how much they know about baiting attacks and other tactics is necessary to prevent a breach or infection. Real-life tests are the best way to see whether someone is willing to grab a USB drive and plug it into their work computer without thinking, among other things.
  • Routine Antivirus Scans. A penetration test will show who may fall for a baiting attack (preventing future ones), though it won't stop infections that previous attacks may have caused. Routine antivirus scans will show whether there's undetected malware roaming around your network, which could redirect employees to malicious websites and make them fall for a baiting attempt.

What To Do After a Baiting Attack?

Identifying the threat, containing the infected devices, and resetting passwords are a must after a baiting attack. You have to figure out the scope of the attack to know how far the response should go.

A baiting attack could have two results: stealing sensitive information from someone (e.g., login credentials) or infecting a device with malware.

In the first scenario, users or employees should reset their passwords. Signing out of all active sessions on the affected accounts should be mandatory, so threat actors lose access along with the stolen credentials.

The second scenario is more complicated. You need to scan your entire network to find where the infection is and contain it. That may mean business downtime, though it's necessary to prevent further losses.

Baiting attacks rely on people accepting offers that are too good to be true, often prizes or opportunities. These attacks could happen online and offline. Performing tests to raise awareness and never clicking suspicious links is the best way to prevent these attacks from succeeding.

Herman McCargo

Herman is a Microsoft Certified Security Engineer and Cybersecurity Specialist. He’s been in the technology field for over 20 years and has expertise working with the most critical technology infrastructures. He has a deep understanding of cyber risks, threat mitigation and prevention, and overseeing infrastructure.