Baiting is a social engineering technique in which an attacker dangles something the victim wants (a prize, a quick fix for a problem, a request from someone in authority) to lure them into revealing sensitive information or taking an action that compromises their security. In practice it overlaps with phishing (email), vishing (phone) and impersonation, and the examples below use all three channels. This article highlights some common baiting techniques and how to recognise them.
1. Lottery Scams
- Attackers send emails claiming the recipient has won a lottery and needs to click a link to claim the prize.
- Example: "You have won a lottery of $10,000. Click on the link in the email to add that to your Amazon wallet."
- Warning: You cannot win a lottery you never entered. Treat unexpected winnings as a lure, do not click the link, and inspect where the link actually points before doing anything; a promise to pay a prize into an "Amazon wallet" is itself a tell.
2. Fake Bank Calls
- Attackers call victims, pretending to be from a bank, and ask for sensitive information like corporate card details.
- Example: "Hi, I am speaking from MostSecureBank.com. We have to update your corporate card. For that, we need your corporate card details."
- Warning: A legitimate bank will not ask for your full card number, PIN, CVV or a one-time passcode on a call it initiated, and caller ID can be spoofed. Do not confirm anything to an inbound caller; hang up and call back on the number printed on the card or on the bank's official website.
3. Social Media Impersonation
- Attackers use social media platforms to impersonate auditors or other officials, requesting business information.
- Example: "Hi, I am an auditor from the American government. We have to audit information about your business. If you fail to get audited, you may close your business."
- Warning: Government auditors do not initiate audits through social media direct messages. Check the profile's age, verification status and history, and confirm any audit request through the agency's published contact channels, not through the profile that contacted you.
4. Urgent Credential Updates
- Attackers send messages urging recipients to update their organisation's credentials, claiming they are expiring.
- Example: "Hey, CEO of XYZ.com, your organisation credentials need some updates. Old credentials are expiring. If you don't update, you'll lose access."
- Warning: Credentials do not expire by email; if a password really is expiring, the service's normal login flow will tell you. Do not follow the link. Open the service by typing its address yourself, confirm the request with your IT department through a known channel, and report the message.
5. Fake IT Alerts
- Attackers send emails pretending to be from the IT department, claiming malware detection and providing a link to download antivirus software.
- Example: "FROM: IT Team, Malware has been detected in your system. Quickly download the antivirus from this link and run it."
- Warning: A real IT team does not ask staff to download and run an antivirus from an emailed link; endpoint protection is deployed centrally. Check the sender's address and not just the display name, report the mail to IT through a known channel, and never run an executable delivered this way.
6. Executive Impersonation on Slack
- Attackers impersonate company executives on communication platforms like Slack, requesting access to sensitive data.
- Example: "Hey, I am the CEO of this company. Can you quickly give me access to production user data?"
- Warning: A matching display name proves nothing; a guest account or a compromised account can show the right name. Confirm the request out of band (call or speak to the person directly), check the account against the workspace directory, and route any request for production data through the normal access-request process. An executive who genuinely needs data does not need it by chat message.
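The emailed lures in sections 1, 4 and 5 share a handful of recognisable signals: a display name that claims an internal or official role while the address is external, a Reply-To that points somewhere else, "you have won" or urgency language, a request for secrets, and a link whose visible text names one host while the real target is another. The following Python script is an added example, not code from the original article; it scores constructed sample messages on those signals using only the standard library. The organisation domain `xyz.com`, the sample messages and the signal wordlists are assumptions for illustration, and the heuristics are a triage aid for reading a suspicious mail, not a replacement for mail-gateway controls.

```python
"""Heuristic triage of baiting/phishing lures (added example, not the article's code).

Scores an RFC 5322 message on the signals described in the article. ORG_DOMAIN
and every sample message below are constructed for illustration.
"""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "xyz.com"  # assumed internal domain

# Roles attackers impersonate in the article's examples.
CLAIMED_ROLES = re.compile(r"\b(it team|it department|helpdesk|ceo|auditor|bank|security team)\b", re.I)
URGENCY = re.compile(r"\b(quickly|immediately|urgent\w*|expir\w*|lose access)\b", re.I)
LURE = re.compile(r"\b(you have won|lottery|prize|winner)\b", re.I)
SENSITIVE = re.compile(r"\b(password|credentials?|card details|cvv|pin|one[- ]time code)\b", re.I)
DOMAIN_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host(s):
    """Hostname of a URL, or of a bare domain written as link text."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def _domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message):
    """Return (score, findings): one finding per independent signal that fires."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain_of(addr)

    # Display name claims an internal/official role but the address is external.
    if CLAIMED_ROLES.search(name or "") and from_domain != ORG_DOMAIN:
        findings.append(f"display name '{name}' but sender domain '{from_domain}'")

    # Replies are steered to a different domain than the apparent sender.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain_of(reply) != from_domain:
        findings.append(f"reply-to domain '{_domain_of(reply)}' differs from sender")

    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}"

    # Winnings lure, pressure to act fast, request for secrets.
    for label, pattern in (("winnings lure", LURE), ("urgency pressure", URGENCY),
                           ("asks for sensitive data", SENSITIVE)):
        m = pattern.search(text)
        if m:
            findings.append(f"{label}: '{m.group(0)}'")

    # Visible link text names one host while the href goes to another.
    if part is not None and part.get_content_type() == "text/html":
        extractor = _LinkExtractor()
        extractor.feed(body)
        for shown, href in extractor.links:
            if DOMAIN_LIKE.fullmatch(shown) and _host(shown) != _host(href):
                findings.append(f"link shows '{_host(shown)}' but goes to '{_host(href)}'")

    return len(findings), findings


def is_suspicious(raw_message, threshold=2):
    """True when at least `threshold` independent signals fire."""
    return triage(raw_message)[0] >= threshold


# Constructed samples modelled on the article's section 5, section 1 and a benign mail.
FAKE_IT_ALERT = (
    "From: IT Team <it-support@xyz-helpdesk.net>\nTo: employee@xyz.com\n"
    "Subject: Malware detected on your system\nContent-Type: text/html\n\n"
    "<p>Malware has been detected in your system. Quickly download the antivirus from "
    '<a href="http://xyz-av-update.example/setup.exe">https://intranet.xyz.com/av</a> '
    "and run it.</p>\n"
)
LOTTERY = (
    "From: Prize Desk <claims@lotto-winners.example>\nReply-To: payout@different-host.example\n"
    "To: employee@xyz.com\nSubject: You have won a lottery of $10,000\nContent-Type: text/plain\n\n"
    "You have won a lottery of $10,000. Click on the link in the email to add that to your "
    "Amazon wallet: http://lotto-winners.example/claim\n"
)
BENIGN = (
    "From: Dana <dana@xyz.com>\nTo: employee@xyz.com\nSubject: Lunch on Friday?\n"
    "Content-Type: text/plain\n\nAre you free for lunch on Friday? The team is going to the place on 5th.\n"
)

if __name__ == "__main__":
    for label, sample in (("fake IT alert", FAKE_IT_ALERT), ("lottery", LOTTERY), ("benign", BENIGN)):
        score, findings = triage(sample)
        print(f"{label}: score={score} suspicious={is_suspicious(sample)}")
        for f in findings:
            print("   -", f)
```

Each check fires at most once so the score counts independent signals rather than repeated keywords; the fake IT alert trips three (external sender claiming to be the IT team, "Quickly", and the intranet link that really points at an executable on another host), the lottery mail trips two, and the benign internal mail trips none. Tune the wordlists and threshold to your own organisation before relying on the score.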
Understanding common baiting techniques and being vigilant can help protect you and your organisation from falling victim to these attacks.