Clever tactics known as baiting encourage employees to click on web links or plug in devices that can lead to catastrophic outcomes for your business.
by Dr. Matthew Canham
- Baiting is a tactic that leverages powerful social influence principles to lure people into traps, both online and in the physical world.
- Online, malicious emails try to bait employees into exposing company information or relinquishing funds.
- Offline, half of people finding a USB drive will plug it into their device, risking the spread of infection.
- It’s important to teach employees how to avoid social engineering both online and off.
Baiting refers to a social engineering tactic that promises something enticing to lure an employee into a trap that could ultimately infect their company’s network or steal its sensitive information. Baiting can be used as a tactic for a variety of attacks, both online and off.
Online, much phishing and business email compromise relies on baiting, with recent estimates showing 50% of employees clicking on unverified links in emails. Offline, one of the most pernicious types of baiting is known as the “USB drop,” which involves getting flash drives with malicious payloads into the hands of unsuspecting employees. A well-documented study found that about half of people who discovered an abandoned USB drive later plugged that drive into a device.
The shift to remote work over the past couple years has led the security community to intensify its focus on defending against online social engineering attacks. However, it would be a mistake to ignore physical security.
Criminals are agile and will adjust their tactics to whatever will provide them with the best success rates. It is likely that as the security community focuses more on strengthening defenses against online attacks, physical attacks might become a more attractive attack vector. Indeed, a recent FBI report warned that “malware by mail” exploits are re-emerging, with malicious USB drives being sent through the postal mail.
Baiting Trap #1: Exercising Authority
If you’d like to understand why social engineering tactics are so effective, read Dr. Robert Cialdini’s book Influence. In it, he outlines six principles of influence that apply to sales, religious cults and social engineering. One of the more powerful influence tactics is relying on authority. Authority can be leveraged through power (as in legal authority), through expertise (as in technical support) or by establishing legitimacy (by projecting an “official” appearance).
The pretext of authority is seen in phishing emails that impersonate government agencies, such as the IRS or FBI. A criminal may likewise establish legitimacy in the physical world by placing a sticker with a company logo on a USB device, then dropping it in a place where it is likely to be discovered by employees, like a company parking lot. If that criminal spends a few extra dollars for expensive-looking laser engraving, the chances of success will increase tremendously.
Baiting Trap #2: Goodwill Hunting
In the previously mentioned study, most people who found USB drives plugged them in because they wanted to return them to the owners. When a set of keys was attached to the USB drives, the number of drives that were plugged in increased significantly. The most opened file was labeled “Resume,” which survey respondents presumably opened to find contact information for the owner.
Unfortunately, this social engineering tactic exploits the altruistic desire to help by turning it into an attack vector. This desire to help others can be used in other ways, such as holding several large packages and requesting help from an employee to open a door as a technique to tailgate into a restricted area. The online parallel to this might be impersonating online charities to receive donations from the unsuspecting.
Baiting Trap #3: The Lure of Mystery
A good mystery is hard to ignore. In another book, Dr. Cialdini discusses three “magnetizers” that enhance social influence tactics: the mysterious, the unfinished and the self-relevant. These magnetizers can significantly increase the likelihood that a social engineering attempt will be successful, regardless of the tactic used.
My own research on phishing susceptibility has found that including a component of mystery in simulated phishing messages significantly increases the number of clicks. The dropped USB study found that a folder labeled “Winter Break Photos” was opened second most frequently, after “Resume.” While people wanted to identify the owner to return the USB, they were also curious and wanted to snoop. Placing a label titled “Employee Payroll” on a dropped USB will tempt even the most security-conscious employee.
Teaching Employees to Avoid Scams
By leveraging social influence tactics to establish legitimacy, appeal to the desire to help, or pique an employee’s curiosity, a malicious actor can dramatically improve their odds of success. The past couple years have seen a trend away from in-person training, according to recent Mimecast research. Security staff should (when possible) include some in-person trainings with discussion about the risks associated not only with phishing but also with connecting USB devices to organization-owned machines. These training sessions will be most beneficial when they include examples of tactics used by criminals (company logos, enticing labels, car keys attached to the drive) to lure employees into plugging USB drives into company machines.
Another key point of awareness training should be informing employees of what to do if they find a USB or similar device. Should they give it to the information security department? Should they turn it in to Lost and Found? If a USB drive should be turned in to a non-information security department, then additional precautions should be taken to ensure that the receiving department does not plug the discovered device into a work machine.
Using Technology to Prevent Baiting Attacks
Technology can also help prevent online and offline baiting, and steps include:
- Online: Use impersonation protection to block malicious actors from outside your organization who are attempting to impersonate employees. It is also important to protect employees from taking harmful actions when they encounter online baiting attacks like phishing.
- Offline: Whenever possible, disable USB ports on production machines. Alternatively, disable the AutoRun feature, which lets Windows automatically launch programs from removable media when a device is inserted.
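The two offline controls above map to well-known Windows settings that can be audited and enforced centrally. The script below is an added example written for this article, not code from the author or from any vendor; the registry paths and values are standard Windows locations (the Explorer `NoDriveTypeAutoRun` policy and the `USBSTOR` service start type), while the function names are assumptions for this example.

```powershell
# Added example (not part of the original article): audit and enforce two Windows
# hardening settings against USB-drop baiting. Registry paths and values are the
# standard Windows locations; the function names are assumptions for this example.
# Run in an elevated PowerShell session. USBSTOR changes apply after a reboot;
# AutoRun changes apply after Explorer restarts.

# Disable AutoRun for every drive type (0xFF = all drive-type bits set) so Explorer
# will not launch programs listed in autorun.inf on inserted media.
$AutoRunPolicy = @{
    Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    Name  = 'NoDriveTypeAutoRun'
    Value = 0xFF
}

# Stop the USB mass-storage driver from loading (Start = 4 means "disabled").
# This blocks USB flash drives but not keyboards or mice, which use other drivers.
$UsbStorPolicy = @{
    Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    Name  = 'Start'
    Value = 4
}

function Test-BaitingHardening {
    # Returns one object per setting showing the expected and actual values,
    # so the output can be collected from many machines and compared.
    foreach ($p in @($AutoRunPolicy, $UsbStorPolicy)) {
        $actual = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        [pscustomobject]@{
            Setting   = "$($p.Path)\$($p.Name)"
            Expected  = $p.Value
            Actual    = $actual
            Compliant = ($actual -eq $p.Value)
        }
    }
}

function Set-BaitingHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Only disable USB storage on machines that never legitimately need it.
        [switch]$DisableUsbStorage
    )
    $targets = @($AutoRunPolicy)
    if ($DisableUsbStorage) { $targets += $UsbStorPolicy }
    foreach ($p in $targets) {
        if ($PSCmdlet.ShouldProcess("$($p.Path)\$($p.Name)", "Set to $($p.Value)")) {
            if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
            New-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Value `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

# Usage:
#   Test-BaitingHardening | Format-Table        # audit current state
#   Set-BaitingHardening -WhatIf               # preview changes without applying
#   Set-BaitingHardening -DisableUsbStorage    # enforce both settings
```

In a domain, the same AutoRun setting is available as the “Turn off AutoPlay” policy under Computer Configuration, Administrative Templates, Windows Components, AutoPlay Policies, which is the preferable way to deploy it at scale; the script is useful for auditing machines that the policy may have missed. Note that disabling AutoRun prevents automatic execution only; a user who manually opens a malicious file from the drive is still exposed, which is why the awareness training described above remains necessary.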
The Bottom Line
Employees often unwittingly aid criminals in gaining access to company resources by being compliant, helpful or curious. Teach employees how to avoid being duped. In addition to conducting phishing simulations as training, consider incorporating “USB drops” into your awareness training program. If your company employs remote workers, consider sending them bogus USB drives through the mail, to learn how they’re handled. Criminal tactics constantly evolve. The best countermeasure is to preserve an open communication channel between employees and security departments.
 Canham, Dawkins and Jacobs (manuscript currently under review)