Baiting: An Exploitation of Human Nature by Cybercriminals

An ingenious strategy known as "baiting" persuades workers to plug in gadgets or click on online links that might have disastrous effects on your company.

Baiting is a social engineering technique where alluring promises are made to entice workers into a trap that might eventually infect their firm's network or steal critical data from it. Several online and offline attacks might employ baiting as a technique.

According to current estimates, 50% of workers click on unconfirmed links in emails, making baiting a common tactic in online phishing and corporate email infiltration.

Offline, one of the most heinous baiting methods is the "USB drop," which entails getting maliciously programmed flash drives into employees' hands. According to a well-reported survey, over half of those who found an abandoned USB drive ultimately inserted it into a device.

The security industry has increased its attention on guarding against online social engineering threats in recent years due to the transition to remote employment. However, ignoring physical security would be a mistake.

Criminals are agile and will change their strategies to whatever would increase their chances of success. Physical attacks can become a more appealing attack channel if the security industry concentrates more on bolstering defences against internet attacks. A recent FBI study warned that "malware by mail" attacks are reappearing and that malicious USB sticks are again being sent through the postal service.

Baiting Trap No. 1: Using Power

Read Dr. Robert Cialdini's book Influence to learn why social engineering strategies work so well.

He explains six influencing concepts that apply to social engineering, religious cults, and sales. First, relying on authority is one of the most effective influencing strategies. Power (such as legal authority), knowledge (such as technical help), and legitimacy (by portraying an "official" look) may all be used to leverage authority.

Phishing emails that pretend to be from the IRS or the FBI exhibit the pretence of authority. Putting a sticker with a corporate emblem on a USB drive and leaving it in a location where it's likely to be found by personnel, such as a company parking lot, is another way for a criminal to establish credibility in the real world. The chances of success increase dramatically if the thief spends a few extra dollars on a laser engraving to make it look legitimate.

Baiting Trap No. 2: Goodwill Hunting

In the survey mentioned above, most of those who discovered USB drives plugged them in to return them to their rightful owners. The number of plug-ins rose considerably when a set of keys was attached to the USB drives. The "Resume" file was the one most often opened, perhaps by people looking for the owner's contact information.

Unfortunately, by using it as an attack vector, this social engineering strategy takes advantage of people's goodwill. This impulse to assist others may also be employed in various ways, such as tailgating into a prohibited area while carrying multiple bulky products and asking staff to unlock a door for you. The internet equivalent of this may be posing as a legitimate charity to solicit money from unwary individuals. [5]

Baiting Trap No. 3: Mystery's Allure

A good mystery is hard to overlook. According to Dr. Cialdini in another book, the unknown, the unfinished, and the self-relevant are three "magnetizers" that improve social influence techniques. Regardless of the method used, these magnetizers may raise the chance that a social engineering endeavour will be successful.

According to research into phishing susceptibility, adding a sense of mystery to simulated phishing communications considerably boosts the number of clicks.

The "Winter Break Photos" folder was opened second most often, after "Resume," according to the dropped-USB research. People wanted to snoop while simultaneously trying to locate the owner of the USB to return it to them. Even the most security-conscious employee may give in if a dropped USB has a label reading "Employee Payroll" on it.

Educating staff about scams

A bad actor may significantly increase their chances of success by using social influence strategies to create legitimacy and appeal to the desire to assist or stimulate an employee's interest. According to a recent Mimecast study, there has been a movement away from in-person training over the last several years. Security personnel should provide in-person training covering the dangers of phishing and attaching USB devices to company-owned computers when feasible. These training sessions will be most helpful if they contain examples of the tricks employed by thieves to trick staff into connecting USB sticks to corporate computers (business logos, alluring labels, connected vehicle keys, etc.).

Teaching staff members what to do if they discover a USB or similar device should be another essential component of awareness training. For example, should they hand it to the department in charge of information security? Do they need to report it to Lost and Found? If a found USB drive is sent to a non-information-security department, additional safeguards should be in place to prevent the receiving department from plugging it into a work computer.

Technology-Based Defense Against Baiting Attacks

Both online and physical baiting may be avoided with the use of technology.

  • Online: Use impersonation protection to stop malicious outside actors from posing as your employees. Employees should also be shielded from dangerous actions when they encounter internet-luring tactics like phishing.
  • Offline: Disable USB ports on production devices whenever it's practical. Alternatively, stop Windows from automatically starting applications from removable media by disabling the autorun function.
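The two offline controls in the list above are both plain Windows registry settings, so they can be audited and enforced with a short script. The following PowerShell is an added example written for this page, not code from the original article; it assumes an elevated (administrator) session on a Windows host and uses the documented `NoDriveTypeAutoRun` policy value and the `USBSTOR` service start type. The `-Enforce` switch name is the script's own choice.

```powershell
# Added example (not from the original article): audit, and optionally enforce,
# the two offline anti-baiting controls on a Windows host.
# Assumes an elevated (administrator) PowerShell session. Without -Enforce the
# script only reports; with -Enforce it writes the expected values.
[CmdletBinding()]
param(
    [switch]$Enforce
)

# NoDriveTypeAutoRun = 0xFF disables AutoRun/AutoPlay for every drive type,
# so inserting a USB stick can no longer launch a program by itself.
$autorunKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorunName  = 'NoDriveTypeAutoRun'
$autorunValue = 0xFF

# USBSTOR Start = 4 (SERVICE_DISABLED) stops the USB mass-storage driver from
# loading, so newly attached USB drives are never mounted. USB keyboards and
# mice use a different driver stack and are unaffected.
$usbstorKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$usbstorName  = 'Start'
$usbstorValue = 4

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # key or value does not exist yet
    }
}

function Test-Setting {
    param([string]$Label, [string]$Path, [string]$Name, [int]$Expected)
    $current = Get-RegValue -Path $Path -Name $Name
    $ok = ($null -ne $current) -and ([int]$current -eq $Expected)
    $state = if ($ok) { 'COMPLIANT' } else { 'NON-COMPLIANT' }
    Write-Host ("{0,-26} {1,-14} current={2} expected={3}" -f $Label, $state, $current, $Expected)
    return $ok
}

function Set-Setting {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

$autorunOk = Test-Setting 'AutoRun disabled'         $autorunKey $autorunName $autorunValue
$usbstorOk = Test-Setting 'USB mass storage blocked' $usbstorKey $usbstorName $usbstorValue

if ($Enforce) {
    if (-not $autorunOk) { Set-Setting $autorunKey $autorunName $autorunValue }
    if (-not $usbstorOk) { Set-Setting $usbstorKey $usbstorName $usbstorValue }
    Write-Host 'Settings applied. AutoRun changes take effect after Explorer restarts or the user signs in again.'
}
```

Run it without arguments first to see which machines already match the policy, then with `-Enforce` on hosts where blocking all USB storage is acceptable. In a managed domain the same two values are usually pushed through Group Policy ("Turn off AutoPlay" and removable-storage access policies) rather than per-host scripts, which also stops a local administrator from quietly reverting them.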

Conclusion

Employees often unintentionally assist thieves in acquiring access to business resources by being obedient, helpful, or curious. Employees should learn how to prevent scams. Consider including "USB drops" in your awareness training programme in addition to doing phishing simulations as training. Consider sending phoney USB drives in the mail to your company's remote employees to see how they react to them. Criminal strategies are constantly changing. The best defence is to keep lines of communication open between staff and security divisions.

Team Awareness training!

We are looking forward to helping you build a stronger cybersecurity culture!

  • Prevents data breaches and phishing attacks
  • Builds a culture of security
  • Reinforces defences against cyber threats
  • Gives your customers confidence
  • Aids in compliance
  • Reinforces social responsibility
  • Improves employee wellbeing

GET YOUR ONE WEEK FREE TRIAL NOW!

More articles by Dan Duran
