21 May 2026 • Cyber security
Baiting is one of the oldest and most effective social engineering techniques in cybersecurity, and one of the least talked about. Where phishing exploits urgency and vishing exploits trust, baiting exploits something even more fundamental: curiosity. An attacker places something appealing in the path of a potential victim and waits for human nature to do the rest. Understanding what baiting is, how it works online and physically, and why it keeps working despite broad awareness of cyber threats is the first step to protecting your organisation against it.
What is baiting?
Baiting is a social engineering attack in which an attacker uses a tempting or curiosity-triggering lure, the “bait”, to trick a target into taking an action that compromises their security or their organisation’s security. The bait can be digital or physical, and the goal is always the same: get the target to do something they would not otherwise do.
The term comes from the idea of fishing: placing bait on a hook and waiting. In cybersecurity, the hook is malware, a credential-harvesting page or an entry point into a network. The bait is whatever the attacker believes the target will find irresistible: free software, a found USB drive, an “exclusive” download link, a prize notification.
What makes baiting distinct from other social engineering attacks is that it does not require direct contact between attacker and target. The attacker sets the trap and waits. This makes it scalable, one well-placed bait can reach hundreds of people, and harder to attribute than phishing or vishing.
Internet bait: how online baiting works
Internet baiting takes many forms. What they have in common is that they offer something the target wants, and deliver something the target did not ask for. Common forms of internet bait include:
- Free software or media downloads. A website offers a free version of paid software, a movie, a game or a tool. The download contains malware bundled with or instead of the promised content. The target installs it willingly.
- Prize or reward notifications. Pop-ups or emails announce that the user has won a prize, qualified for a refund, or is the thousandth visitor. Clicking through leads to a credential-harvesting page or triggers a malware download.
- Fake job offers or professional opportunities. Targeted at professionals, particularly via LinkedIn or email, these lures promise opportunities in exchange for clicking a link, opening an attachment or completing a form, which harvests personal or corporate credentials.
- Curiosity-driven links. A link shared via email, messaging or social media that promises something provocative, exclusive or personally relevant. “Your photo has been shared,” “See who viewed your profile,” “Leaked document about [your company].” The target clicks because curiosity overrides caution.
- Fake security alerts. A pop-up warns that the device is infected and instructs the user to download a “repair tool.” The tool is the malware.
Internet baiting works because it meets the target where they already are, browsing, scrolling, downloading, and offers something that feels like a reward, not a risk.
Physical baiting: the USB drop and beyond
Not all baiting happens online. Physical baiting, leaving infected devices or media in places where targets will find them, is a well-documented and consistently effective attack technique. The most common form is the USB drop.
An attacker leaves one or more USB drives in a location where employees of a target organisation are likely to find them: a car park, a reception desk, a conference room, a toilet. The drive is often labelled to increase curiosity, “Salary data Q3,” “Confidential,” “Photos from the party.” An employee finds it, plugs it into a work device to find out what is on it, and executes the attacker’s payload.
Studies have repeatedly shown that a significant proportion of people who find an unknown USB drive will plug it in. The label increases the likelihood further. Physical baiting is effective precisely because it bypasses all the email security, web filtering and endpoint controls an organisation has invested in, and relies only on a person doing what people do when they find something that might be interesting.
Baiting vs phishing vs other social engineering: key differences
| Technique | Primary trigger | Contact required | Channel |
|---|---|---|---|
| Baiting | Curiosity, greed, self-interest | No, attacker sets trap and waits | Online (download, link) or physical (USB) |
| Phishing | Urgency, fear, authority | Indirect (email sent to target) | Email, messaging |
| Vishing | Trust, authority, urgency | Yes, live phone call | Voice / phone |
| Pretexting | Trust in fabricated identity | Yes, direct interaction | Email, phone, in person |
| Quid pro quo | Reciprocity, something for something | Yes, attacker initiates offer | Phone, email |
For a overview of the different phishing attack types, see different types of phishing attacks.
How to protect your organisation against baiting
Technical controls help, disabling USB autorun, blocking untrusted download sources, web filtering, but they address only part of the problem. The core of baiting is a human decision: pick it up, click it, plug it in. The only reliable protection against that decision is an employee who pauses before acting.
That pause is a trained behaviour. Security awareness training that covers baiting scenarios gives employees the mental model to recognise a lure, online or physical, and question it rather than act on impulse. Key habits to build:
- Never plug in an unknown USB device. Regardless of where it was found or what it is labelled. Hand it to IT.
- Question “too good to be true” offers online. Free software, unexpected prize notifications and exclusive downloads are reliable baiting signals.
- Verify before downloading. Employees who check the source of a download against a trusted list are significantly less likely to install malware via baiting.
- Report, do not ignore. A found USB drive or a suspicious download prompt is worth reporting. Normalising that reporting gives security teams early warning.
Baiting exploits what makes people effective in other contexts: curiosity, openness, helpfulness. Awareness training does not try to eliminate those traits. It teaches people when to apply an extra layer of scepticism before acting on them.