Cybersecurity has never been more indispensable than it is today: the internet changes shape every year rather than over decades. Social engineering scams exploit both the vulnerabilities that arise from these changes and human psychology. They are responsible for a significant portion of online fraud, both in attack volume and in financial losses. Baiting social engineering scams are among the most common attacks used by cybercriminals.
What is Baiting Social Engineering?
Baiting involves luring a victim with an incentive—usually playing on either greed, fear, or curiosity—in order to trick them into sharing confidential information. Baiting relies on impersonation to gain the confidence of victims. Once they establish themselves as a trustworthy source such as the IT team, leadership team, or a supplier, cybercriminals will then attempt to steal money or sensitive organizational data from the targets.
Baiting differs from other forms of social engineering like phishing in that it promises the victim a physical or digital item to entice them into actions that compromise organizational security. Understanding baiting scams allows your organization to better defend against the threat, which requires familiarity with:
- How baiting scams target organizations
- Baiting scam examples
- How to prepare your cyberdefenses
To further protect against baiting scams, consider consulting with an expert cybersecurity advisor for program assistance.
How Baiting Scams Target Organizations
Baiting scams can take many forms. For example, cybercriminals can plant infected USB drives bearing legitimate-looking corporate logos in public company spaces like receptions or parking areas. Even cafeterias and co-working spaces are vulnerable if attackers can access them.
The attackers then hope that curiosity gets the better of an unsuspecting employee who connects the USB drive to a computer, infecting the device or, worse, the entire network.
However, malicious actors don’t even need physical access to employees to steal sensitive information.
Another baiting social engineering example involves sending enticing or distressing messages containing malicious attachments or downloads to many employees. The 2020 Verizon Data Breach Investigations Report showed that 40% of malware attacks in 2020 used malicious email links, and 20% used email attachments.
Real-Life Baiting Scams Targeted at Organizations
Social engineering—and baiting, in particular—has rapidly grown into one of the most effective ways to target the weakest link in an organization’s security infrastructure: the people.
Employees are often the easiest roadblock to bypass for cybercriminals looking to steal confidential and valuable organizational information. There have been many instances of high-profile organizations falling victim to baiting scams.
1. Deepfake Scam Steals $200k+ From UK Energy Company
A notable example of baiting came to light in March 2019, when it was reported that fraudsters had tricked the CEO of a UK-based energy company into transferring $243,000 into their accounts.
The criminals used a ‘deepfake’ to impersonate the voice of the CEO’s boss and asked him to transfer funds to a Hungarian supplier within the hour, creating a sense of urgency and preying on his fear.
While this was claimed to be the first use of AI-assisted voice-spoofing scams in Europe, such sophisticated attacks are on the rise. As a result, organizations need to adapt their cybersecurity program to stand a chance against such advanced cyber attacks.
2. CEO Scam Steals $47 Million from Aerospace Parts Maker
FACC, an Austrian plane parts manufacturer, lost almost $47 million when scammers impersonated high-level executives and tricked its employees into transferring funds into their accounts.
The company reported that in late 2015, hackers impersonated their CEO Walter Stephan via a hoax email and managed to convince the firm’s finance department to transfer around $47 million to a hoax account.
The company fired Stephan for ‘severely violating his duties’ and failing to implement sufficient security protocols to prevent such attacks.
This incident could have been avoided if employees had been sufficiently trained to identify and tackle baiting scams. Cybersecurity awareness training services can significantly reduce your organization’s risk exposure towards modern cyber attacks.
3. Whaling Attack Tricks Belgian Bank out of $75 Million
Another ‘CEO Fraud’ was successfully orchestrated against the Belgian bank Crelan in 2016, when its CEO was targeted in a “whaling” attack through a Business Email Compromise (BEC). “Whaling” refers to a social engineering and phishing technique that identifies and targets a specific, high-profile figure within an organization.
Cybercriminals tricked the CEO into transferring around $75 million into their accounts through a hoax email, impersonating high-level executives.
How You Should Prepare Against Baiting Scams
Baiting and social engineering scams prey on human emotions (e.g., distress, fear, and curiosity) instead of targeting physical or digital cybersecurity loopholes.
As a result, organizations need to educate their employees and account for the multiple variables involved with detecting, mitigating, and reporting baiting attacks.
So, how do you prepare against baiting scams?
The Federal Trade Commission (FTC) shares four common signs you can use to identify a scam:
- Scammers will impersonate someone you know or trust.
- Scammers will trick you with the promise of a prize or present a distressing situation to compel you to act.
- Scammers will pressure you to act urgently.
- Scammers will ask you to pay in a specific way or provide unfamiliar account details.
Employees and high-level executives must evaluate suspicious situations according to these basic criteria to identify whether a call or an email conversation is a scam.
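The four FTC signs above can be turned into a first-pass triage for inbound mail: flag impersonation (a familiar display name on an unfamiliar address, a lookalike domain, or a diverted Reply-To), lure or distress wording, urgency wording, and requests for a specific payment method or new account details, then escalate when several signs coincide. The script below is an added example for this article, not tooling from RSI Security or the FTC; the organization domain, the executive name, the sample messages and the account number in it are all constructed placeholders, and the keyword lists are assumptions a team would tune to its own mail.

```python
"""Heuristic triage of an inbound email against the four FTC scam signs.

Added example for this article, not tooling from RSI Security or the FTC.
Every message, name, domain and account number below is constructed for
the demo; 'example-corp.test' and its executives are placeholders.
"""
import re
from dataclasses import dataclass, field
from email.utils import parseaddr

# Hypothetical organization data: the legitimate mail domain and the
# addresses that known senders (e.g. executives) actually write from.
INTERNAL_DOMAIN = "example-corp.test"
KNOWN_SENDERS = {"walter example": "walter.example@example-corp.test"}

# Sign 2: a lure (prize) or a manufactured distressing situation.
LURE = re.compile(
    r"\b(prize|winner|you have won|gift card|reward|"
    r"account (?:has been )?(?:suspended|locked|compromised)|legal action|final notice)\b",
    re.I)
# Sign 3: pressure to act urgently.
URGENCY = re.compile(
    r"\b(within the hour|immediately|urgent(?:ly)?|right away|today|asap|"
    r"before (?:close of business|cob)|deadline)\b", re.I)
# Sign 4: a specific payment method or unfamiliar account details.
PAYMENT = re.compile(
    r"\b(wire(?: transfer)?|new (?:bank|account) details|iban|swift|routing number|"
    r"bitcoin|crypto|prepaid cards?)\b", re.I)


@dataclass
class Triage:
    signs: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # Two or more FTC signs together warrant escalation to security;
        # a single sign is common in legitimate mail and only merits a look.
        if len(self.signs) >= 2:
            return "escalate"
        return "review" if self.signs else "pass"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(headers: dict, body: str,
           known_senders: dict = KNOWN_SENDERS,
           internal_domain: str = INTERNAL_DOMAIN) -> Triage:
    signs = []
    display, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]

    # Sign 1: impersonation. The display name is a known contact but the
    # address is not theirs, the domain is a near-miss of ours, or Reply-To
    # quietly diverts the conversation to another domain.
    expected = known_senders.get(display.strip().lower())
    if expected and addr != expected.lower():
        signs.append(f"impersonation: '{display}' but sent from {addr}")
    if domain != internal_domain and edit_distance(domain, internal_domain) <= 2:
        signs.append(f"impersonation: lookalike domain {domain}")
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.lower().rsplit("@", 1)[-1] != domain:
        signs.append(f"impersonation: Reply-To diverts to {reply_to}")

    for label, pattern in (("lure or distress", LURE), ("urgency", URGENCY),
                           ("payment method or account details", PAYMENT)):
        hit = pattern.search(body)
        if hit:
            signs.append(f"{label}: '{hit.group(0)}'")
    return Triage(signs)


# Constructed sample messages (not real mail).
SAMPLES = {
    "bec_wire": ({"From": '"Walter Example" <walter.example@examp1e-corp.test>'},
                 "I am in a confidential meeting and cannot take calls. Please wire "
                 "47,000 EUR to the new supplier account (IBAN: XX00 PLACEHOLDER) "
                 "within the hour and keep this between us."),
    "prize_lure": ({"From": '"Prize Desk" <claims@prize-desk-promo.test>'},
                   "Congratulations, you have won a 500 EUR gift card! Claim today "
                   "by confirming your details."),
    "it_reminder": ({"From": '"IT Helpdesk" <helpdesk@example-corp.test>'},
                    "Reminder: please reboot once today's patch window closes."),
    "cafeteria": ({"From": '"Dana Colleague" <dana.colleague@example-corp.test>'},
                  "Hi all, next week's cafeteria menu is attached. Have a good weekend."),
}


def triage_samples() -> dict:
    """Run every constructed sample through triage; returns name -> Triage."""
    return {name: triage(hdrs, body) for name, (hdrs, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in triage_samples().items():
        print(f"{name:12s} {result.verdict:9s} {result.signs}")
```

The constructed CEO-style wire request trips all four signs and is escalated, the prize lure trips two, and the legitimate IT reminder trips only the urgency check, which is why a single sign is routed to "review" rather than blocked: keyword heuristics like these catch the obvious cases and reduce the load on people, but they cannot replace the out-of-band verification the section below asks of employees.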
Security Awareness Training
Awareness goes a long way in avoiding a potential baiting scam. Always question the source when you’re contacted with a too-good-to-be-true offer or an urgent request for funds, sensitive information, or credential-related matters. Ask for identification from the person or entity on the other end and try to break the sense of urgency that’s typically created by cybercriminals.
At an employee level, you should train personnel on the real dangers of baiting scams and educate them on identifying the different kinds. In addition to providing educational programs, you may consider utilizing a phishing simulation service. These training aids send simulated phishing emails to your employees to help them recognize red flags and collect data on who would benefit from more training. While organizations may choose to reward excellent records, training results should never be used to single out or shame an employee.
Craft a Robust Security Program
Educating employees can go a long way in preventing security breaches, but you cannot rest easy afterward. First, security training should be updated and performed periodically. Second, your organization needs to have in place a comprehensive and up-to-date cybersecurity program to plug all possible sources of security breaches.
A robust cybersecurity program should be crafted with a multi-faceted approach and cover all aspects associated with the prevention of and response to cyberattacks. Several key elements that your organization’s security program should include are:
- Secure email relays and user IP authorization controls.
- Email security controls (e.g., firewalls, web filters) configured to screen for malicious emails, attachments, and downloads.
- Social engineering testing programs.
- Incident response plans to mitigate damage caused by baiting scams and maintain business continuity.
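One concrete piece of the "screen for malicious attachments" control is a gateway policy that judges an attachment by more than its name: block executable and script types outright, block anything whose leading bytes identify executable content regardless of the declared name, quarantine double extensions and macro-enabled Office documents from untrusted senders, and quarantine files whose content does not match their declared type. The code below is an added example for this article, not a product's or RSI Security's own policy; the extension sets are assumptions a team would tune, and every attachment in it is a constructed byte string.

```python
"""Attachment screening policy for an inbound mail gateway.

Added example for this article, not a vendor's or RSI Security's code. The
attachments below are constructed byte strings; the extension and magic
lists are assumptions a team would tune, not a maintained blocklist.
"""
from dataclasses import dataclass

# Assumed policy: file types that should never arrive from outside as attachments.
BLOCKED_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs", "vbe",
               "wsf", "hta", "lnk", "msi", "ps1", "iso", "img"}
# Macro-enabled Office formats: quarantined unless the sender is authorized.
MACRO_EXT = {"docm", "xlsm", "pptm", "xlam", "dotm"}
# Document types that commonly appear as the first half of a double extension.
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# Leading bytes expected for declared types, and bytes that mean "this is code".
MAGIC = {"pdf": b"%PDF-", "zip": b"PK\x03\x04", "docx": b"PK\x03\x04",
         "xlsx": b"PK\x03\x04", "png": b"\x89PNG", "jpg": b"\xff\xd8\xff"}
EXECUTABLE_MAGIC = {b"MZ": "Windows PE", b"\x7fELF": "ELF binary", b"#!": "script"}


@dataclass
class Decision:
    action: str   # "allow", "quarantine" or "block"
    reason: str


def screen_attachment(filename: str, data: bytes, sender_trusted: bool = False) -> Decision:
    """Apply the policy to one attachment; rules run from most to least severe."""
    exts = filename.lower().split(".")[1:]          # "invoice.pdf.exe" -> ["pdf", "exe"]
    final = exts[-1] if exts else ""

    if final in BLOCKED_EXT:
        return Decision("block", f"executable or script type .{final}")
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):                  # content is code whatever the name says
            return Decision("block", f"{kind} content disguised as .{final or 'none'}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT:
        return Decision("quarantine", f"double extension .{exts[-2]}.{final}")
    if final in MACRO_EXT and not sender_trusted:
        return Decision("quarantine", f"macro-enabled document .{final} from untrusted sender")
    if final in MAGIC and not data.startswith(MAGIC[final]):
        return Decision("quarantine", f"content does not match declared type .{final}")
    return Decision("allow", "passed attachment policy")


# Constructed attachments (name, leading bytes, sender trusted?), not real files.
SAMPLES = {
    "exe_double_ext": ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00", False),
    "pe_as_pdf": ("quarterly_report.pdf", b"MZ\x90\x00\x03\x00", False),
    "macro_untrusted": ("quote.docm", b"PK\x03\x04\x14\x00", False),
    "macro_trusted": ("quote.docm", b"PK\x03\x04\x14\x00", True),
    "html_as_pdf": ("statement.pdf", b"<html><script>", False),
    "zip_double_ext": ("photos.jpg.zip", b"PK\x03\x04\x14\x00", False),
    "real_pdf": ("statement.pdf", b"%PDF-1.7\n%\xe2\xe3", False),
}


def screen_samples() -> dict:
    """Screen every constructed sample; returns name -> Decision."""
    return {name: screen_attachment(fn, data, trusted)
            for name, (fn, data, trusted) in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in screen_samples().items():
        print(f"{name:16s} {decision.action:10s} {decision.reason}")
```

The ordering matters: the executable-bytes rule runs before the name-based rules so that a PE file renamed to .pdf is blocked rather than merely quarantined for a type mismatch, and the trusted-sender exception applies only to macro documents, never to executables.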
Additionally, investing in expert advisory services, such as a virtual Chief Information Security Officer (vCISO) or a managed security services provider (MSSP), will further shore up your defenses against cyber attacks.
Protect Your Organization, Professionally
Baiting social engineering scams will continually increase in complexity and frequency as technology overall and cybercriminal techniques evolve. As a result, organizations must adopt new and innovative web technologies to counter the threat.
Contact RSI Security today to discover how we can help you train for, detect, mitigate, and respond to all social engineering scams and other cyberthreats.