Baiting
A social engineering attack that lures victims into compromising themselves by offering something enticing — such as a free USB drive, download, or prize — that contains or leads to malware or data theft.
Also known as: USB baiting, physical bait attack, lure attack
Last reviewed: 1 June 2026
Baiting exploits human curiosity and the desire for something free or valuable. The attacker offers an attractive lure — a dropped USB drive labelled 'Salary Data 2024', a free software download of a popular paid application, a promised prize that requires clicking a link, or a physical item like a charger at an airport — and the victim, drawn by the offer, takes an action that exposes their device or data to compromise.
The USB baiting attack is a classic physical baiting technique: infected drives are left in car parks, lobbies, or conference venues near a target organisation. Employees who plug in a found drive to see what it contains may trigger automatic execution of malware. Studies have shown surprisingly high rates of people plugging in found drives even when they have been told about this threat in security training.
Digital baiting includes warez (pirated software) sites that bundle malware installers, fake download buttons that install adware, and social media posts offering 'free' vouchers that lead to credential-harvesting pages. Baiting differs from phishing in that it relies more on greed or curiosity than on fear or urgency. Defences include disabling AutoRun for removable media, using endpoint security that blocks unauthorised removable media, and training employees never to plug in unknown devices.
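The two host-level controls named above (AutoRun off, removable storage blocked) can be audited and enforced from the registry; the script below is an added example for Windows endpoints, not part of this entry. It uses Microsoft's documented Explorer and Removable Storage Access policy keys; the `-Enforce` switch name and the pass/fail output format are this example's own choices.

```powershell
<#
  Added example: audit, and optionally enforce, the two host controls named in
  the entry (AutoRun off, removable storage denied) on a Windows endpoint.
  Registry locations are Microsoft's documented policy keys; -Enforce is a
  hypothetical switch name chosen for this example. Run from an elevated shell.
#>
param([switch]$Enforce)

$AutoRunKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$RemovableKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Each check: policy key, value name, the value that means "hardened", and a label.
$Checks = @(
    @{ Path = $AutoRunKey;   Name = 'NoDriveTypeAutoRun'; Want = 0xFF; Label = 'AutoRun disabled on all drive types' },
    @{ Path = $RemovableKey; Name = 'Deny_All';           Want = 1;    Label = 'All removable storage classes denied' }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # A missing key or value is reported as $null, i.e. "not configured".
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Set-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

$NonCompliant = 0
foreach ($c in $Checks) {
    $have  = Get-PolicyValue -Path $c.Path -Name $c.Name
    $ok    = ($null -ne $have) -and ($have -eq $c.Want)
    $shown = if ($null -eq $have) { 'not configured' } else { '0x{0:X}' -f $have }
    Write-Host ('[{0}] {1}: {2}' -f $(if ($ok) { 'PASS' } else { 'FAIL' }), $c.Label, $shown)
    if (-not $ok) {
        $NonCompliant++
        if ($Enforce) {
            Set-PolicyValue -Path $c.Path -Name $c.Name -Value $c.Want
            Write-Host ('       set {0}\{1} = 0x{2:X}' -f $c.Path, $c.Name, $c.Want)
        }
    }
}

# A non-zero exit code lets a deployment or compliance job flag the host.
exit $NonCompliant
```

`Deny_All` blocks every removable storage class (disks, optical media, portable devices), which is broader than blocking only unauthorised media; allowlisting approved devices needs a device-control product or the per-class values under the same `RemovableStorageDevices` key.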
Examples
- Labelled USB drives with the name of a target company are left in the building car park; several employees plug them in at their workstations, triggering an automated malware installer that gives attackers network access.