Baiting: What it is, common lures, and how not to take the bait

Baiting

What it is

Baiting is a social-engineering trick: attackers dangle something tempting—an “urgent” work file, free software, a giveaway—to make you install malware yourself. The lure feels legit; the payload hides in the download.

How it works

  • A believable hook (HR forms, invoices, prize emails, “codec needed” pop-ups).

  • You click → a file or installer runs → malware slips in quietly.

  • The malware steals logins, plants backdoors, or encrypts files.

Common lures

  • “Payroll_update_Q3.pdf.exe” or macro-heavy docs

  • Fake download buttons or “update your player” prompts

  • USB drives “found” near the office (curiosity bait)

  • Ads for cracked/pro “free” software

Spot the signs

  • Files asking to “Enable macros” or bypass browser warnings

  • Unwanted installers bundled with a needed tool

  • New extensions, startup items, or sudden redirects after a click
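The two lists above (the double-extension lure like “Payroll_update_Q3.pdf.exe” and the “Enable macros” sign) can both be checked before a file is opened. The script below is an added example, not code from the original page: it screens a filename for a hidden executable extension and inspects an Office Open XML file for an embedded VBA project (the `word/vbaProject.bin` part that triggers the macro prompt). The extension lists, the minimal in-memory document and the sample filenames are constructed for the demonstration; the right-to-left-override check goes slightly beyond the text, since that Unicode trick is another way the true extension gets hidden.

```python
"""Screen a download before opening it: flag the lure patterns the page lists
(double extensions, macro-enabled Office documents) plus the right-to-left
override filename trick. All sample data here is constructed for the demo."""
import io
import re
import zipfile

# File types that execute when double-clicked on Windows (constructed list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "ps1", "lnk"}
# Document-looking extensions attackers put in front of the real one.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
# Office Open XML parts that hold VBA; if present, Office will ask to "Enable macros".
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: "Invoice\u202efdp.exe" renders as "Invoiceexe.pdf"


def filename_findings(name: str) -> list[str]:
    """Return the reasons a filename looks like bait (empty list = nothing obvious)."""
    findings = []
    if RLO in name:
        findings.append("right-to-left override character hides the true extension")
    parts = name.lower().replace(RLO, "").split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS and len(parts) > 2 and parts[-2] in DOC_EXTS:
        findings.append(f"double extension: looks like .{parts[-2]} but is really .{ext}")
    elif ext in EXECUTABLE_EXTS:
        findings.append(f"executable file type .{ext}")
    if re.search(r"\s{3,}\.", name):
        findings.append("whitespace padding pushes the real extension out of view")
    return findings


def has_vba_project(data: bytes) -> bool:
    """True if an Office Open XML file (docx/docm/xlsm/pptm) carries a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip container, so not an OOXML document at all
    return any(part in names for part in VBA_PARTS)


def build_office_doc(with_macros: bool) -> bytes:
    """Constructed minimal OOXML-shaped zip for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def screen_download(name: str, data: bytes) -> list[str]:
    """Combine the filename and content checks into one list of findings."""
    findings = filename_findings(name)
    if has_vba_project(data):
        findings.append("document contains a VBA macro project; expect an 'Enable macros' prompt")
    return findings


if __name__ == "__main__":
    samples = [  # constructed sample downloads
        ("Payroll_update_Q3.pdf.exe", b""),
        ("Invoice\u202efdp.exe", b""),
        ("HR_form.docm", build_office_doc(with_macros=True)),
        ("Agenda.docx", build_office_doc(with_macros=False)),
    ]
    for name, data in samples:
        print(name, "->", screen_download(name, data) or ["no obvious lure"])
```

A clean result from this script is not proof of safety (a plain `.exe` with an honest name is still bait if it came from a “free software” ad), but any finding is reason enough to stop and verify the sender before going further.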

If you took the bait

  1. Disconnect from the internet (unplug Ethernet, switch off Wi‑Fi) so the malware can’t call home or spread.

  2. Run a full anti-malware scan and remove findings. If it finds anything, or files have been encrypted, treat the device as compromised and reinstall rather than trust a cleanup.

  3. From a clean device, change passwords (starting with email and anything logged in on the infected machine) and enable MFA.

  4. On a work device, tell IT/Security right away, ideally before you clean anything so they can investigate; then watch your accounts for unusual sign-in alerts.

Prevent it

  • Download only from official sources; ignore “free” cracks.

  • Don’t enable macros unless you must (and trust the sender).

  • Verify sender and domain; when unsure, call to confirm using a number you already have, not one from the message.

  • Keep OS, browser, and extensions updated; use real-time protection.
