Baiting: What it is, common lures, and how not to take the bait

Baiting

What it is

Baiting is a social-engineering trick: attackers dangle something tempting—an “urgent” work file, free software, a giveaway—to make you install malware yourself. The lure feels legit; the payload hides in the download.

How it works

  • A believable hook (HR forms, invoices, prize emails, “codec needed” pop-ups).

  • You click → a file or installer runs → malware slips in quietly.

  • The malware steals logins, plants backdoors, or encrypts files.

Common lures

  • “Payroll_update_Q3.pdf.exe” or macro-heavy docs

  • Fake download buttons or “update your player” prompts

  • USB drives “found” near the office (curiosity bait)

  • Ads for cracked/pro “free” software

Spot the signs

  • Files asking to “Enable macros” or bypass browser warnings

  • Unwanted installers bundled with a needed tool

  • New extensions, startup items, or sudden redirects after a click
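The two lists above describe what a baited file looks like on disk: a document-style name ending in an executable extension (“Payroll_update_Q3.pdf.exe”) or an Office format that asks to “Enable macros”. The attachment-triage check below is an added example, not part of this glossary entry; the extension sets, the whitespace-padding rule and the sample filenames are assumptions constructed for illustration.

```python
import re

# Extensions that run code when double-clicked on a typical Windows desktop.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "ps1"}
# Office formats that can carry macros (the "Enable content" prompt).
MACRO_EXTS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}
# Extensions a user expects to open as a harmless document or image.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                 "txt", "jpg", "jpeg", "png", "zip"}


def classify_attachment(filename: str) -> str:
    """Return 'deceptive-double-extension', 'executable', 'macro-document' or 'ok'."""
    # Collapse whitespace padding such as "photo.jpg        .scr": the padding
    # pushes the real extension out of view in narrow filename columns, and
    # Windows hides known extensions by default, so "x.pdf.exe" shows as "x.pdf".
    name = re.sub(r"\s+", "", filename.strip().lower())
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return "ok"
    final = parts[-1]
    inner = [p for p in parts[1:-1] if p]   # extensions between base name and the last one
    if final in EXECUTABLE_EXTS:
        if any(p in DOCUMENT_EXTS for p in inner):
            return "deceptive-double-extension"
        return "executable"
    if final in MACRO_EXTS:
        return "macro-document"
    return "ok"


def triage_attachments(filenames):
    """Map every attachment that is not 'ok' to its verdict."""
    return {f: v for f in filenames if (v := classify_attachment(f)) != "ok"}


# Constructed sample attachment names; the first one is the lure from this page.
SAMPLE_ATTACHMENTS = [
    "Payroll_update_Q3.pdf.exe",
    "Invoice_10421.pdf",
    "Q3_budget.xlsm",
    "photo.jpg        .scr",
    "setup.exe",
]

if __name__ == "__main__":
    for name, verdict in triage_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:28} {name}")
```

A mail gateway or endpoint control would quarantine the first two verdicts outright and route macro documents to a sandbox or a user warning rather than silently delivering them.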

If you took the bait

  1. Disconnect from the internet.

  2. Run a full anti-malware scan and remove findings.

  3. From a clean device, change passwords and enable MFA.

  4. Tell IT/Security if this is a work device; watch accounts for alerts.

Prevent it

  • Download only from official sources; ignore “free” cracks.

  • Don’t enable macros unless you must (and trust the sender).

  • Verify sender and domain; when unsure, call to confirm.

  • Keep OS, browser, and extensions updated; use real-time protection.
