What is Baiting in Cyber Security and How Can Charities Stay Safe?


Baiting is a deceptive cyberattack technique in which malicious actors exploit human behaviour to trick individuals into compromising their organisation’s security, often without realising it.

For charities, baiting is particularly dangerous. Why? Because they rely heavily on trust, often operate with stretched resources, and may not have in-house cybersecurity expertise. Nonprofit organisations are deeply people-focused, which makes them ideal targets for tactics that prey on curiosity, helpfulness or a desire to do good.

This blog will break down what baiting scams look like in practice and explain why they pose a risk far beyond large corporations.

What is Baiting in Simple Terms and How Does It Work?

Baiting is a form of social engineering that dangles something enticing, the “bait”: a free download, a tempting link, a USB drive left in the break room or an attractive online offer. The bait lures people into taking a dangerous action, and once someone takes it, the door is open to malware, data theft or even a full-scale breach.

This method exploits everyday human instincts, such as curiosity, helpfulness or the desire to gain something of value, and needs no sophisticated hacking techniques at all.

Understanding the Different Types of Baiting

In cybersecurity, baiting takes many forms, each exploiting different vectors, but all sharing one thing in common: they capitalise on human error. Let’s break them down, with concrete examples, research insights, and practical guidance for charities.

  • Clickbait

Clickbait in a cyber-security context refers to sensational or misleading headlines that entice users to click, usually by opening a curiosity gap. These links may promise jaw-dropping news, free gifts or urgent alerts, but behind them sit malware, credential harvesters or phishing pages. The goal is to manipulate attention, not to inform. Modern clickbait leans on emotional manipulation, and it is used not just by media outlets but by cyber-criminals seeking a foothold in your network.

  • Malvertising

Malvertising (malicious advertising) occurs when attackers place malicious adverts, or ad code that loads one, into legitimate ad networks. Genuine-looking ads on trusted sites then become vectors for drive-by infections, sometimes without the user clicking anything. The complex ecosystem of advertisers, networks and publishers unwittingly delivers harmful code to end users.

Malwarebytes reported a staggering 42% month-on-month growth in US malvertising incidents in autumn 2023, with a further 41% rise between July and September.

  • Spear Baiting

Spear baiting takes clickbait or malvertising further by targeting specific individuals or organisations. Attackers conduct reconnaissance, such as researching your projects or partnerships, to tailor their lure: an email titled “Urgent Grant Update for [Your Charity Name]” or “Your Q4 Donor Report Inside.” Once clicked, the payload might carry malware or phish credentials.

  • Physical Baiting

Physical baiting remains effective and terrifyingly simple. It involves leaving malicious USB drives in common areas, with labels like “Staff Salaries Q3” or “New Donor List.” Harmless curiosity can lead to malware installation when someone plugs it in.

Real-World Example of Baiting in Cybersecurity

Real-world incidents bring the cyber threat of baiting into sharp relief, and underscore how even seemingly innocuous actions can deliver severe consequences.

University USB Drop Experiment (2016)

A striking real-world example comes from a 2016 academic study at the University of Illinois: researchers dropped 297 USB drives across campus (including parking lots and lounges) containing files disguised as PDFs or exams. The results were telling:

  1. 98% of the drives were picked up.
  2. 45% were plugged in and had at least one file opened.
  3. The fastest was connected in under six minutes.

Another write-up of the same experiment reported that 20% of finders plugged in the drive and interacted with its content, while only 16% said they scanned the drive with antivirus software before opening any files.

These figures reveal just how quickly and effectively a baiting attack can succeed, often long before any IT safeguards can respond.

Why Baiting Works

  1. It targets people, not systems. Cybersecurity tools like antivirus software and firewalls focus on threats to systems, but baiting preys on human behaviour. Someone may plug in a USB left in the staff room “just to check whose it is,” bypassing technical protections entirely.
  2. It exploits trust and goodwill. Users aren’t acting recklessly; many engage with the device out of a genuine desire to help or simply out of curiosity. This is especially true in charities, where staff often perform numerous roles and may not receive extensive cyber training.
  3. It’s quick to succeed. The University of Illinois study showed how rapidly a device can be used: the first connection came in under six minutes, leaving a very narrow window for detection.
  4. It feels legitimate. In spear baiting, messages appear authentic and time-sensitive, leading staff to act quickly without questioning the source.

The Consequences of Cyber Baiting for Charities

Even a seemingly small misstep can spiral into serious consequences for a charity.

1. Operational Disruption

When baiting succeeds, charities can be locked out of systems or have their website defaced, disrupting core services and communications. For instance, one NGO’s website was redirected to an online marketplace and was offline over the winter holidays. With no backup to restore from, it took nine months to rebuild and return to normal operations.

Takeaway: Regular backups and disaster recovery plans can prevent months-long downtime.

2. Financial Losses and Rising Incident Rates

In 2024, around 32% of UK charities experienced a cyber attack, with average direct costs per incident of around £460. These figures likely underestimate the problem, as indirect costs, such as diverted staff time and donor erosion, are harder to quantify but just as damaging.

Takeaway: Even frequent low-value incidents can aggregate into a critical drain on resources. Cyber hygiene and small investments in defences offer high ROI.

3. Data Exposure and Donor Data Breaches

Sensitive donor or beneficiary data can be exposed through baiting-based malware or ransomware. In one case, the ransomware group LockBit stole data from a telemarketing firm that served charities, compromising 50,000+ donor records and over 320,000 documents, shaking trust across 70+ charities.

Takeaway: Limit vendor access, enforce data encryption, and vet third-party data handling.

4. Reputational and Regulatory Harm

Once public, a breach can devastate a charity’s credibility. Under UK GDPR, a personal data breach that is likely to put individuals at risk must be reported to the ICO within 72 hours of the charity becoming aware of it, and failing to do so can bring fines on top of the lasting loss of donor confidence.

Takeaway: Prepare incident response plans that include prompt legal and communication protocols.

How Charities Can Spot Baiting Scams and Stay Protected

Some actionable steps to protect your charity from baiting threats are:

  • Encourage a “stop and think” culture

Encourage staff and volunteers to think before plugging in a USB drive, clicking a link or downloading a file, especially when it arrives unsolicited. Train every staff member to verify an unexpected link by hovering over it to see the destination URL before clicking, and to treat a mismatch between the displayed text and the real destination as a red flag.

If a USB drive or download seems out of place, ask: “Who sent this, and why?” Set a clear policy that unknown USB drives are handed to IT, never plugged in.

As the UK’s National Cyber Security Centre (NCSC) notes, training and simple practices can reduce exposure to social engineering attacks by up to 80%.
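The “hover over the link” check above scales poorly when every recipient has to do it by hand. The script below is an added example, not code from the original article or from Qlic, showing how the same check can be run over an HTML email body: it compares the domain a link appears to point at with where the href actually goes, and also flags raw IP addresses, punycode look-alike hostnames and non-web schemes. The sample email is constructed for illustration, and the simplified public-suffix handling (`SECOND_LEVEL`) is an assumption that a production tool would replace with the `tldextract` package.

```python
"""Flag links whose visible text disagrees with their real destination.

Added example for the "hover over the link" check: runs the comparison a
person would make by hovering, over a whole HTML email body. Sample email
below is constructed; SECOND_LEVEL is a deliberate simplification of the
Public Suffix List.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Common UK-style second-level suffixes so that "charity.org.uk" is treated
# as one registrable domain (simplification; use tldextract in production).
SECOND_LEVEL = {"co", "org", "ac", "gov", "net", "me", "ltd", "plc", "sch", "nhs"}
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def registrable_domain(host):
    """'login.charity.org.uk' -> 'charity.org.uk'; 'evil.example.net' -> 'example.net'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def looks_like_url(text):
    """True when the visible link text is itself presented as a URL or domain."""
    return bool(URL_LIKE.match(text.strip()))


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def check_link(href, text):
    """Return the reasons a link deserves a second look; an empty list means it passed."""
    findings = []
    parsed = urlparse(href.strip())
    if parsed.scheme in ("mailto", "tel"):
        return findings                      # ordinary contact links, not web destinations
    if parsed.scheme not in ("http", "https"):
        findings.append("non-web scheme %r" % (parsed.scheme or "(none)"))
        return findings
    host = parsed.hostname or ""
    try:
        ipaddress.ip_address(host)
        findings.append("link goes to a raw IP address")
    except ValueError:
        pass                                 # a normal hostname
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalised (punycode) hostname, possible look-alike")
    if looks_like_url(text):
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if registrable_domain(shown) != registrable_domain(host):
            findings.append("text shows %s but link goes to %s" % (shown, host))
    return findings


def suspicious_links(html_body):
    """(href, visible text, reasons) for every link that fails check_link."""
    collector = LinkCollector()
    collector.feed(html_body)
    results = []
    for href, text in collector.links:
        reasons = check_link(href, text)
        if reasons:
            results.append((href, text, reasons))
    return results


# Constructed sample: a spear-baiting style "grant update" with one
# mismatched link, one honest link, one raw-IP download and a mailto.
SAMPLE_EMAIL = """
<p>Dear team,</p>
<p>Your <a href="https://charitycommission-gov-uk.example.net/login">https://grants.charitycommission.gov.uk/Q4</a> grant update is waiting.</p>
<p><a href="https://files.ourcharity.org.uk/report.pdf">Download the donor report</a></p>
<p>Install the free donor software: <a href="http://203.0.113.7/setup.exe">Open now</a></p>
<p>Questions? <a href="mailto:it@ourcharity.org.uk">it@ourcharity.org.uk</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print("%-55s %s" % (href, "; ".join(reasons)))
```

Run as-is it reports two of the four links: the grant-update link, because the text shows charitycommission.gov.uk while the href goes to example.net, and the “Open now” link, because it downloads from a bare IP address. The honest report link and the mailto link pass, which is the behaviour you want from a triage tool that people will actually trust.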

  • Disable Autorun and Control Removable Media

Where possible, disable AutoRun and AutoPlay on every drive type so that plugging in a device never launches anything automatically, and use device control policies to block unauthorised USB storage, or at least to prevent programs running from it, with a rule that any drive that must be used is scanned on an isolated machine first. In the browser, disable automatic downloads and restrict third-party adverts with DNS filtering or ad-safe settings.
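To make the AutoRun and removable-media controls concrete, here is an added example (not from the original article or from Qlic) that audits, and can apply, the corresponding Windows policy registry values. The key paths and value names are the standard Group Policy-backed settings; the chosen profile (AutoPlay off on all drives, no autorun.inf commands, no write or execute on removable disks) is an assumption for illustration, and the function names are hypothetical. `evaluate()` is pure and runs anywhere; `read_live()` and `apply()` need Windows, administrator rights, and will be overridden by any domain Group Policy that sets the same values.

```python
"""Audit and apply the AutoRun / removable-storage hardening described above.

Added example. The registry locations are the standard policy-backed ones;
the strictness profile in REQUIRED is an assumption (adjust Deny_Write if
staff legitimately need to write to USB). Run on Windows as an administrator
to read or set live values; evaluate() works on any platform.
"""
try:
    import winreg                      # Windows only
except ImportError:                    # non-Windows: audit logic is still usable
    winreg = None

EXPLORER_POLICY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
REMOVABLE_POLICY = r"SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
# Device setup class GUID for "Removable Disks" (USB flash drives and the like).
REMOVABLE_DISKS_CLASS = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"

# (key under HKLM, value name, required REG_DWORD value, what it controls)
REQUIRED = [
    (EXPLORER_POLICY, "NoDriveTypeAutoRun", 0xFF, "turn off AutoPlay on all drive types"),
    (EXPLORER_POLICY, "NoAutorun", 1, "never execute autorun.inf commands"),
    (REMOVABLE_POLICY + "\\" + REMOVABLE_DISKS_CLASS, "Deny_Execute", 1,
     "block running programs from removable disks"),
    (REMOVABLE_POLICY + "\\" + REMOVABLE_DISKS_CLASS, "Deny_Write", 1,
     "block writing to removable disks (data exfiltration)"),
]
# To block removable storage completely instead, set REMOVABLE_POLICY\Deny_All = 1.


def evaluate(current):
    """current maps (key, value_name) -> int, or None when the value is absent.
    Returns one finding per required setting that is missing or wrong."""
    findings = []
    for key, name, wanted, why in REQUIRED:
        got = current.get((key, name))
        if got is None:
            findings.append("%s\\%s not set (%s)" % (key, name, why))
        elif got != wanted:
            findings.append("%s\\%s = %#x, expected %#x (%s)" % (key, name, got, wanted, why))
    return findings


def read_live():
    """Read the required values from HKLM; absent keys or values map to None."""
    if winreg is None:
        raise RuntimeError("reading the registry requires Windows")
    current = {}
    for key, name, _, _ in REQUIRED:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                value, kind = winreg.QueryValueEx(handle, name)
                current[(key, name)] = value if kind == winreg.REG_DWORD else None
        except FileNotFoundError:      # raised for a missing key or a missing value
            current[(key, name)] = None
    return current


def apply():
    """Create the policy keys if needed and set every required value (admin only).
    Removable-storage denials take effect when a device is next connected."""
    if winreg is None:
        raise RuntimeError("writing the registry requires Windows")
    for key, name, wanted, _ in REQUIRED:
        with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, key, 0,
                                winreg.KEY_SET_VALUE) as handle:
            winreg.SetValueEx(handle, name, 0, winreg.REG_DWORD, wanted)


if __name__ == "__main__":
    problems = evaluate(read_live())
    print("\n".join(problems) if problems else "removable-media policy: compliant")
```

The Windows default for NoDriveTypeAutoRun is 0x91, which still leaves AutoPlay enabled for removable drives, so a machine that has never had the policy set will show up in the audit even though the value exists. Keep the audit in a scheduled task or your RMM tool; a single policy push is not enough if nobody checks that it stuck.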

  • Run Regular and Realistic Awareness Training

Invest in security awareness training that includes real-world scenarios, such as the University of Illinois USB experiment (98% of drives picked up, 45% plugged in), to show employees how quickly a breach can happen and help them recognise baiting attempts.

Consider running interactive sessions every six months, with quizzes, accounts from people who have been through real incidents, and simulated “baiting” scenarios such as a planted USB drive or a too-good-to-be-true download.

  • Use Technical and Behavioural Tools in Tandem

Simple tools like ad-blockers and allow-lists can block malicious adverts (malvertising) and access to suspicious files, complementing behavioural defences.

Deploy vetted browser extensions such as ad-blockers, enforce application allowlisting so only approved programs can run, and restrict admin privileges to reduce the attack surface.

  • Strengthen Password Policy and Access Control

Limit users to non-admin accounts for day-to-day tasks and enforce strong, unique passwords, using passphrases like three random words, as recommended by the NCSC. Also, ensure your charity adopts multi-factor authentication (MFA) to drastically reduce account compromise.

  • Back Up Data and Maintain a Response Plan

Ensure regular offsite or cloud backups are in place to mitigate a baiting-based ransomware attack. Also, have a proven incident response plan that covers identification, reporting, and recovery. Keep backups tested, and run tabletop exercises to rehearse breach scenarios.

  • Consider a Cyber Essentials Certification

Cyber Essentials provides a clear, government-backed framework for implementing a baseline of security measures. This is a cost-effective way for charities, which often operate on limited budgets, to protect themselves against the most common cyber attacks. Cyber Essentials also signals commitment to donors and partners.

  • Monitor Third-Party Risks

Ensure that vendors, such as fundraising platforms or IT support providers, are assessed for their cyber hygiene. Only 23% of charities use security monitoring tools.

Include vendor resilience requirements in contracts, insist on encrypted data transfers, and limit vendor access rights to the minimum they need.

Conclusion

As we’ve discovered, baiting works because it doesn’t need to break through firewalls, it simply needs to exploit human behaviour. Whether it’s a USB stick left near your reception desk, a malvertising pop-up offering “free donor software,” or a cleverly crafted email tailored to your latest grant, these attacks evade even the best technical defences when people aren’t prepared.

For charities, the stakes are particularly high. You’re not just shielding internal systems, you’re safeguarding sensitive beneficiary information, financial data, donor trust, and the continuity of services that communities rely on.

Unfortunately, many charities still believe they’re “too small to be a target,” when their limited resources and high-trust environments make them ideal victims.

The good news is that baiting is avoidable.

From understanding the different types of baiting to spotting real-world red flags and building strong, proactive defences, your team has the power to change the outcome. 

At Qlic, we’ve helped hundreds of charities take control of their cybersecurity, providing clear guidance, hands-on support, and a genuine understanding of your mission. 

Whether you need a one-off review or a fully managed IT security strategy, we’re here to help you stay safe, stay focused, and keep doing what matters most.

Do you want to learn how to improve your charity’s current cybersecurity posture?

Cyber Baiting: A Charity FAQ

What is the difference between baiting and phishing?

While both baiting and phishing attacks are types of social engineering, they use different tactics to achieve the same goal: tricking someone into giving up sensitive information or access.

  1. Baiting involves offering something enticing, such as a free download, USB drive, or software, that secretly delivers malware or gives attackers access once the victim interacts with it.
  2. Phishing, on the other hand, relies on impersonation and urgency: for example, an email that looks like it’s from a bank, supplier or colleague, asking the recipient to click a link or provide login credentials.

Pretexting vs Baiting

Pretexting is another form of social engineering, but it focuses on manipulating trust through a fabricated scenario. The attacker creates a believable story to extract confidential information, often by impersonating someone with authority or a valid reason to request access.

  1. Baiting offers a physical or digital lure to tempt someone into triggering malware.
  2. Pretexting builds a false narrative, like pretending to be an IT technician, funder, or partner, to extract information voluntarily.

What is an example of bait and switch in cybercrime?

Bait and switch in cybercrime refers to deceiving a user by offering something legitimate (the bait), and then secretly replacing it with something malicious or unwanted (the switch).

  1. A common example is an online ad offering a free tool or service. When the user clicks, they’re taken to a malicious site or prompted to download malware.
  2. Another instance involves installing legitimate software that is later updated, silently in the background, with spyware or a keylogger.

Rae Dawson

Marketing

About the Author

Rae supports marketing activities, including creating content, managing social media, coordinating campaigns, and assisting with research and administrative tasks.
