Baiting

Baiting is a social engineering attack where the attacker leaves malware-infected media — USB drives, CDs, or external hard drives — in locations where targets are likely to find them. The bait might be labeled enticingly ('Employee Bonuses 2026,' 'Confidential') to encourage the finder to plug it into their computer.

When the bait device is connected to a computer, it can automatically install malware, capture credentials, or establish a backdoor. Famous examples include the Stuxnet attack, which used infected USB drives to penetrate air-gapped systems.

Why It Matters

CMMC includes requirements for controlling removable media. Policies restricting or disabling USB ports on CUI systems, combined with user training about the dangers of found media, prevent baiting attacks from compromising your environment.
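One concrete form of the USB restriction mentioned above, as an added example that is not part of the original page: a small PowerShell audit-and-enforce routine for the Windows USB mass-storage driver. It assumes an elevated session on the host being hardened; the USBSTOR registry path and the Start values (3 = load on demand, 4 = disabled) are the standard Windows service settings.

```powershell
# Added example (not from the original page): audit and, where required, disable the
# USB mass-storage driver so a "found" drive cannot mount as a disk on a CUI system.
# Assumes an elevated PowerShell session on the target host.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorageState {
    # Read the current driver start type; 4 means the driver never loads.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Start    = $start
        Disabled = ($start -eq 4)
    }
}

function Disable-UsbStorage {
    # Capture the prior value so the change is auditable and reversible.
    $before = Get-UsbStorageState
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    $after = Get-UsbStorageState
    [pscustomobject]@{
        Host   = $after.Host
        Before = $before.Start
        After  = $after.Start
    }
}

# Audit first; apply the control only on systems your removable-media policy covers.
Get-UsbStorageState
# Disable-UsbStorage
```

Setting Start to 4 blocks only the mass-storage class, so devices that enumerate as a keyboard or network adapter still attach; that is why the page pairs the port restriction with user training about found media. In a domain, the same outcome is normally delivered through the Removable Storage Access group policies rather than per-host registry edits.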