Baiting is a social engineering attack in which an attacker leaves some sort of physical media in a location where someone else might pick it up and use it. This exploits people's tendency to be curious about objects and situations that are out of the ordinary or that catch the eye in some way. The most common form of baiting involves leaving a USB thumb drive in a parking lot or some other public area near a workspace. An employee might notice the USB drive lying on the ground, pick it up, and plug it into their computer. Unbeknownst to them, the drive has been pre-loaded with malicious software that compromises the employee's computer.
These kinds of attacks can rely on the victim's computer having autorun enabled so that the malicious code is executed immediately. The malware, depending on its nature, may then spread outward and start infecting other hosts on the network. Even if autorun is not enabled, the attacker can still entice a user to run the malicious code on the USB drive by disguising it as something fun (e.g., a video game), useful (e.g., an antivirus program), or mysterious (e.g., files with cryptic names).
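Two defensive checks that follow from the above, added here as an example rather than taken from the original text: the first scans a constructed, simplified rendering of Windows Security event 6416 (external device recognized) for removable-disk insertions not on an allowlist, and the second verifies that the `NoDriveTypeAutoRun` policy bitmask actually disables AutoRun for removable and optical drives. The log line format, host names, user names and device serials are assumptions.

```python
"""Defensive checks for USB-drop (baiting) scenarios: flag removable-disk
insertions in Windows Security events and verify the AutoRun policy value."""
import re
from dataclasses import dataclass

# Bits of the NoDriveTypeAutoRun policy value: 0x04 covers removable drives
# (USB sticks) and 0x10 covers CD/DVD drives; 0xFF disables AutoRun everywhere.
AUTORUN_REMOVABLE = 0x04
AUTORUN_CDROM = 0x10

# Constructed, simplified rendering of Security event 6416 ("A new external
# device was recognized by the system"), one event per line.
SAMPLE_EVENTS = """\
6416 host=WS-0417 user=CORP\\jdoe class=DiskDrive device_id=USBSTOR\\Disk&Ven_Generic&Prod_Flash&Rev_1.00\\0123456789&0
6416 host=WS-0417 user=CORP\\jdoe class=Keyboard device_id=HID\\VID_046D&PID_C31C\\6&2a3f
6416 host=WS-0231 user=CORP\\asmith class=DiskDrive device_id=USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\\ABCD1234&0
"""

EVENT_RE = re.compile(r"^6416 host=(\S+) user=(\S+) class=(\S+) device_id=(\S+)$")

@dataclass(frozen=True)
class RemovableInsertion:
    host: str
    user: str
    device_id: str

def find_removable_insertions(log_text, allowed_serials=()):
    """Return DiskDrive insertions on the USBSTOR bus whose serial is not allowlisted."""
    hits = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not a device-recognized event in the expected shape
        host, user, cls, device_id = m.groups()
        if cls != "DiskDrive" or not device_id.upper().startswith("USBSTOR\\"):
            continue  # keyboards, mice, etc. are not the baiting vector
        serial = device_id.rsplit("\\", 1)[-1].split("&")[0]
        if serial in allowed_serials:
            continue  # an issued, inventoried drive
        hits.append(RemovableInsertion(host, user, device_id))
    return hits

def autorun_disabled_for_removable(no_drive_type_autorun):
    """True when the bitmask disables AutoRun for both removable and CD/DVD drives."""
    required = AUTORUN_REMOVABLE | AUTORUN_CDROM
    return (no_drive_type_autorun & required) == required

if __name__ == "__main__":
    for hit in find_removable_insertions(SAMPLE_EVENTS, allowed_serials={"ABCD1234"}):
        print(f"ALERT removable disk on {hit.host} by {hit.user}: {hit.device_id}")
    print("policy 0x91 (Windows default) blocks removable:", autorun_disabled_for_removable(0x91))
    print("policy 0xFF blocks removable:", autorun_disabled_for_removable(0xFF))
```

The Windows default policy value 0x91 leaves the removable-drive bit clear, which is why the check reports it as insufficient while 0xFF passes.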