The scenario clearly describes baiting, a physical social engineering technique covered in CEH under human-based attacks. Baiting involves enticing a victim with something appealing or intriguing, such as free software, confidential documents, or valuable information, in order to trick them into compromising security. In this case, the USB drive is deliberately labeled “Confidential 2025 Budget Plans,” which is designed to trigger curiosity and urgency. The attacker relies on human psychology, specifically curiosity and perceived importance, to motivate the target to plug the device into a company system.

Unlike phishing, which typically occurs through email or electronic communication, baiting often involves physical media such as USB drives left in public areas like parking lots or lobbies. CEH materials highlight that attackers may preload such devices with malware that executes automatically when inserted, granting access to the internal network. Even though this experiment uses a harmless tracking script, the methodology mirrors real-world attacks where malicious payloads could establish backdoors, exfiltrate data, or deploy ransomware.

Hoaxes spread false warnings to create panic but do not necessarily require interaction with physical devices. Pretexting involves fabricating a scenario or identity to elicit information directly from a target through conversation or interaction. The use of a strategically placed USB labeled with enticing information fits the definition of baiting precisely. This test reinforces the importance of policies prohibiting unknown removable media usage and promoting employee awareness training.