USB Baiting Scams in Public Spaces and Workplaces
How attackers leave infected USB drives in car parks, offices, and public areas hoping someone will plug them in and inadvertently launch malware.
Part of: USB Baiting Scams
Last reviewed: 8 June 2026
USB baiting is a social-engineering attack that exploits natural human curiosity. A USB drive, labelled enticingly ('payroll', 'confidential') or left unbranded, is placed where a target is likely to find it: a company car park, a conference venue, a hotel corridor, or a university library.
When the finder inserts the drive, the payload runs either automatically (historically via AutoRun, or today via a device that presents itself to the computer as a keyboard) or when the curious user opens a planted file. The attack requires no network access, no phishing email, and no prior relationship with the victim: just a found drive and an unlocked USB port.
How this scam works in public spaces
Found drives may be pre-loaded with malware that executes via Windows AutoRun (only on older, unpatched systems; Windows has not honoured autorun.inf on removable storage since Windows 7), via a shortcut (.lnk) file that launches a hidden payload when double-clicked, or via a HID emulator (BadUSB) that presents itself to the operating system as a keyboard and types attacker-controlled commands within seconds of insertion. The HID variant needs no AutoRun and no file to be opened, so disabling AutoPlay does not stop it. The drive may also carry genuine-looking files labelled to encourage opening: a spreadsheet, a PDF, a video.
Targeted baiting campaigns against specific organisations have been documented: drives branded with a company's logo are mailed to employees or left in the building's car park. The familiarity of the branding increases the likelihood of insertion.
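The keyboard-emulating (BadUSB) variant described above leaves one reliable trace on the host: a new keyboard-class device appears at the moment the "drive" is plugged in. The following script is an added example, not code from the original page, that takes a baseline of present keyboards and alerts when a device arrival adds one. It assumes Windows 10/11 with PowerShell 5.1 or later and the built-in PnpDevice and CimCmdlets modules; the log file path is an assumption and stands in for whatever forwarder feeds your SIEM.

```powershell
# Added example (not from the original page): flag new keyboard-class devices,
# the host-side signature of a BadUSB / HID-emulator drive.
# Assumes Windows 10/11, PowerShell 5.1+, built-in PnpDevice and CimCmdlets modules.

function Get-KeyboardInventory {
    # Snapshot every currently present keyboard-class device by hardware instance ID.
    @(Get-PnpDevice -Class Keyboard -PresentOnly -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty InstanceId)
}

function Test-NewKeyboards {
    param([string[]]$Baseline)
    # Return the keyboard-class devices present now that were absent from the baseline.
    Get-PnpDevice -Class Keyboard -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $Baseline -notcontains $_.InstanceId }
}

# Baseline taken at session start: the docked keyboard, laptop keyboard, etc.
$baseline = Get-KeyboardInventory
Write-Host "Baseline keyboard devices: $($baseline.Count)"

# Win32_DeviceChangeEvent with EventType 2 fires on device arrival.
$query = "SELECT * FROM Win32_DeviceChangeEvent WHERE EventType = 2"

# The baseline is handed to the handler via -MessageData because the -Action
# block runs outside the caller's scope.
Register-CimIndicationEvent -Query $query -SourceIdentifier 'UsbArrival' `
    -MessageData $baseline -Action {
    Start-Sleep -Seconds 2   # give the PnP stack time to finish enumerating the device
    $known = $Event.MessageData
    $added = Get-PnpDevice -Class Keyboard -PresentOnly -ErrorAction SilentlyContinue |
             Where-Object { $known -notcontains $_.InstanceId }
    foreach ($dev in $added) {
        $msg = "ALERT: new keyboard-class device '$($dev.FriendlyName)' ($($dev.InstanceId))"
        Write-Host $msg -ForegroundColor Red
        # Assumed log location; replace with your SIEM/EDR forwarder.
        Add-Content -Path "$env:ProgramData\usb-keyboard-alerts.log" `
                    -Value "$(Get-Date -Format o) $msg"
    }
} | Out-Null

Write-Host "Watching for device arrivals. Stop with: Unregister-Event -SourceIdentifier UsbArrival"
```

A genuine USB keyboard or a docking station will also trigger the alert, which is why the baseline is taken first; in practice you would pair this with a device-control policy that only allows keyboard-class devices with known vendor/product IDs. Note that by the time the alert fires, a fast HID payload may already have typed its commands, so this is detection and evidence collection, not prevention.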
Common red flags
- Finding a USB drive in an unexpected location such as a car park, office, or public venue
- USB drive is labelled with enticing words such as 'salary', 'confidential', or a company name
- Drive is branded with an organisation's logo but was not distributed through official channels
- Inserting the drive causes unexpected prompts, command windows, or device behaviour
How to protect yourself
- Never insert a found USB drive into any device, regardless of what it is labelled
- Disable AutoRun and AutoPlay on work computers to prevent automatic execution from removable storage (this does not stop keyboard-emulating devices, which need no AutoRun)
- Report found drives to your IT security or facilities team rather than keeping or using them
- Use endpoint security software that scans removable media before allowing access, and device-control policies that block unauthorised storage devices and unexpected keyboard-class devices
- Educate colleagues about USB baiting as a standard part of security awareness training
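The "disable AutoRun and AutoPlay" step above comes down to four registry values, the same ones the Windows Group Policy settings "Turn off Autoplay", "Set the default behavior for AutoRun" and "Turn off Autoplay for non-volume devices" write. This is an added example, not code from the original page: it enforces those values and then reports per-setting compliance so a drift check can see exactly what is wrong. It assumes Windows 10/11 and an elevated PowerShell session for the HKLM writes; the HKCU value applies only to the user running the script.

```powershell
# Added example (not from the original page): enforce and verify the AutoRun /
# AutoPlay hardening from the list above. Assumes Windows 10/11 and an elevated
# session for the HKLM keys; the HKCU key only affects the current user.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$UserKey   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'

$Desired = @(
    # 0xFF = disable AutoPlay on every drive type ("Turn off Autoplay" policy).
    @{ Path = $PolicyKey; Name = 'NoDriveTypeAutoRun';     Value = 0xFF }
    # 1 = never execute autorun.inf commands ("Set the default behavior for AutoRun").
    @{ Path = $PolicyKey; Name = 'NoAutorun';              Value = 1    }
    # 1 = no AutoPlay for cameras, phones and other non-volume devices.
    @{ Path = $PolicyKey; Name = 'NoAutoplayfornonVolume'; Value = 1    }
    # 1 = the per-user "Use AutoPlay for all media and devices" toggle switched off.
    @{ Path = $UserKey;   Name = 'DisableAutoplay';        Value = 1    }
)

function Set-AutoRunDisabled {
    # Create each key if missing and write the value as a REG_DWORD.
    foreach ($s in $Desired) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord `
                         -Value $s.Value -Force | Out-Null
    }
}

function Test-AutoRunDisabled {
    # One row per setting: expected vs. current value and a Compliant flag.
    foreach ($s in $Desired) {
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name `
                    -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Setting   = $s.Name
            Expected  = $s.Value
            Current   = $current
            Compliant = ($current -eq $s.Value)
        }
    }
}

Set-AutoRunDisabled
Test-AutoRunDisabled | Format-Table -AutoSize
```

Explorer reads NoDriveTypeAutoRun at logon, so sign out or restart explorer.exe for the change to take effect; in a managed estate push the same values through Group Policy or your MDM so they cannot be reverted from the Settings app.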
How to report it
- Report found suspicious USB drives to your organisation's IT security team
- Report targeted attacks against a business to your national cybercrime authority
- File a report with Action Fraud (UK) or the IC3 (US) if a device was compromised
Frequently asked questions
What happens when I insert a malicious USB drive?
Modern operating systems no longer run autorun.inf from removable storage, but a found drive may still contain executable files disguised as documents, and a drive that emulates a keyboard needs no file to be opened at all. Any interaction with planted content, running a file or opening a document, can trigger a payload. The safest action is never to insert a found drive.