USB Baiting Scams

USB baiting — also called USB dropping — is an attack in which a scammer or attacker leaves USB drives in locations where they are likely to be found and plugged in by a curious or well-meaning person. The drives are loaded with malware: when the drive is inserted into a computer, the malicious software executes and infects the device. The attack exploits one of the most reliable human impulses — curiosity about a found object and the desire to identify its owner.

The drives may be left in car parks, offices, reception areas, libraries, conference venues, or anywhere the intended target is likely to be. Sometimes they are placed inside envelopes addressed to a person or an organisation. Sometimes they are labelled with enticing descriptions — 'salary information', 'redundancy list', 'private photos' — to increase the likelihood that someone will plug them in and open the files. Other times they are made to look like branded merchandise from a real company or event, suggesting they are legitimate items rather than threats.

When the drive is inserted, the malware executes. On older systems, this could happen automatically through the AutoRun feature. On modern systems with AutoRun disabled, the malware typically relies on the person opening a file on the drive — which is almost inevitable once the drive is plugged in and its contents appear in a file browser. Alternatively, some USB devices are designed not as storage but as hardware attack tools: they identify themselves to the computer as a keyboard and rapidly execute a pre-programmed sequence of commands before the user can react.

The consequences of a USB baiting attack can include ransomware encrypting the device's files, a remote-access trojan giving the attacker persistent access, credential-harvesting software targeting saved passwords and banking details, or lateral movement through a corporate network if the targeted device is connected to one.

The drive is placed where the target is likely to find it. In targeted attacks against organisations, this might be outside a specific company's premises, in the car park, or in the reception area. In less targeted attacks, drives may be scattered in multiple public locations in the hope that any number of people will plug them in.

When the drive is inserted and a file opened, the malware executes. Modern malware on USB drives commonly uses disguised file formats: a document that looks like a PDF or Word file but is actually an executable, or a genuine document that triggers a malicious macro when opened. Some drives contain no files visible to the user but use the drive's controller firmware to deliver a payload directly to the host system before any user action is taken.

Hardware attack variants — sometimes called keystroke injection devices — identify themselves to the computer as a keyboard. Computers trust keyboards implicitly. The device then types a rapid series of commands — opening a command prompt, downloading malware from a remote server, and executing it — within seconds of being plugged in, far faster than a human could prevent.

In social engineering variants, the drive may contain a document that opens normally and appears to be what was advertised — financial data, a contact list, photos — while silently installing a payload in the background. This reduces suspicion because the drive appears to be what it claimed to be.

The attack exploits the near-universal impulse to identify a found object and determine whether it belongs to someone who needs it back. It also exploits professional conscientiousness — an employee who finds what appears to be an external drive near their office feels they should check whether it contains work-related material. Labelling the drive with enticing content titles amplifies both curiosity and the sense of obligation to look. Once the drive is plugged in and files appear, the instinct to open and examine them is difficult to resist.

An employee finds a USB drive in their company car park. It is labelled with something suggesting internal company information. Wanting to determine whether it belongs to a colleague, they plug it into their work laptop. The drive opens and appears to contain a spreadsheet. They open it, which triggers a macro. In the background, a remote-access trojan is installed and connects to an external server. The company's IT security team detects unusual outbound traffic days later and traces it to the infected laptop. Investigation reveals the drive was planted deliberately.

Found this USB near the front entrance — not sure if it belongs to someone here.

USB drive labelled '[company name] employee data' discovered in car park.

Please find enclosed our product information on the attached USB drive.

Complimentary USB drive included with conference registration pack.

The correct response to finding a USB drive in a public location or workplace is not to plug it in. There is no safe way to verify the contents of a found USB drive by connecting it to your own computer — the risk materialises the moment the drive makes contact with your system.

If you find a drive that appears to belong to your workplace, hand it to your IT security team or management. Do not plug it in to identify the owner. If you find a drive in a public location, it can be discarded safely or handed to lost-and-found without being connected to any device.

If your organisation distributes USB drives as promotional items or for legitimate purposes, ensure recipients know in advance that they are coming and what they contain, so employees are not put in the position of finding an unexpected drive and wondering whether it is legitimate.