
USB Drop Attacks: The Physical Phishing Trick You've Never Heard Of


Most cybersecurity threats arrive digitally — via email, SMS, or a dodgy website. But there's a physical attack vector that exploits our natural curiosity in a very analogue way: the USB drop attack.

What is a USB drop attack?

A USB drop attack involves a criminal leaving a malware-infected USB drive in a public place — a car park, a lobby, a conference table, a café near a business — hoping someone will find it and plug it into their computer.

The drive might be labelled with something enticing ("Payroll Q4," "Confidential," "Photos") to increase the likelihood of someone plugging it in out of curiosity. When they do, the malware installs automatically — no click required in many cases.

Does this actually happen?

Yes. Research studies have found that USB drives left in public parking lots have been picked up and plugged in by staff at alarming rates — some studies found rates as high as 45-98%. One study found that a significant number of people would plug in a found USB, especially if it appeared to have been dropped accidentally.

Malicious actors have used this technique to compromise organisations ranging from hospitals to government agencies.

What happens when you plug in an infected USB:

  • Malware installation: The drive auto-runs malware that installs a backdoor, keylogger, or ransomware
  • HID spoofing: Advanced "BadUSB" devices can masquerade as a keyboard and type commands automatically — before you've even opened any files
  • Credential theft: Keyloggers capture everything you type, including passwords

How to protect yourself:

  1. Never plug in a USB drive you found or weren't expecting. Full stop. If you find a USB drive, hand it to building security or throw it away. Don't plug it in to "see what's on it."
  2. Disable autorun on Windows. This prevents USB drives from automatically executing code. IT administrators can enforce this via Group Policy.
  3. Use endpoint security software that scans connected USB devices.
  4. Have a clear policy. Your business should have a written policy stating that found or unverified USB drives must never be connected to company devices.
  5. Brief your staff. This is one that people genuinely haven't heard of. A 5-minute mention in a team meeting can prevent a significant incident.
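For the "disable autorun" step, here is an added PowerShell example (not from the Phishbate post) that audits the machine-wide AutoRun policy and hardens it if needed. It assumes the standard Windows policy key and the documented NoDriveTypeAutoRun bitmask, where 0xFF disables AutoRun for every drive type (the same value Group Policy writes for "Turn off AutoPlay" on all drives); the function names are our own.

```powershell
# Added example: audit and enforce the Windows AutoRun policy.
# NoDriveTypeAutoRun is a bitmask of drive types on which AutoRun is disabled.
# 0xFF covers all drive types. Windows' default (0x91) still allows AutoRun
# on removable drives, which is exactly what a dropped USB stick relies on.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$allDrives = 0xFF

function Get-AutorunStatus {
    $current = (Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $current) {
        return [pscustomobject]@{
            Value    = 'not set'
            Hardened = $false
            Note     = 'No machine policy; default 0x91 permits AutoRun on removable drives'
        }
    }
    $hardened = (($current -band $allDrives) -eq $allDrives)
    [pscustomobject]@{
        Value    = ('0x{0:X2}' -f $current)
        Hardened = $hardened
        Note     = if ($hardened) { 'AutoRun disabled for all drive types' }
                   else           { 'AutoRun still permitted for some drive types' }
    }
}

function Set-AutorunDisabled {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    # Disable AutoRun on every drive type (mirrors GPO "Turn off AutoPlay: All drives")
    New-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -PropertyType DWord `
        -Value $allDrives -Force | Out-Null
    # Also refuse autorun.inf commands entirely (GPO "Default behavior for AutoRun")
    New-ItemProperty -Path $policyKey -Name NoAutorun -PropertyType DWord `
        -Value 1 -Force | Out-Null
}

# Run from an elevated prompt: audit first, then harden only if required.
$status = Get-AutorunStatus
$status | Format-List
if (-not $status.Hardened) {
    Set-AutorunDisabled
    Get-AutorunStatus | Format-List
}
```

This closes the autorun path only; a BadUSB device posing as a keyboard (the HID spoofing described above) is not stopped by this setting and still relies on the "never plug it in" rule and endpoint controls.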

The curious mind is the target

USB drop attacks work because we're inherently curious and helpful ("someone must have lost this"). Knowing the attack exists turns curiosity into caution.

Keep expanding your security awareness at Phishbate →
