Network Brainiacs
Tip #46 · Social engineering

USB drops still work.

A USB stick left in a parking lot still gets plugged into company computers. The physical attack is alive and thriving.

You'd think USB-based attacks were history. They're not. A malicious USB stick dropped in a parking lot, mailed as a "free sample," or handed out at a conference still gets plugged into company computers with depressing regularity. Every single penetration test we run that includes a USB drop gets at least one hit.

Why USB is still a live attack

Humans are curious. A USB labeled "Payroll Q4" found in the parking lot — someone wants to know what's on it. A free thumb drive at a trade show — useful, grabbed. A USB mailed to your office with a note that says "review urgent" — curiosity takes over. The stick contains malware, a keylogger, or an HID device that issues keystrokes faster than you can react.

Real-world drops

A penetration testing engagement dropped five USBs in a small firm's parking lot labeled "Bonuses 2026."

Red flag: Three were plugged into company laptops within an hour. All three got a reverse shell. Scope of compromise: everything.

A small law firm received a USB drive in the mail labeled "Case evidence — review urgent."

Red flag: A paralegal plugged it in to check before escalating. It was a BadUSB device that installed a keylogger in three seconds.

The controls that stop it

  • Policy: no USBs of any kind get plugged into company computers without IT review.
  • Technical enforcement via Group Policy, Intune, or MDM — disable USB storage and HID device auto-actions.
  • Turn off autorun / autoplay on all company devices.
  • Deploy EDR that blocks and alerts on malicious USB payloads.
  • Train staff: any unsolicited USB is a phishing attempt in physical form. Throw it away.

We test this in pentests.

If you want to know if your team would pick up a USB and plug it in, we can run a controlled test. Eye-opening every time.

Do this today

  1. Publish a no-USBs policy and reinforce it in onboarding.
  2. Disable USB storage and HID auto-enumeration via Group Policy or Intune.
  3. Turn off autoplay on every Windows machine.
  4. Train staff on BadUSB and why "just checking what's on it" is the attack.
  5. Include USB drops in your next physical security assessment.
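The technical controls listed above and in "The controls that stop it" are Group Policy / Intune settings that land as registry values on each Windows host. The script below is an added example (not Network Brainiacs' tooling) that audits those values on one machine and, with `-Remediate`, sets them locally; it assumes the documented GPO-backed keys named in its comments and that it is run elevated.

```powershell
# Audit (and optionally enforce) the USB controls from this tip on one Windows host.
# Added example for this page, not the author's own tooling. Run from an elevated prompt.
# Assumption: these are the local registry equivalents of the named Group Policy settings;
# an MDM such as Intune may write the same policies through its own CSPs.
[CmdletBinding()]
param([switch]$Remediate)

$Checks = @(
  @{ Name = 'USB mass-storage driver disabled (USBSTOR Start=4)'
     Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'; Value = 'Start'; Expected = 4 },
  @{ Name = 'All removable storage classes: deny all access (GPO)'
     Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'; Value = 'Deny_All'; Expected = 1 },
  @{ Name = 'Device installation: prevent installation of removable devices (GPO)'
     Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'; Value = 'DenyRemovableDevices'; Expected = 1 },
  @{ Name = 'AutoRun disabled for every drive type (NoDriveTypeAutoRun=0xFF)'
     Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Value = 'NoDriveTypeAutoRun'; Expected = 255 },
  @{ Name = 'AutoPlay disallowed for non-volume devices (cameras, phones)'
     Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Value = 'NoAutoplayfornonVolume'; Expected = 1 }
)

function Test-UsbControl {
  param([hashtable]$Check)
  # A missing key or value reads as $null, which is reported as non-compliant.
  $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue).($Check.Value)
  [pscustomobject]@{
    Control   = $Check.Name
    Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
    Compliant = ($actual -eq $Check.Expected)
  }
}

$results = foreach ($c in $Checks) {
  $r = Test-UsbControl -Check $c
  if (-not $r.Compliant -and $Remediate) {
    if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
    Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Expected -Type DWord
    $r = Test-UsbControl -Check $c   # re-read so the report shows the applied value
  }
  $r
}
$results | Format-Table -AutoSize

# Caveat: a BadUSB device enumerates as a keyboard (HID), so none of the storage or AutoPlay
# settings above stop it. The Group Policy control for that is Device Installation Restrictions
# with an allow-list of approved hardware IDs; it is left out here because a blanket deny on the
# HID class would also block the user's real keyboard and needs site-specific IDs.
```

A non-compliant row after running without `-Remediate` is the gap to close through Group Policy or Intune rather than by hand on each machine.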

Want help securing your business?

Schedule a quick security review with our team. 15 minutes, no sales pressure — walk away knowing exactly where your gaps are.