I’ve seen it too many times: someone finds a USB stick lying in the office car park, or tucked behind the printer, and plugs it straight into their work laptop. It’s a small, everyday action, but it opens the door to a USB drop attack — where a device carries malware or spyware that starts working the moment it’s plugged in.

Most office workers don’t think twice about a stray USB drive. They might be curious, or assume it belongs to a colleague who lost it. Sometimes it’s a handy way to transfer files quickly without going through the company network. But what the device actually does once connected is often invisible. It could quietly install malicious software that steals data or monitors activity, and not trigger any obvious alert.

The problem starts with physical access to the device itself. USB sticks are small and easy to drop or leave behind. You’ll find them in shared spaces, meeting rooms, or even in the car park. They’re designed to look ordinary, sometimes even branded or labelled to look official. If an attacker drops them deliberately, it’s a simple way to tempt someone into plugging one in without thinking.

Once plugged in, the attack doesn’t rely on a user downloading or running a file. Modern malicious USB devices can mimic keyboards or network cards, sending commands that bypass typical security software. The laptop trusts the device as if it were a real peripheral. This kind of rogue device can open backdoors, extract saved passwords, or install remote access tools.

From what I’ve seen in workplaces, there’s often little awareness about this kind of threat. Training usually focuses on phishing emails or password strength, but removable media security tends to be overlooked. I’ve walked through offices where dozens of USB sticks are floating around — in drawers, on desks, or even in communal charging stations — with no idea if they’re clean or infected.

Some businesses try to lock down USB ports or disable them through software controls, but this isn’t always foolproof. Employees might find workarounds, or portable devices might be needed for legitimate reasons like connecting peripherals or transferring files in secure ways. When the policy is too restrictive without clear communication, it can lead to people ignoring rules quietly and plugging in questionable drives anyway.

On several occasions, I’ve noticed that security teams rely solely on antivirus or endpoint detection software. While these tools are important, they won’t catch everything, especially if the payload arrives through hardware that looks normal. The device can act as a keyboard or network interface, issuing commands that don’t look like malware until it’s too late.

The physical aspect extends beyond the device itself. In shared or hybrid workplaces, USB drives are often shared between home and office machines, increasing the chance of cross-contamination. A stick plugged into a compromised home computer can carry threats straight into the office environment. This underlines the importance of treating all removable media as suspect unless verified.

I once inspected a small business where the facilities team stored USB drives in an unlocked cabinet, available to anyone managing the AV gear for meetings. No one tracked who took or returned them. It became clear that if even one of those devices got infected — say, by being plugged into a personal laptop at home — it could spread throughout the business network when brought back.

It’s also common for employees to use USB drives as quick backups or to carry work files home. Without encryption or scanning, this practice can expose sensitive company data if the device is lost or stolen. Even if the drive is clean, that data movement outside secure networks is a potential weak link.

At its core, the USB drop attack exploits a combination of physical access and human habit. The device has to be plugged in, and the user has to trust the drive or not consider the risk. Addressing this requires practical workplace awareness, not just technical solutions.

I often suggest that teams think about the journey a USB stick takes — from being found or handed around, to where it’s plugged in. Small habits like not plugging in drives found unattended, using company-approved encrypted drives for work, and physically securing shared devices can reduce the chances of an attack starting this way.

The challenge remains that a lot of these risks fly under the radar. The device sits quietly in the background, and unless someone monitors USB activity logs or catches unusual network traffic, it can go unnoticed for days or weeks. That quiet compromise is what makes USB drop attacks particularly effective and tricky.
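Monitoring USB activity logs for the device behaviour described earlier (a "storage" stick that also registers as a keyboard or network interface) can be turned into a simple check. The following is an added example, not code from the original post: it parses constructed log lines in the format of Linux kernel USB messages and flags devices a removable-media policy should question; the sample lines, vendor/product IDs and allowlist are all assumptions.

```python
import re
from collections import defaultdict
# Constructed sample in the format of Linux kernel (dmesg) USB messages; IDs are placeholders.
SAMPLE_LOG = """\
usb 1-1: New USB device found, idVendor=1111, idProduct=0001, bcdDevice= 1.00
usb-storage 1-1:1.0: USB Mass Storage device detected
usb 1-2: New USB device found, idVendor=2222, idProduct=00aa, bcdDevice= 1.00
usb-storage 1-2:1.0: USB Mass Storage device detected
hid-generic 0003:2222:00AA.0005: input,hidraw1: USB HID v1.11 Keyboard [Flash Drive] on usb-0000:00:14.0-2/input1
usb 1-3: New USB device found, idVendor=3333, idProduct=0c31, bcdDevice=64.00
hid-generic 0003:3333:0C31.0006: input,hidraw2: USB HID v1.10 Keyboard [Desk Keyboard] on usb-0000:00:14.0-3/input0
usb 1-4: New USB device found, idVendor=4444, idProduct=0e7e, bcdDevice= 1.00
cdc_ether 1-4:1.0 usb0: register 'cdc_ether' at usb-0000:00:14.0-4, CDC Ethernet Device
"""
# Constructed allowlist of approved vendor:product IDs (an issued encrypted drive, a desk keyboard).
ALLOWLIST = {"1111:0001", "3333:0c31"}
NEW_DEV = re.compile(r"^usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
STORAGE = re.compile(r"^usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")
HID_KBD = re.compile(r"^hid-generic 0003:([0-9A-F]{4}):([0-9A-F]{4})\.\w+: .* USB HID v[\d.]+ Keyboard ")
NETWORK = re.compile(r"^cdc_ether (\S+?):\d+\.\d+ \S+: register ")

def parse_usb_log(text):
    """Group USB log lines into {"vid:pid": {"port": str, "roles": set}}."""
    port_to_id = {}  # bus port ("1-2") -> "vid:pid" of the device enumerated there
    devices = defaultdict(lambda: {"port": None, "roles": set()})
    for line in text.splitlines():
        if m := NEW_DEV.match(line):
            port, vid, pid = m.groups()
            port_to_id[port] = dev_id = f"{vid}:{pid}"
            devices[dev_id]["port"] = port
        elif m := HID_KBD.match(line):  # HID lines carry the IDs directly, in uppercase
            devices[f"{m.group(1).lower()}:{m.group(2).lower()}"]["roles"].add("keyboard")
        elif (m := STORAGE.match(line)) or (m := NETWORK.match(line)):
            role = "storage" if line.startswith("usb-storage") else "network"
            if dev_id := port_to_id.get(m.group(1)):  # ignore interfaces with no enumeration line
                devices[dev_id]["roles"].add(role)
    return dict(devices)

def flag_devices(devices, allowlist):
    """Return (vid:pid, reason) pairs that a removable-media policy should question."""
    findings = []
    for dev_id, info in devices.items():
        roles = info["roles"]
        if "storage" in roles and roles & {"keyboard", "network"}:
            findings.append((dev_id, "storage device that also registers as keyboard/network"))
        elif roles & {"keyboard", "network"} and dev_id not in allowlist:
            findings.append((dev_id, "keyboard/network device not on the approved list"))
        elif "storage" in roles and dev_id not in allowlist:
            findings.append((dev_id, "unapproved removable storage"))
    return findings
```

Run against the sample, the approved drive and desk keyboard pass, while the "Flash Drive" that also types and the unexpected network interface are both flagged.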

A quick walk around any shared workspace usually reveals how casual the approach to USB devices can be. Without practical attention to how removable media is handled, the door to these attacks stays open.