The USB Drive on the Sidewalk: A CyberSafety Story You Won’t Believe

Nov 20, 2025

Today’s story is one of my favorites to share because it’s so simple…

and yet so dangerous.

 

Let’s talk about Emily — a client who almost learned the hard way that not all tech risks come through Wi-Fi or email.

Some show up right on the ground in front of you.


The USB Drive That Should’ve Stayed There

 

Emily was walking into her office one morning when she noticed a small black USB drive on the pavement near the doorway.

 

It had a label on it:

“Payroll – Q4” 

 

Now, Emily works in HR.

Payroll is literally her job.

 

So of course her brain said:

“Oh no… someone dropped sensitive files. Better figure out who it belongs to.” 

 

And without thinking too much about it, she slipped it into her pocket.


An Innocent Decision With Big Consequences

 

At her desk, she plugged it into her work laptop to see who to return it to.

 

But instead of opening a folder…

something else happened:

 

A blank window flashed for half a second.

Then disappeared.

 

No files.

No names.

Nothing visible.

 

Just a tiny, invisible piece of malware installing itself in the background.

 

She didn’t realize it yet — but she had just given an attacker access to her entire company network.

 

All because she tried to do the right thing.


The Moment Everything Went Wrong

 

Within minutes, she started getting pop-up errors.

The HR software crashed.

Her email suddenly logged her out.

Her computer slowed to a crawl.

 

That’s when she called me.

 

When she said,

 

“I plugged in a USB drive I found this morning…”

I didn’t even let her finish.

The Truth About “Found” USB Devices

 

Attackers have a name for this trick:

“USB baiting.” 

 

They load malware onto cheap USB drives, drop them in places people will pick them up, and wait.

 

Most people are curious.

A few are helpful.

Some are both.

 

But to an attacker, it doesn’t matter how the USB gets plugged in — only that it does.


How We Contained the Damage

 

Here’s what we had to do for Emily:

  • Immediately disconnect her device from the network

  • Force a shutdown to stop the malware

  • Alert IT so they could scan other systems

  • Change every HR-related login

  • Reimage her computer

  • Audit access logs for suspicious activity

 

Thankfully, her quick call meant we caught it early.

 

If the malware had spread?

It could’ve compromised payroll data for the entire company.


Three Lessons From Emily’s Close Call

 

1. Never plug in a USB device you didn’t buy yourself

 

Especially one you found.

 

2. Curiosity can be costly

 

Attackers rely on human nature.

 

3. There’s always a safer option

 

If you find a USB drive, hand it to IT — don’t investigate it yourself.


CyberSafety Week Takeaway

 

Not every threat arrives in an email or over the air.

Some threats are small enough to fit in your pocket.

 

If you ever come across a USB drive you didn’t expect:

Do. Not. Plug. It. In. 

Call someone who knows how to handle it safely.

 

And if you want a safer way to manage external drives at home or work, I’m happy to help.
