That single moment of curiosity may be all an attacker needs.
According to material described in the investigation, the devices are being sold in batches of 10 at around $60 each. More worryingly, the vendor reportedly claims an “open rate” of 81%. If that figure is accurate, it would exceed the participation rate in the old password-for-chocolate survey — a grimly ironic sign that social engineering may be getting more effective, not less.
A straw poll across professional and personal networks produces a similar concern. Ask people what they would do if they found a sealed USB drive on the ground and many instinctively say they would plug it into a device to see what was on it. Ask the same question about children or teenagers at home and the answer becomes even more unsettling. In an age of hybrid work, shared devices and home-office overlap, that risk no longer sits neatly outside the business perimeter.
This is what makes USB baiting so effective. It does not rely on advanced technical trickery at the point of contact. It relies on trust, curiosity and the mistaken belief that a physical object is less threatening than a suspicious email. For many users, cyber risk still feels digital-only. A flash drive found in a station, car park or office reception does not trigger the same defensive instincts as a phishing link.
For SMEs, that gap can be especially dangerous. Many smaller organisations lack strict device control policies, advanced endpoint protection, or the internal security maturity to spot and contain USB-borne compromise quickly. A single unknown device inserted into a company laptop could be enough to trigger malware execution, credential theft, remote access installation or the early stages of ransomware deployment.
The lesson here is not simply that users need more training. It is that awareness alone is not enough. Attackers understand human behaviour exceptionally well, and they are packaging their tactics accordingly. A sealed flash drive looks safe. A “lost” item feels harmless. A moment of curiosity feels trivial. None of those assumptions hold up under attack.
SMEs should treat unknown USB devices as they would any unsolicited attachment or suspicious link: untrusted by default. Where possible, organisations should restrict USB mass storage access, ensure endpoint tools are configured to detect removable media threats, and give staff a simple, memorable rule — if you find a device, do not plug it in; report it.
The technology has changed since 2004, but the core problem remains remarkably familiar. Back then, it was passwords for chocolate. Today, it may be malware by USB. Either way, the underlying attack strategy is the same: exploit low-friction human decisions for high-value gain.
After twenty years of cybersecurity awareness campaigns, that should give all of us pause.
