USB Baiting

Conduct a USB drop test to check your staff's reaction

Not all phishing and social engineering attacks require direct communication (such as email, SMS, or voice technology) with the victim in order to infiltrate their system or network. The most unusual example is USB baiting, which, like any other social engineering attack, aims to gain access to a target computer or network but takes an entirely different approach.

Aware provides phishing simulations that imitate real-life attack scenarios and teach your employees to spot phishing scams and prevent the hefty cost of data breaches.

What Is USB Baiting?

USB baiting (or a USB drop attack) is a form of social engineering attack conducted by planting USB sticks containing malicious software in places where the targets are likely to find them. A USB baiting attack relies on the curiosity of its target, who is likely to plug the stick into their system to find out its contents or its owner. Once the USB stick is plugged into a system, the malicious contents have a high probability of spreading across the system or network. Though malware infection merely upon plug-in is rare, the success of the attack remains high: when the target picks up and plugs an unknown stick into their system, it is highly likely that they will also open files or applications without considering the consequences or giving much thought to security.

The attack can also take the form of HID (Human Interface Device) spoofing, where the malware masks the identity of the USB stick to trick the system into treating it as another device, such as a keyboard or mouse, thus giving it the privileges of that device.


Effects of USB Baiting

Plugging an unknown USB stick into a computer can result in several forms of cyberattack. There's a chance that the malicious USB stick could infect your computer with a virus, malware, or spyware. It can lead the victim to a phishing site where the cybercriminal can lure the target into sharing their private data. It could also take the form of human interface device spoofing: the planted USB stick tricks the computer into thinking that a keyboard is attached, eventually giving cybercriminals remote access.
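A defensive check for the HID spoofing described above, as an added example (not Aware's code or part of the original page): it reads the udev properties Linux reports for a newly attached USB device and flags a stick that also presents an input device. The allowlist, sample devices and verdict names are assumptions made for the illustration.

```python
# Added example: classify a USB device from its udev properties (Linux).
HID, MASS_STORAGE = 0x03, 0x08   # USB interface class codes
KEYBOARD = 0x01                  # HID boot-interface protocol: keyboard

# Hypothetical allowlist of (vendor ID, product ID) for company-issued input devices.
APPROVED_INPUT = {("1111", "0001")}

def parse_interfaces(id_usb_interfaces):
    """':030101:080650:' -> [(3, 1, 1), (8, 6, 80)] (class, subclass, protocol)."""
    triples = []
    for field in id_usb_interfaces.strip(":").split(":"):
        if len(field) != 6:
            continue  # skip empty or malformed fields
        triples.append(tuple(int(field[i:i + 2], 16) for i in (0, 2, 4)))
    return triples

def assess(props, approved=APPROVED_INPUT):
    """Return (verdict, reason) for one device's udev property dict."""
    ifaces = parse_interfaces(props.get("ID_USB_INTERFACES", ""))
    classes = {c for c, _, _ in ifaces}
    ident = (props.get("ID_VENDOR_ID", "").lower(),
             props.get("ID_MODEL_ID", "").lower())
    if HID not in classes:
        return "no-hid", "no HID interface; file-borne risk only"
    if MASS_STORAGE in classes:
        return "block", "storage device that also presents an input device"
    if ident not in approved:
        is_kbd = any(c == HID and p == KEYBOARD for c, _, p in ifaces)
        return "review", "unapproved " + ("keyboard" if is_kbd else "HID device")
    # VID/PID are self-reported by the device and can be copied: coarse filter only.
    return "allow", "approved input device"

# Constructed sample devices (not captured from real hardware).
SAMPLES = {
    "issued keyboard": {"ID_VENDOR_ID": "1111", "ID_MODEL_ID": "0001",
                        "ID_USB_INTERFACES": ":030101:"},
    "plain flash drive": {"ID_VENDOR_ID": "2222", "ID_MODEL_ID": "0002",
                          "ID_USB_INTERFACES": ":080650:"},
    "stick with keyboard": {"ID_VENDOR_ID": "3333", "ID_MODEL_ID": "0003",
                            "ID_USB_INTERFACES": ":080650:030101:"},
    "unknown keyboard": {"ID_VENDOR_ID": "4444", "ID_MODEL_ID": "0004",
                         "ID_USB_INTERFACES": ":030101:"},
}

if __name__ == "__main__":
    for name, props in SAMPLES.items():
        print(name, "->", *assess(props))
```

A "no-hid" verdict only rules out keyboard emulation; files on the drive still need the usual scanning before anyone opens them.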

Why Do You Need Anti-Phishing Solutions?

  • Phishing attacks merely set the stage for attacks such as ransomware, spyware, credentials theft, etc.
  • Once the malware present in the USB stick successfully invades the system/network, the payload (spyware, backdoor software, ransomware, etc.) will be activated. It will then either encrypt your sensitive data or send it to the hacker.
  • Phishing attacks rose sharply in 2019 compared to previous years, and nearly 71% of the total attacks were financially motivated.
  • Reports from various studies state that 94% of malware was delivered through social engineering attacks with the public, information, and financial sectors being the most affected.
  • Considering the above facts, humans, by default, become the first line of defense against phishing and social engineering attacks. Thus, security awareness training becomes the only option to strengthen this line of defense.

Incorporate USB Baiting Solutions with Aware

Aware can help determine your employees' ability to identify and assess the risk of picking up and plugging in unknown USB sticks, and thereby prevent the exposure of company data to unknown risks. Aware USB baiting solutions include:

  • User susceptibility: We can help you establish a baseline measurement on how susceptible your employees are to SMiShing attacks and measure their progress against the baseline.
  • Detailed statistics: Reporting user behavior after plugging in the USB stick, such as opening files, running applications, providing access, etc.
  • Training: Providing pre- and post-incident reports and materials of our awareness trainings, which include interactive quizzes, gamification approaches, customizable training courses, etc.

Prominent Features of Aware

Along with testing and training, Aware also offers additional features based on your requirements, such as the scale of operations, campaign statistics, etc.

How Much Do Anti-Phishing Solutions Cost?

As with any cybersecurity service, the cost of Aware security awareness solutions differs based on the following set of variables:

  • The scale of an organization.
  • Security understanding of the users and employees.
  • The current security infrastructure.
  • The risk and liability associated with the business process.

How Often Should Anti-Phishing Training Be Done?

Studies show that phishing was responsible for a loss of $26 billion between 2016 and 2019 and is expected to grow in 2020. Phishing simulations and trainings, including USB baiting, are not a one-time activity. They need to be carried out regularly to ensure optimal retention and effective learning. As cybercriminals continue to ramp up their game, organizations must ensure that their employees are equipped to defend their organizations against phishing attacks. How often a company adopts and incorporates anti-phishing solutions depends on factors such as:

  • The scale of operations.
  • Compliance with various regulatory laws.
  • The existing security infrastructure.
  • Threat identification and management capability of the employees and users.