Skip to main content

Latest FBI Warning: Don’t Trust Thumb Drives

This blog addresses the recent scam that now involves the FBI, Ransomware, Thumb Drives, Amazon Gift Packages, US Dept. of Health & Human Services, and unsuspecting employees. 

The Danger: The FBI’s Thumb Drive Warning

The FBI recently warned and advised on a current scam in which bad guys mail malicious thumb drives in packages and trick recipients into thinking there is a legitimate reason for connecting the thumb drive to their computer. 

Let’s be clear. DON’T. Don’t stick that thing into your computer. You don’t know where it’s been! 

“But it’s a thumb drive in the shape of a guitar, and I’m a picker AND a grinner!” 

NO! Just. NO. 

So you might be thinking, “I wouldn’t fall for this.” And like Billy Joel said, “You may be right.” 

Unfortunately, many people have already fallen for this scam and it has led to some terrible consequences for their organizations. 

Who Were the First Targets? 

This scam has already taken its ‘toll’ on the transportation industry and “penetrated” some of the defense industry. 

Thumb drive being inserted into a laptop.

What Is the Gist of the Thumb Drive Scam? 

What are cybercriminals doing to convince people to insert thumb drives in their machines?  

Well, like in all Mission Impossible plot twists, the bad guys are disguising their identities behind behind organizations that your employees would normally trust. They send legitimate looking packages to recipients with a convincing message and a thumb drive carrying ransomware. 

The trusting employee then inserts the thumb drive into their computer and the loaded ransomware conducts its evil business.

What Are the Nuts and Bolts of These Scams? 

Here’s a quick overview of the top two organizations the bad guys are currently impersonating and the emotions they are preying on. 

SCAM 1. The US Dept. Of Health & Human Services DECEPTION: Emotional Damage; Fear Mongering

Bad guys impersonating the US Dept. of Health and Human Services tap into fears by sending packages that contain threatening messages about COVID-19.  When one’s fear is elevated, the recipients lose the ability to slow down and think logically. This enables cybercriminals to trick employees into voluntarily accessing “the additional information” on those evil thumb drives. It’s a modern form of the Trojan horse entering the walled city. 

SCAM 2. The Amazon Package DECEPTION: Emotional Damage; Excitement/Joy 

The bad guys also prey on our willingness and pleasure to accept gifts, which opens a door for attackers into our hearts—well, at least into our hard drives. They send packages that appear to come from Amazon with fake gift cards, a thumb drive and even a little ‘Thank You’ note to make the recipient think they are special, and that someone out there appreciates them.

The flattering gift, of course, makes the employee so pumped to see what their gift consists of, they don't think logically.  They quickly insert the thumb drive only to discover the gift is one they wouldn’t wish on their worst enemy.

Are Employees to Blame for Falling for This?

Absolutely not.

Your employees are not to blame. But if they haven’t been trained effectively to recognize threats, they could be tricked, allowing attackers to breach your organization. 

According to the Ebbinghaus Forgetting Curve, people forget 80% of what they’ve learned in less than a month. So, unless you’re training your employees on the latest dangers and/or cybersecurity best practices at least monthly, you’re likely to leave employees unprepared. 

While employees need to re-engage on a regular basis to keep cybersecurity top of mind, they also need the most current and effective modes of training to recognize the most recent threats, as they can be very deceptive. They can be highly effective in convincing employees to skip over the voice inside their heads that should be trained to say, “I don’t think I should ______.”  

“I don’t think I should use this thumbdrive.” 

“I don’t think I should download this file.” 

“I don’t think I should give away or confirm this information.” 

“I don’t think I should reply to this email.” 

“I don’t think I should click on this link.” 

However, good cyber hygiene doesn’t end there. When employees do spot a suspected threat, if they act passively and don’t report it properly, that allows the cybercriminals to freely target unsuspecting individuals elsewhere in the organization without warning.

What Should You Do? 

The key thing to remember: Educate, educate, educate. 

For starters, watch and share this video with your employees concerning the FBI’s recent warning on the thumb drive scam:  

Ensure all your employees are aware of the dastardly schemes and become extra suspicious and vigilant to NOT plug any thumb drives or external devices into their machines. 

Other security actions to take in the near term:

  • Commit to keeping your employees informed and trained on current threats there, how to recognize them, and what to do to keep themselves and their organizations safe. 
  • Harden your environment. Examine your networks and devices to be sure they are secure and ready to prevent as well as identify and quarantine/extinguish threats. 

Actions to take in the long term: 

  • Create a roadmap which lays out your security journey with a plan to continually evolve and grow
  • Partner with peers, vendors, and experts to ensure you don’t fight this battle alone but always have experts at your back

Better yet, see how we can help with Arctic Wolf Managed Security Awareness®.

About the Author

Nathan Caldwell has been a marketing leader in the tech world for nearly 10 years. He served as the producer and head of video marketing for one of the largest MSP software companies, where he was a keynote producer and coached tech leaders in executive speaking. In his latest adventure, he helped create Arctic Wolf’s Managed Security Awareness solution. When not fighting cyber bad guys Nathan loves to speak about his book, Empowering Kindness, and enjoys taking his four kids to theme parks.

Profile Photo of Nathan Caldwell