A penetration tester dropped USB drives in a corporate parking lot, and multiple employees plugged them into work machines within hours. The story went viral, a sharp 2026 reminder that physical-media social engineering still works against companies that have spent years drilling email phishing awareness.

Companies have invested real money in email security programs: simulated phishing campaigns, annual compliance training, click-rate dashboards reviewed by the board. Against email-based threats, that investment has produced measurable results. But it has also built a blind spot. An employee who won’t click a suspicious link will still pick up a USB drive off the pavement.

Physical-media attacks bypass every email gateway, spam filter, and link-rewriting proxy in the chain. The entry point is the employee, and the training programs the organization spent years funding didn’t cover it.

For legal and compliance teams, the viral reach of this story creates its own risk. Security programs that can’t demonstrate coverage of physical media attack vectors look thin in post-incident review, where “reasonable security” is the standard courts and regulators apply.

The gap wasn’t created overnight. It won’t close by updating the email security budget.

— James Okafor