When Swag Goes Wrong: Risks of Promotional USB Drives
The promotional products industry has long touted all of the benefits of custom USB drives. It’s not very often you hear anyone talk about the risks associated with promotional flash drives. However, the big elephant in the room is that these items can be risky from a supplier, distributor, and consumer standpoint.
In a recent example, not one, but two different scammers ordered flash drives from a company based in Texas. The flash drives were purchased by made up companies using stolen credit card information.
It’s not confirmed whether those flash drives were purchased for the purpose of installing malicious things like batch files, viruses, malware, or spyware onto them to infect people’s computers, but it is a possibility. 1,000+ USB drives in the wrong hands could wreak havoc.
So what are the risks for different aspects of the promotional products industry, including consumers? And what can we do about it? Let’s take a look!
Distributors like QLP are the middle men between you and your promo items. We work with several factories to get your promo items. Since distributors are the ones who handle customer orders, distributors must be wary of scammers using stolen credit cards to place large orders for flash drives.
USB drives are one of the most common items that scammers attempt to purchase with stolen credit cards. Why? Scammers can re-sell them on the black market and make money doing so. Many times the USB drives, when purchased with a stolen card, are shipped to a location where the thieves know the UPS delivery time, wait for the brown truck to show up, sign for it, and then vanish without a trace. Next thing you know those drives are sold at a flea market or re-sold via other means.
QLP sales rep Leo Avila said he receives fraudulent requests for large orders of either USB drives or T-shirts on average once every two days.
Luckily, now those scams are a lot easier to spot. But a few years ago that was not the case. In the summer of 2008, one of Avila’s first large orders was for $3,000 worth of USB drives. The customer wanted rush shipping on the order. The credit card was charged, and everything went through.
The day that order was scheduled to ship, that same customer contacted Avila again, this time wanting to order $8,000 worth of flash drives. However, this time the customer wanted to pay using four different credit cards.
That was the first thing that tipped Avila off that something fishy was going on. It was at this point that Avila learned that a simple Google search of the address can tell you whether the order is legitimate or not. When Avila looked at the address the “customer” had provided on Google Maps, he discovered that the image showed police squad cars surrounding the residence. Yikes!
Avila was lucky that he caught onto the scam before an $8,000 order went through. Unfortunately because the previous $3,000 order did go through and was placed with a stolen credit card, when it came time to refunding the money to the owner of the stolen card, QLP had to pay out of pocket. You can see how these types of scams can be costly for promotional products distributors.
If you are concerned about the legitimacy of an order, it is a good idea to Google the shipping address provided. Then you’ll be able to discover if the address is a)real, b)the actual home or business the items are being ordered for, or c)surrounded by police on Google Maps.
Jeff Solomon, founder of Free Promo Tips with 20+ years in the promo product industry, said, “A sales person in this day and age needs to be savvy enough to know these types of orders happen all the time, and often times they are fraudulent. It’s pretty easy to spot that these are not legitimate requests.”
For new distributors and sales representatives, the prospect of a several thousand dollar order can be very exciting, and you could miss the warning signs that would clearly alert you to the fraud.
So what do you need to look out for? Make sure you don’t get duped by always being aware of the following red flags.
Through diligence and with thorough checks and balances, you can avoid letting scammers get away with paying with stolen credit cards which could end up costing you thousands of dollars, and in turn you can prevent thousands of flash drives ending up in the wrong hands.
One last concern for distributors is the quality of the flash drives acquired from the factories. Always make sure that you are only working with reputable suppliers in the industry who you can trust will not be installing malicious viruses on the USBs at the factory level. Which leads us to…
As mentioned previously, distributors work with suppliers, which is where all of the promo items like USB flash drives are made.
You wouldn’t think that a huge company like IBM would hand out infected USB drives at a security conference, but it totally happened. At the 2010 AusCERT conference IBM unknowingly distributed flash drives that contained two pieces of malware.
Assuming IBM didn’t put the malware on the drives themselves, that malware must have been secretly installed at the factory level, right? How can you know that same thing won’t happen to you?
The key is to always order your items from a credible distributor or supplier in the industry. QLP only works with reputable, trusted suppliers that would never benefit from such a scenario.
One of QLP’s trusted suppliers of USB drives is Leed’s, a division of Polyconcept North America. Shannon Colamarino, Senior Category Manager, Product Development for Leed’s said, “We have heard of the unfortunate identity theft issue – it is important to note that thieves are doing this post assembly – meaning that this is not occurring on the factory floor and shipped to the U.S. with the virus already present. Leed’s conducts rigorous quality testing on every flash drive prior to US shipment to ensure the integrity of the drive has not been compromised in any way, and are checked again in our US facility as a double point of quality control.”
“Suppliers are part of the supply chain,” said Solomon. “They are responsible to deliver clean flash drives without spyware or malware on them. That’s another reason to use quality suppliers.”
Solomon continued, “It wouldn’t do a good supplier any good to sell products like that. It’s just not good for business. Good suppliers control their factories.”
Scott Anderson, National Sales Manager for Polyconcept North America explained that Leed’s only uses Tier 1 memory chips, which means they are not refurbished which is where a lot of the aforementioned risks can come from.
Tier 1 flash drives are made with the highest quality memory chips, have the lowest error rates, last the longest, and are faster than USB drives of any other tier. Colamarino said, “Anything outside of this tier opens up various risks, including viruses and misleading sizes (where the drive may say it is 8G, but actually only has 2G of memory).”
What about customers who want content pre-loaded on their flash drives? When a customer wants information like PDFs, Powerpoint presentations, or photos pre-loaded on their USB drive that content is sent directly from the distributor (QLP) to a third party website that uploads the content to the drives.
Because of that third-party site, you can also rest assured that any data you send to be pre-loaded onto a flash drive is safe with us. Anderson said, “We want to protect the data. When a customer sends that data to the distributor, it goes straight to the third-party site to keep the data protected.”
Regarding the riskiness of USB drives, Anderson said, “I don’t necessarily think they [USB drives] come with any more risks than any other item.” He cited that customers could poke their eye out with a pen, but that wouldn’t be the distributor or the supplier’s fault.
Colamarino added, “This could really be posed for any item, including knives, corkscrews, or any other product that could be used for malicious purposes.”
Therefore, it would follow that other than the red flags distributors can look out for to stop orders being purchased with stolen credit cards, there isn’t a whole lot a distributor can do to stop a person with a legitimate order from loading malicious content onto a flash drive.
“I don’t know how they would know that. I don’t know what they could do,” said Anderson. “It comes down to knowing who you’re dealing with, but I don’t think they have responsibilities for what the consumer does with the end product.”
Colamarino also offered this advice for both distributors and suppliers: “It would be a wise practice to ensure you have as much information about the distributor/end user as possible if they’re a new customer — check out their website if unsure for starters, as the incidents that I read about noted that when the distributor finally did go to their website, it was a bogus site. Same with addresses — they found that the addresses provided were empty lots.”
Colamarino continued, “Trust your instinct. If something feels off, take another step to look into it. It could save you in the long run.”
However, once those drives arrive on the customers’ doorstep, the safeness of those drives is out of our hands. And that’s where YOU come in!
As a brand choosing to give away promotional flash drives at your next event, as long as you order your USB drives from a trusted distributor, who will in turn work with a reputable factory to have them made, you shouldn’t have anything to worry about.
Solomon said, “Know who you’re buying from. These are interesting times with lots of risks.”
Before you place an order with any promotional products company, make sure that they are a respected brand. Check that they have a good reputation. A simple Google search will lead you to plenty of online reviews that will tell you what kind of company you are dealing with. Only place your order with a company that you can trust.
Trust is a huge factor when it comes to consumers on the receiving end of a custom flash drive as well.
As a person attending a trade show or receiving a custom USB drive from a company, there are several risks you should be aware of. Luckily, there are many things you can do to keep your computer safe.
QLP’s Junior IT Administrator, Mike Jenkins, said, “On average, a hacker isn’t going to attack a common consumer.”
However, he warned, “But if they can order a thousand flash drives and use those to set up a bot network and then have a thousand computers under their control? They’re gonna look at the big picture.”
That big picture also includes planting infected flash drives in company parking lots to infect and hack into entire company networks.
According to a 2011 survey of IT information security professionals, between 2009 and 2011 70% of businesses traced the loss of sensitive information to USB drives. Of those incidents, 55% are likely associated with devices infected by malware.
Which is why here at QLP, we’re not allowed to use flash drives. “We do not allow USB drives here,” said Jenkins. “One person could plug in an infected USB drive and take down the whole network.”
So what can you do to make sure you don’t plug an infected USB drive into your computer? First things first, Jenkins said that if you find a random flash drive on the ground, don’t plug it in. Either throw it away, hand it over to your IT department, or take it to the lost and found.
Good advice, considering a 2011 U.S. Department of Homeland Security test that found that 60% of people who found a flash drive in the parking lot went on to plug the device into their computer. The study also found that if the USB drive had a logo on it, 90% of people plugged it in.
Whether you receive a flash drive while at a conference or find one on the ground, only plug the device into your computer if you know where it came from. When receiving a promotional flash drive, only plug it into your machine if you trust the company who gave it to you.
If you’ve never heard of the company whose name is printed on the USB drive, just do a quick Google search. Don’t trust the device just because it has a logo on it. Check to make sure that the imprint is for a real company with a good reputation.
You can protect yourself from an infected USB drive by looking out for the following red flags.
Unfortunately, there is no way to know if a flash drive is infected without plugging it into your computer. So how should you proceed?
Jenkins explained that an infected USB drive will be set up so that all the person has to do is plug the device in for their computer to be affected. He stressed that you should make sure you have anti-virus on your computer, and to make sure that your anti-virus software blocks auto-run.
Auto-run is often used on CDs and USB devices so that when the disc or device is inserted, the programs automatically launch. By blocking auto-run, you can prevent your computer from automatically launching the files that would instantaneously infect your computer.
What if you do plug in an infected flash drive? Jenkins said if you notice something malicious is being installed, try to turn your computer off right away to try to stop the installation. If it’s too late for that, he said to run your anti-virus program. Then he said, “If you don’t know what you’re doing, take your computer to someone who does.”
With vigilance from all parties, we can all work together to keep everyone’s computer safe. USB drives can be risky, but as long as you order from a reputable distributor (I happen to know a guy *wink*), distributors work with trustworthy suppliers, and consumers proceed with caution, there are minimal risks involved.
“Memory is one of the most functional product options out there,” said Anderson. “Memory is a very versatile promo product, and a very functional product.”
We want to hear what you think! Have you ever been affected by an infected flash drive? Have you used promotional flash drives in the past? Let us know in the comments!