Which form of social engineering involves leaving a physical device, such as a USB flash drive containing malicious files, in a location where people can find it?

The tactic being tested is baiting. It uses a physical lure—the USB flash drive left in a public spot—to tempt people into picking it up and plugging it into a computer, which can trigger malware execution or data theft. The attack hinges on curiosity or greed: the finder expects something valuable or interesting on the drive and acts to access it, often without questioning the source. This differs from a honey trap, which centers on manipulating a person through social interaction; vishing relies on voice calls to steal information; and reverse social engineering involves the attacker posing as a helper to get the victim to request their aid. So the defining element here is the physical lure left behind to entice action.