QR Codes Used in 22% of Phishing Attacks

Cyber Security Threat Summary:
Hoxhunt released the results of their Hoxhunt Challenge, an exercise conducted in 38 organizations across nine industries and 125 countries. Their study revealed that 22% of phishing attacks in the first weeks of October 2023 used QR codes to deliver malicious payloads.

“The challenge categorized employee responses into three groups: success, miss and click/scan. Only 36% of recipients successfully identified and reported the simulated attack, leaving the majority of organizations vulnerable to phishing threats. The retail industry had the highest miss rate, with only 2 in 10 employees engaging with the benchmark, while legal and business services outperformed others in identifying and reporting suspicious QR codes” (Info Security Magazine, 2023). While QR codes are convenient and have become a normal part of our lives, users should be extremely suspicious of QR codes that arrive via email.

Security Officer Comments:
Hoxhunt found that job function affected an employee's susceptibility to QR-based phishing. Communications staff were found to be 1.6 times more likely to engage with a QR code attack. In contrast, employees with legal responsibilities were the most vigilant.

“Engaged employees (defined as those who feel passionate about their jobs) had a miss rate of 40%, a stark contrast from those not actively invested in their job responsibilities and the organization, who had a miss rate of 90%. Additionally, employees who completed onboarding and received pre-training also displayed better vigilance in identifying phishing emails” (Info Security Magazine, 2023).

Suggested Correction(s):
Mobile devices will typically show the user where a QR code is taking them with an on-screen prompt, but there is no real security built into QR codes themselves, and codes that arrive by email should be treated with suspicion.

Hoxhunt says the key takeaway from their study was the importance of continuous training in cybersecurity. Training should not only occur during onboarding, but should continue with regular refresher courses. The researchers say that failure to provide such training increases susceptibility to cyber threats and puts organizations' data at risk.