QR codes used in 22 percent of phishing attacks


As QR codes have become popular, they're used for all kinds of things, from mobile payments to access control and even document sharing. The problem is that they can also hide risks, so it's no surprise that they're becoming a popular vehicle for phishing.

New analysis from Hoxhunt finds the use of QR codes in 22 percent of attacks on its 'global human risk network' in the first weeks of October 2023.

In September, Hoxhunt also conducted a 'quishing' benchmark test, which examined nearly 600,000 employees from 38 organizations across nine industries and 125 countries, revealing that only just over a third (36 percent) of recipients successfully identified and reported a simulated QR code phishing attack. More than half failed to recognize it as a threat, while five percent failed the simulation.

Commenting on the research, Patrick Harr, CEO at SlashNext says:

QR codes are yet another way to spread mobile-based phishing campaigns. A number of organizations that offer QR code and short code creation have security to prevent hackers from using their service to create malicious QR codes. However, there are still many services that hackers can use, so it’s important to have mobile protection against malicious links.

Bad actors have shifted their tactics to mobile-based attacks because most devices do not have phishing protection and mobile phones provide bad actors access to corporate accounts, banking information and other personal data. It's imperative for organizations to have mobile protection against malicious links, because given the explosion of QR codes in our daily life, it’s becoming unfeasible to avoid them completely.

Manufacturing proved to be the most vulnerable to QR code phishing in the tests, with a 1.6x higher fail rate than other industries, whereas legal, professional and business services were 1.5x more successful in reporting the benchmark simulation.

Hoxhunt's Eliott Tallqvist writes on the company's blog, "The best recommendation we can give any company looking to improve its cybersecurity posture is to invest in ongoing training. This should include both initial onboarding and refresher courses that are provided regularly to ensure employees are kept up-to-date on the latest threats, vulnerabilities, and best practices. The frequency of these sessions might change depending on the organization’s risk profile but should generally be conducted at least every six months."

You can read more on the Hoxhunt blog.

Photo Credit: zhu difeng/Shutterstock


© 1998-2024 BetaNews, Inc. All Rights Reserved.