The Rise of QR Code Phishing
Recent research indicates a dramatic surge in QR code phishing, a form of attack commonly known as “Quishing.” With a 587% increase between August and September alone, the risk is real, and immediate.
QR codes have become a convenient tool for quick information sharing and streamlined user experience in recent years. However, the same features that make QR codes so user-friendly are being weaponised by cybercriminals. It’s crucial for both consumers and businesses to rethink how we interact with them.
A Sobering Landscape
In the UK and Europe, nearly 87% of smartphone users have scanned a QR code at least once, with over 36% doing so weekly. While this shows the widespread adoption of QR codes for legitimate purposes, it also highlights a significant opportunity for hackers to use this attack vector.
One noteworthy example of this growing threat was an attack on a major US energy firm in the last few months. This really is an escalating and alarming development that emphasises no industry is safe from cybercriminals looking to exploit vulnerabilities in any way they can, especially when the attack vector is proving to be so successful.
Why QR Codes are the Perfect Trap
QR codes offer an almost perfect delivery mechanism for phishing scams. Malicious actors are bypassing traditional security measures by embedding QR codes in phishing emails; because the destination is hidden inside an image rather than written as a link, traditional security tools have no URL to scan and fail to detect the threat.
Hackers create QR codes that, once scanned, direct users to credential harvesting sites. These are malicious websites designed to capture login details. The attacker lays the trap by presenting a fake but convincing Microsoft sign-in page, tricking the user into re-authenticating and thereby handing over their credentials. Cybercriminals gain the session token needed to access the account, which means they can effectively bypass 2FA/MFA.
Most organisations have a 30-day MFA reset policy, which means these attackers can roam freely within systems for up to a month.
This makes QR code phishing attacks incredibly effective.
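The two weaknesses described above (no URL for the mail filter to scan, and a decoded QR link that points at a look-alike Microsoft sign-in page) can both be caught with simple triage logic. The following is an added example written for this article, not code from DigitalXRAID or from the original post. It assumes a QR decoder already exists upstream (none is included); the lure-word list, the allowlist of genuine sign-in hosts, and the sample messages are all constructed here for illustration.

```python
"""Added example, not code from DigitalXRAID or the original post.

Two defender-side checks for the quishing pattern described in the article:
1. triage_email(): flag a message that carries an image attachment plus
   MFA / "scan to verify" wording but no clickable URL, which is exactly the
   case where link-scanning tools have nothing to inspect.
2. check_decoded_qr_target(): once a gateway or analyst has decoded the QR
   image (decoder assumed, not included here), compare the extracted URL's
   host with an allowlist of genuine Microsoft sign-in hosts and flag
   look-alikes that merely contain the brand name.
Allowlist, lure words and sample messages are constructed, not real data.
"""
import re
from email import message_from_string
from email.mime.image import MIMEImage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from urllib.parse import urlparse

# Words that typically accompany a "scan to re-authenticate" lure (assumed list).
LURE_RE = re.compile(r"\b(scan|qr|mfa|2fa|authenticat\w*|expir\w*|verif\w*)\b",
                     re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Assumption: the sign-in hosts this organisation considers genuine.
ALLOWED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
BRAND_STRINGS = ("microsoft", "office365", "o365", "outlook")


def triage_email(raw: str) -> dict:
    """Return triage signals for one RFC 822 message supplied as a string."""
    msg = message_from_string(raw)
    text_chunks, image_count = [], 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            image_count += 1
        elif ctype == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text_chunks.append(payload.decode("utf-8", errors="replace"))
    body = " ".join(text_chunks)
    lure_hits = sorted({m.group(1).lower() for m in LURE_RE.finditer(body)})
    has_link = URL_RE.search(body) is not None
    # The quishing signature: a picture, MFA/credential urgency, and nothing a
    # URL scanner could have rewritten or detonated.
    suspicious = image_count > 0 and len(lure_hits) >= 2 and not has_link
    return {"images": image_count, "lure_hits": lure_hits,
            "has_link": has_link, "suspicious": suspicious}


def check_decoded_qr_target(url: str) -> dict:
    """Classify a URL recovered from a QR image by an upstream decoder."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in ALLOWED_LOGIN_HOSTS:
        verdict = "allowed"
    elif any(b in host or b in parsed.path.lower() for b in BRAND_STRINGS):
        # Brand name present, but the host is not one we trust: look-alike.
        verdict = "lookalike"
    else:
        verdict = "unknown"
    return {"host": host, "scheme": parsed.scheme, "verdict": verdict}


def build_sample_quishing_email() -> str:
    """Constructed sample: lure text plus a (fake, non-image) QR attachment."""
    msg = MIMEMultipart()
    msg["From"] = "it-support@example.test"
    msg["To"] = "staff@example.test"
    msg["Subject"] = "Action required: MFA expires today"
    msg.attach(MIMEText("Your MFA registration expires today. Scan the QR code "
                        "below with your phone to re-authenticate.", "plain"))
    msg.attach(MIMEImage(b"not-a-real-png", _subtype="png", name="qr.png"))
    return msg.as_string()


def build_sample_benign_email() -> str:
    """Constructed sample: ordinary message with a visible link and no image."""
    msg = MIMEMultipart()
    msg["Subject"] = "Team lunch"
    msg.attach(MIMEText("Menu is at https://intranet.example.test/lunch - "
                        "please verify your choice by Friday.", "plain"))
    return msg.as_string()


if __name__ == "__main__":
    print(triage_email(build_sample_quishing_email()))
    print(triage_email(build_sample_benign_email()))
    for u in ("https://login.microsoftonline.com/common/oauth2/authorize",
              "https://login.microsoftonline.com.evil-example.test/common/oauth2",
              "http://203.0.113.5/office365/signin"):
        print(check_decoded_qr_target(u))
```

The triage rule is deliberately conservative: an image alone is not suspicious, and a message with a normal link still gets the ordinary URL checks. The host check only trusts exact matches against the allowlist, so a subdomain-style look-alike that merely contains "microsoftonline.com" is reported rather than waved through.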
A Study in Cyber Awareness
A recent study conducted among nearly 600,000 employees found that only 36% could successfully identify and report a phishing attack using QR codes. More than half (59%) didn’t recognise it as a threat, and around 5.5% actually scanned the QR code or clicked an accompanying link.
The study also revealed that industry and job function play a significant role in awareness levels. Businesses in the legal and business services sectors had a 63% success rate in identifying such attacks, compared to IT’s 44%, and a worrying 18% in retail — the industry most likely to miss these phishing attacks.
What Can Be Done?
It’s crucial for organisations to conduct regular phishing campaigns and cyber awareness training. It’s not a question of if a security breach will happen, but when. The most effective line of defence is a proactive one, supported by cyber security specialists.
The alarming rise in QR code phishing makes it clear: We can’t afford to let our guard down. With an increasingly interconnected world, the need for vigilance and proactive security measures has never been greater.
The best way to protect your business is to engage with a Security Operations Centre (SOC) service so your networks, systems and applications are monitored 24/7. In the event of a breach, SOC analysts will take action to contain and neutralise the attack within minutes. At DigitalXRAID, we’re committed to ensuring the bad guys don’t win. Our cutting-edge services and cyber awareness training can help you and your team stay one step ahead of the attackers. We’re protecting hundreds of customers who are experiencing a significant increase in this attack vector, and we can do the same for you.
If you discover that you’ve suffered a breach as a result of this or any other attack vector, and need help urgently, get in contact with us. You can call our emergency line on 0800 066 4509 to speak to one of our experts. They’re available 24 hours a day, 7 days a week. Bookmark this page in case you ever need us.
If you need any support in mitigating the risks this attack vector may pose to your business, please don’t hesitate to get in contact.
Join us on 22 November to arm yourself against these threats.
DigitalXRAID experts, along with special guest Richard Todd from Lambert Smith Hampton, will provide real-world strategies to protect your business. We’ll take you ‘Into a Hacker’s Mind’ to delve into how threat actors are exploiting QR codes to bypass 2FA/MFA mechanisms, enabling more sinister attacks like ransomware.
Prepare to walk away with actionable insights that’ll keep you a step ahead of cyber criminals. Our mission is to ensure the bad guys don’t win, and we’re sharing all the knowledge you need to make sure of it.