The growing threat of QR code phishing and how to drive employee resilience

In this article, you'll discover the dangers of QR code phishing and learn how to educate your employees to prevent a user-related data breach.

What is QR code phishing?

QR code phishing, also known as "quishing," is a relatively new form of cybercrime that leverages the ubiquity and convenience of QR codes for malicious purposes.

These attacks rely on cybercriminals creating malicious QR codes that appear legitimate but, in reality, lead to phishing websites or the downloading of malware onto the user's device. These QR codes can be found in various forms, such as on posters, flyers, or even on websites.

Why do cybercriminals use QR codes in phishing attacks?

The purpose of QR code phishing is to trick users into providing their sensitive information, such as login credentials, credit card details, or personal information. Once the cybercriminals have obtained this information, they can use it for identity theft, financial fraud, or other malicious activities.

It is important to be aware of QR code phishing as it has become increasingly prevalent in recent years. With the rise of mobile devices and the widespread use of QR codes for various purposes, cybercriminals have found new ways to exploit this technology to their advantage.

Example of a QR phishing attack

Below is an example email in which an attacker urges the victim to scan a QR code to preserve access to their account, claiming that failure to do so will mean their corporate email account password will soon 'expire'.

Example of a QR code phishing attack, impersonating a Microsoft Outlook email

After scanning the code, the user is redirected to a fake login page styled as a Microsoft sign-in, where the victim is encouraged to submit their account credentials.

The rise of QR code phishing

With the increased use of QR codes in various industries, especially during the COVID-19 pandemic for contactless transactions, there has been a notable rise in these types of phishing attempts.

According to recent reports, the number of QR code phishing attacks has significantly increased, with cybercriminals constantly evolving their techniques to make their malicious QR codes more convincing. These attacks can target both individuals and businesses, posing a significant threat to the security of personal and sensitive information.

A 51% increase in QR phishing attacks

According to a new study released by ReliaQuest, in September 2023 the company saw a 51% increase in quishing attacks, as compared to the cumulative figure for January through August 2023.

Most popular QR phishing attacks

Other findings from the study include:

  • The most popular QR phishing scenario involved Microsoft 2FA resets or enablement, occurring in over 50% of QR phishing emails in this data set. Victims were directed to enter their Microsoft email addresses and passwords.
  • Online banking pages represented 18% of all QR attacks, making them the second-most popular method used by cybercriminals. Victims were encouraged to enter their banking credentials on the page.

As QR code phishing continues to grow in prevalence, businesses must understand the risks and take proactive measures to protect themselves and their customers.

Common QR phishing techniques

Cybercriminals use various techniques to carry out QR code phishing attacks. Some common methods include:

  • Fake websites – Cybercriminals create fake websites that closely resemble legitimate ones, tricking users into entering their sensitive information.
  • Malware distribution – Malicious QR codes can be used to distribute malware onto the user's device, allowing cybercriminals to gain unauthorised access or control over the device.
  • Social engineering – Cybercriminals may use social engineering techniques to manipulate users into scanning malicious QR codes, often by offering enticing rewards or discounts.
  • URL redirection – QR codes can be designed to redirect users to phishing websites or malicious content, where they are prompted to enter their information.

By understanding these common techniques, businesses can better educate their employees and customers about the risks associated with QR code phishing and how to identify and avoid potential threats.
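For defenders, the fake-website and URL-redirection techniques above leave traces in the URL a QR code decodes to. The following is an added example, not part of the original article or of usecure's product: a Python triage function for URLs already decoded from QR images in inbound email. The trusted-host list, brand words, reason labels and sample URLs are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# Assumption: hosts this organisation accepts as genuine sign-in pages.
TRUSTED_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Assumption: brand words that should only ever appear on trusted hosts.
BRAND_WORDS = ("microsoft", "outlook", "office365")

def _split(url):
    """Parse a URL; return (parts, lowercase host), or (None, '') if malformed."""
    try:
        parts = urlsplit(url.strip())
        return parts, (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # e.g. malformed IPv6 brackets
        return None, ""

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage_qr_url(payload, trusted=TRUSTED_HOSTS):
    """Return the reasons a QR-decoded payload needs review (empty list = none)."""
    parts, host = _split(payload)
    if not host or parts.scheme not in ("http", "https"):
        return ["not-a-web-url"]
    reasons = []
    if parts.scheme != "https":
        reasons.append("no-tls")
    if parts.username is not None:  # text before '@' can mimic a trusted host
        reasons.append("userinfo-in-url")
    if _is_ip(host):
        reasons.append("ip-literal-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode-host")
    if host not in trusted and any(word in host for word in BRAND_WORDS):
        reasons.append("brand-lookalike-host")
    # A query value that is itself a URL on another host signals a redirect hop.
    for _, value in parse_qsl(parts.query):
        inner, inner_host = _split(value)
        if inner_host and inner.scheme in ("http", "https") and inner_host != host:
            reasons.append("redirect-to-other-host")
            break
    return reasons

if __name__ == "__main__":
    # Constructed sample: a lookalike host served without TLS.
    print(triage_qr_url("http://microsoft-2fa-reset.example/login"))
```

An empty result means only that none of these heuristics fired, so it should feed a review queue or URL-reputation lookup rather than act as an allow decision.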

Education is the key to preventing user-related data breaches

With usecure's human risk management solution, IT leaders and managed service providers can empower end-users with the knowledge and vigilance to prevent data breaches.

Simulate a real-world QR phishing attack with usecure

In a few simple steps, usecure's simulated phishing tool, uPhish, enables you to deploy both ready-made and custom-built QR phishing campaigns that report on how susceptible your users are to these types of attacks.

Below is an example of a Microsoft QR phishing email that comes pre-loaded in the uPhish template library, allowing you to track landing visits and compromises.

Example of a QR quishing email attack

Launch a free phishing simulation today

Grab a 14-day usecure trial and launch a free QR code phishing campaign to uncover the human risk inside your business.
