While QR codes have existed for nearly two decades, their public acceptance has accelerated in the last several years, particularly since the COVID-19 pandemic. It’s easy to understand why — with such a seamless, touch-free, and convenient way to access online content, QR codes have become a popular way to exchange information today.
However, their rise in popularity has also come with increased risk. Threat actors are known to capitalize on technological advancements to pursue their own nefarious agendas, especially when humans are easily manipulated through advanced social engineering tactics. QR codes are no exception to this trend, and now have become the latest type of attack in a long line of malicious innovations.
Here’s what to know about the growing threat of QR code attacks, and what security teams can do to effectively defend against it.
How QR code phishing attacks work
Threat actors leverage QR codes in all kinds of attacks, from invoice fraud to extortion, to spreading malware. But QR code credential phishing (or quishing) has far and away become the most common attack type, accounting for 89% of all QR code-based attacks sent via email.
In these attacks, the QR code functions as the centerpiece of a classic phishing scheme, where an email gets sent from a seemingly trusted source and uses urgent language to encourage the target to interact with a QR code embedded in the email. These emails will lure victims with a fake prompt, often around updating an expired password or accessing a critical document—but rather than asking them to click on a link, they are instructed to scan a QR code.
The QR code then redirects users to a fake login page — often designed with spoofed brand imagery to increase the appearance of legitimacy — where they are prompted to enter their credentials. Unfortunately, these pages are malicious copies, and attempting to log in gives attackers access to credentials, effectively compromising the user’s account.
Quishing has become increasingly popular
Anyone can be a target for these attacks, but cybercriminals have their sights set on a specific group of individuals: the C-Suite. Recent research found that C-Suite executives receive 42 times more QR code attacks than the average employee.
There are some likely reasons for why senior executive leaders have become an attractive target for these attacks. The people in these roles tend to have direct access to vast amounts of valuable information and are also likely to have the highest level of permissions of any member of the organization. Compromising these executives would effectively give attackers the “keys to the kingdom,” allowing them to spread laterally across the corporate network and infiltrate additional apps and systems. Plus, with access to an executive’s email account, a threat actor could use it to launch business email compromise attacks, sending fraudulent requests to junior employees or other external parties who might not think to question a seemingly legitimate ask from a senior leader.
While the threat of QR code attacks can touch any organization, certain industries are at greater risk than others. The same research found that construction and engineering enterprises are 19-times more likely to experience an attack than other industries. We can potentially link that to the sector’s historical reluctance to adopt robust data security and privacy regulations. Further, professional services (like lawyers, accountants, and business consultants) follow closely behind with an 18.5-times higher likelihood of experiencing an attack than other industries. Cybercriminals likely target these businesses for their highly confidential information that can be sold, ransomed, or leveraged for additional attacks.
What security teams can do to prevent QR code attacks
QR code attacks are notoriously difficult to detect, both by humans and by traditional solutions. From a human perspective, we know that security awareness training has historically cautioned users to avoid clicking on links in suspicious emails. QR codes accomplish the same goal of redirecting victims to a phishing page, but because they are an emerging medium in business communication, they are unlikely to raise flags in the same way a traditional link-based attack might. This results in situations where otherwise security-conscious employees can be tricked into completing the requested action.
And it’s made worse by the fact that QR code attacks are often successful at evading detection by security tools as well, largely because there’s minimal text content and no obvious malicious link. The absence of these attack indicators significantly reduces the number of signals available for traditional security tools to analyze in order to detect an attack.
QR codes also move the attack away from a secure email environment to a user’s phone, which doesn’t have the same lateral protection and posture management as a cloud-based business environment. This could explain why 27% of quishing attacks use fake multi-factor authentication (MFA) notices to target users.
So what can security teams do to prevent these kinds of attacks?
On an individual level, start by simply ignoring any QR code from an unknown source. But that’s easier said than done, especially in this digital era when many QR codes are used for legitimate purposes.
Instead, security leaders should consider applying a layered defense strategy to prevent QR code attacks, including:
- Implement MFA that doesn’t rely on QR codes, so employees don’t become complacent and begin trusting emails that use them. Instead, prioritize MFA that uses secure methods such as SMS, time-based passwords, or biometrics.
- Conduct security awareness training that incorporates QR code attacks as part of their simulations, so employees can become familiar with this emerging variation of phishing attack.
- Deploy email security solutions that have specific QR code detection features, designed to parse QR code images and corresponding links for malicious activity. When combined with additional signals such as unfamiliar senders, urgent or alarming language, or impersonated email addresses, these solutions can help to improve detection efficacy.
The use of QR codes in business communication isn’t going away anytime soon, and as they continue to commoditize, threat actors will likely expand their usage as a tool in their phishing campaigns. Thus, it’s up to security professionals to understand this threat and develop strategies to get ahead of it to protect our end users, and our organizations, from falling for these attacks.
Mike Britton, chief information security officer, Abnormal Security
