There’s been a “precipitous rise” in QR code phishing campaigns in 2023, according to Matthew Tyson at CSO.
“For the attacker, QR codes bring a number of benefits, including some appreciated by legitimate businesses: they are easy to create and easy to use,” Tyson writes. “It is easy for attackers to use free resources to generate convincing QR code enabled phishing emails, attachments, and websites — a mechanism that can increase the effectiveness of their efforts with minimum effort.”
Olesia Klevchuk, director of email protection at Barracuda, told CSO that QR codes are more difficult for security defenses to detect.
“URL scanning and URL rewrite technologies are ineffective against QR code attacks because there is simply no link to scan,” Klevchuk said. “Because users have to scan QR codes with their phones, it basically moves these attacks to an entirely new device that is often outside of the company’s security.”
Tyson says organizations should implement the following layers of defense to help thwart QR code phishing attacks:
- “Education: Ensure users are aware of the quishing trend and emphasize that QR codes are not an indication of legitimacy.”
- “Prevention: Automated systems that filter emails and URLs should be examined and hardened against QR codes. Existing use of QR codes by the enterprise should be examined to make it as hard as possible for attackers to hijack them.”
- “Response: Detection and lockout mechanisms should be in place to protect against account compromise.”
- “Validation: Incorporate QR code attacks red teaming tests and attack simulations.”
Tyson adds, “As technology-oriented professionals, we work towards a technology-oriented solution, but education and awareness play their part. We’ve gotten used to harping on the distrust of emails and confirming through a second channel anything significant. QR code attacks adds an important element: QR codes are not any kind of indication of legitimacy.”
KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
CSO has the story.
Free Phishing Security Test
Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.
Here’s how it works:
- Immediately start your test for up to 100 users (no need to talk to anyone)
- Select from 20+ languages and customize the phishing test template based on your environment
- Choose the landing page your users see after they click
- Show users which red flags they missed, or a 404 page
- Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
- See how your organization compares to others in your industry
PS: Don’t like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/phishing-security-test-partner?partnerid=001a000001lWEoJAAW