42 times more often: QR codes have become a new weapon against the business elite

Teacher

The familiar black square easily bypasses any digital protection.

The last quarter of 2023 saw a sharp jump in attacks using QR codes, aimed primarily at corporate executives and managers. Experts recommend that companies strengthen the digital protection of their management personnel.

A recent report from Abnormal Security, a cloud-based email security company, shows that phishing emails with QR codes successfully overcome spam filters and reach their recipients, particularly Microsoft 365 and DocuSign users.

According to statistics provided by analysts, in the fourth quarter of 2023, senior management of companies was 42 times more likely to encounter phishing attacks using QR codes than ordinary employees. Middle managers also experienced an increase in the number of attacks, albeit on a smaller scale, encountering QR code-based phishing five times more often, according to the Abnormal report.

"If I'm an attacker, I want to attack those who can pay me and who have the credentials that give me access to the most interesting information," explains Mike Britton, chief information security officer at Abnormal.

QR codes, which became widespread during the pandemic, have become a popular tool for attacks. More than a quarter of QR code attacks (27%) in the fourth quarter mimicked multi-factor authentication (MFA) notifications, and about one in five attacks (21%) were fake document sharing notifications.

Phishing using QR codes is particularly dangerous, as attackers mask malicious links in images, which allows them to bypass not only user suspicions, but also most email security products. In addition, malicious QR codes can be placed in physical space, for example, on stickers, business cards, etc. All this allows hackers to bypass the digital protection of companies, no matter how powerful it is.

"The attacks exploit users' innate trust in QR codes, integrating them into everyday items such as parking meters or posters," says Monique Besenti, product director at mobile security company Zimperium.

The main purpose of attacks on managers is to steal credentials — usernames and passwords. Credential phishing is the most popular type of email attack, accounting for 73% of all attacks and 84% of QR code attacks.

Although the popularity of phishing with QR codes has decreased slightly since October, it will remain in the arsenal of intruders forever. The best way to protect yourself is to train your users, says John Gellin of Hoxhunt.

"Training is important, but we are bound to encounter failures, and one mistake is enough to fail," adds Britton from Abnormal Security, emphasizing the need for technical controls in addition to training.