There’s been a “precipitous rise” in QR code phishing campaigns in 2023, according to Matthew Tyson at CSO.
“For the attacker, QR codes bring a number of benefits, including some appreciated by legitimate businesses: they are easy to create and easy to use,” Tyson writes. “It is easy for attackers to use free resources to generate convincing QR code enabled phishing emails, attachments, and websites — a mechanism that can increase the effectiveness of their efforts with minimum effort.”
Olesia Klevchuk, director of email protection at Barracuda, told CSO that QR codes are more difficult for security defenses to detect.
“URL scanning and URL rewrite technologies are ineffective against QR code attacks because there is simply no link to scan,” Klevchuk said. “Because users have to scan QR codes with their phones, it basically moves these attacks to an entirely new device that is often outside of the company's security.”
Tyson says organizations should implement the following layers of defense to help thwart QR code phishing attacks:
- “Education: Ensure users are aware of the quishing trend and emphasize that QR codes are not an indication of legitimacy."
- “Prevention: Automated systems that filter emails and URLs should be examined and hardened against QR codes. Existing use of QR codes by the enterprise should be examined to make it as hard as possible for attackers to hijack them."
- “Response: Detection and lockout mechanisms should be in place to protect against account compromise."
- “Validation: Incorporate QR code attacks red teaming tests and attack simulations.”
Tyson adds, “As technology-oriented professionals, we work towards a technology-oriented solution, but education and awareness play their part. We've gotten used to harping on the distrust of emails and confirming through a second channel anything significant. QR code attacks adds an important element: QR codes are not any kind of indication of legitimacy.”
KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
CSO has the story.
Here's how it works:
