Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    Quishing: QR Codes as Phishbait

    QR Code PhishingResearchers at Trustwave are tracking an increase in the use of QR codes to spread phishing links.

     “Being open-source, QR code generators have become accessible to anyone with access to the internet,” the researchers write. “The increased availability and flexibility of QR codes makes them the perfect tools for cybercriminals to further disguise their malicious links and evade anti-spam filters.”

    The QR codes often arrive in the form of phony multi-factor authentication emails.

    “The samples we have observed using this technique are primarily disguised as Multi-factor Authentication (MFA) notifications, which lure their victims into scanning the QR code with their mobile phones to gain access,” the researchers write. “However, instead of going to the target’s desired location, the QR code leads them to the threat actor’s phishing page. Some samples go even further by targeting specific organizations with personalized templates. These contain the victim organization’s logo making it look more legitimate.”

    Attackers are also using Bing search result links and PDF files to disguise the QR code phishing links, in an attempt to evade technical defenses.

    “The abuse of Bing search result links is also added to the mix as an additional evasion technique, and PDF attachments are also used to hide the QR codes making them less obvious,” the researchers write. “Publicly available APIs also can be used to generate phishing QR codes on the fly. These techniques come together to lure unsuspecting victims into scanning the phishing QR code with their mobile phone which may bypass corporate security mechanisms and could pose a serious security threat for organizations.”

    The researchers conclude that organizations should use a combination of technical defenses and employee training to defend against these threats.

    “Raising awareness is key to protecting ourselves from these threats,” Trustwave says. “Organizations should advocate training staff members to be more vigilant when inspecting unexpected emails, in addition to applying strong security measures to protect their network.”

    New-school security awareness training can give your organization an essential layer of defense by teaching your employees to recognize evolving social engineering tactics.

    Trustwave has the story.

     

    Return To KnowBe4 Security Blog

    Free QR Code Phishing Security Test

    Did you know dynamic QR code scans increased 433% globally from 2021 to 2022? Try our free QR Code Phishing Security Test to identify users that are most susceptible to these types of attacks so you can train them to think twice before scanning QR codes and build a stronger security culture.

    Monitor-QRT-2Here's how it works:

    • Immediately start your test for up to 100 users (no need to talk to a person)
    • Select from 35 languages and choose one of 3 templates
    • Choose from a “red flags missed” or a “404 error” landing page
    • Get a PDF emailed to you in 24 hours with your Phish-prone Percentage

    Go Phishing Now!

    PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

    https://www.knowbe4.com/qr-code-phishing-security-test

    Topics: Phishing, MFA

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews