A surge in email attacks using QR codes specifically targeting corporate executives and managers has raised concerns about the digital security of business leadership.
A report published by Abnormal Security, a provider of cloud email security, revealed that phishing emails using QR codes, sometimes referred to as “quishing,” have been successful in bypassing spam filters and reaching the inboxes of users of Microsoft 365 and DocuSign. This has led to heightened security concerns, particularly among C-suite executives and other high-level managers.
The data from the report indicated that in the fourth quarter of 2023, the average C-suite executive experienced 42 times more phishing attacks using QR codes compared to the average employee. While other managerial roles also saw an increase in attacks, the number was significantly lower, with non-C-suite executives encountering five times more QR-code-based phishing attacks. This trend emphasizes the fact that attackers are specifically targeting individuals with privileged access and valuable credentials.
Mike Britton, CISO for Abnormal Security, highlighted the motivation behind attackers focusing on executives, stating, “If I’m an attacker, I want to attack the people that have the ability for me to get paid and have credentials that give me access to the most interesting information.”
The increased prevalence of QR code attacks can be attributed to their growing popularity, particularly during the pandemic as businesses directed customers to contact-free and online ordering. QR codes have also been widely used for multifactor authentication (MFA) processes in a business context. Attackers capitalized on this by using fake notices of MFA and notifications about shared documents to deceive users into scanning malicious QR codes.
The deceptive nature of QR code phishing allows attackers to bypass user suspicions and some email security products. Additionally, attackers can strategically place malicious QR codes in physical spaces using simple stickers, effectively bypassing digital security measures altogether.
Furthermore, attackers are predominantly focused on stealing the credentials of privileged users, primarily executives. Successful credential phishing gives attackers access to valuable information and allows them to carry out malicious activities, such as sending emails pretending to be the victim and creating mail filter rules to forward all emails to the attacker’s account.
While the prevalence of QR code phishing attacks has decreased to some extent, it remains a persistent threat. Jon Gellin, threat team lead at Hoxhunt, emphasized the importance of training employees to recognize and respond to phishing attacks, as human awareness and judgment play a critical role in defending against such threats.
Mike Britton echoed the significance of training but emphasized the necessity of technical controls to prevent successful phishing attacks. He highlighted the difficulty of expecting employees in various roles to accurately identify sophisticated phishing attempts, emphasizing the potential impact of a single failure.
Overall, the surge in email attacks using QR codes has raised concerns about the security of corporate executives and managers. As organizations navigate this evolving landscape of cyber threats, a combination of employee training and robust technical controls will be essential to mitigate the risk of successful phishing attacks targeting privileged users.