QR code attacks target organizations in ways they least expect

QR code attacks, or “quishing” attacks, have emerged as a popular tactic among cybercriminals, with no signs of slowing down, according to Abnormal Security.


Although phishing emails have grown in sophistication over time, the end goal has stayed the same: trick targets into divulging sensitive information. QR code attacks are the latest evolution of traditional phishing, where threat actors use social engineering to manipulate targets into interacting with malicious QR codes. In doing so, targets may unknowingly provide details that enable the attacker to compromise accounts and launch further attacks.

Examining data collected during the second half of 2023, Abnormal identified attackers’ preferred quishing targets. While every employee is at risk, C-Suite executives were 42 times more likely to receive QR code attacks than the average employee.

QR codes are an emerging and lesser-known malicious tactic

Cybercriminals also seem to have a favorite industry to target, with the construction and engineering industry experiencing quishing attacks at a rate 19 times higher than any other vertical. Further, small organizations with 500 or fewer mailboxes also experience these attacks at a rate 19 times higher than companies of any other size.

In the research report, Abnormal also identified key themes that cybercriminals are using to execute QR code phishing attacks. The most popular are related to multi-factor authentication and access to shared documents—approaches that accounted for 27% and 21% of all QR code attacks respectively.

In each of these instances, threat actors attempt to compel recipients to scan a QR code within a fraudulent email. The code links to a seemingly legitimate website that then prompts the victim to enter login credentials or other sensitive details. The perpetrator can then use the credentials provided to compromise the target’s account and steal data, launch additional attacks, or move laterally to connected applications.

“Leveraging QR codes has become an attractive attack technique for threat actors because they’re effective at evading both human and technology-based detection,” said Mike Britton, CISO at Abnormal. “While employees have long been trained to avoid clicking on suspicious links, QR codes are an emerging and lesser-known malicious tactic that is unlikely to set off the same level of alarm. And unlike traditional email threats, quishing attacks contain minimal text content and no obvious URL, which significantly reduces the number of signals available for legacy security tools to analyze and use to detect an attack.”

BEC and VEC attacks continue to grow

The report also revealed that business email compromise (BEC) and vendor email compromise (VEC) attacks have grown substantially, with BEC doubling in frequency and VEC jumping 50% year-over-year.

BEC attacks increased by 108% from 2022 to 2023. The rate of these attacks peaked in October with a monthly average of 14.57 attacks per 1,000 mailboxes.

Larger organizations have the highest probability of BEC attacks. Organizations with more than 50,000 employees have a nearly 100% chance of experiencing at least one BEC attack every week. However, organizations of all sizes are at risk—even organizations with fewer than 1,000 employees have a 70% probability of receiving at least one BEC attack per week.

The construction and retail industries are most targeted by VEC. 76% of organizations in the construction and engineering industry received at least one VEC attack in the second half of 2023, while 66% of retailers and consumer goods manufacturers were targeted during that same period.

The percentage of organizations targeted by VEC each month in 2023 never dropped below 32%, indicating that threat actors are continuing to see success impersonating third parties in advanced attacks.

Britton continued, “Today’s organizations are feeling the pressure of advanced attacks—both with the rise of emerging tactics like malicious QR codes, and with the continued growth of socially-engineered BEC and VEC attacks. These threats are not only increasing but constantly evolving, targeting organizations and their employees in ways they least expect. Unfortunately, security awareness training is not enough, as these tactics are evolving faster and cybercriminals are finding new methods to prey on human behavior. As such, it’s more important than ever for security leaders to equip their organizations with the most advanced and adaptive threat detection tools to keep pace with, and stay ahead of, modern cybercrime.”
