QR codes are the scannable technology of the moment, used across social media, in marketing and advertising campaigns and in the enterprise to quickly share information and drive engagement.

But anyone can create one using a multitude of free, easy-to-use online tools. This makes QR codes especially enticing for attackers, who prey on users’ eagerness to stay in the know.

In fact, according to a new report from Osterman Research and Ironscales, three-quarters of companies have been the target of image-based and QR code phishing (quishing) in the past year.

And, as attackers become more and more cunning thanks to artificial intelligence (AI)-based tools, that’s only the beginning.

“What’s interesting about this report is that everyone is aware of QR codes or quishing — but that’s just the first example of many other types of image-based attacks we’re going to see,” said Audian Paxson, principal technology strategist with Ironscales.

Staggering increase in attacks

According to the research, 75.8% of organizations have been compromised by image-based and QR code phishing attacks over the last 12 months. Attackers’ most common targets were compromising account credentials (72%) and stealing sensitive information (70.6%).

Organizations do seem to be aware that this is a significant issue: 60% of respondents believe the “number, sophistication and evasiveness” of these types of attacks will only get worse in the coming year.

At the same time — and perhaps most alarmingly — enterprises are overly confident in their ability to block such intrusions: 70% of IT and security professionals say their current email security stack is “highly effective” at detecting phony emails and codes.

Yet nearly 4 out of 5 organizations (76%) were compromised by these methods in the last year — and just 5.5% could detect and block image-based email and QR code phishing attacks from reaching users’ inboxes and mobile phones.

Clearly there’s a “huge dichotomy” between the high-level confidence people have in their security stack and their actual security posture, Paxson said.

“That’s nothing new,” he noted. “It’s a classic security gap.”

He urged: “Be wary of any false sense of security.”

Posing as legitimate business correspondence

Paxson explained that the report was prompted by a trend Ironscales was seeing based on its customers’ first-party data: A staggering 451% increase in image-based email attacks in 2023.

Much like it sounds, an image-based email is “an email that is largely or almost entirely an image, but looks like a regular old email.”

They are often designed to mimic automated emails that workers already get throughout the day — such as prompts from Microsoft 365 to update, verify or validate their credentials, or from DocuSign to pen a virtual signature.

“It’s easy to fall for them,” said Paxson. “They all look the same, they’re the exact same template.”

People don’t always look at the email sender; instead they are fooled into thinking “it’s DocuSign, it must be important, I must act on this quickly.”

QR codes, meanwhile, are this century’s “classic gift card scam,” said Paxson, noting that “people will scan just about everything.” Attackers “know they are shiny and that people will scan them.”

Similar to image-based emails, the codes are embedded into business notifications and intended to invoke a sense of urgency. Users are tricked into visiting spoofed websites that can install malware or harvest their sensitive data.

When successful, Paxson noted, fake QR codes allow hackers to move the attack venue away from managed devices, networks and secured systems onto less-managed personal devices.
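A simple triage check for the image-heavy messages described above, as an added example (not Ironscales' or the report's own tooling): it parses a constructed MIME message, counts the words a recipient would actually see against the number of image parts, and flags the combination. The word threshold is an assumption, and a fuller pipeline would hand each image part to a QR decoder next.

```python
"""Triage heuristic for image-heavy e-mail (added example; constructed samples, assumed threshold)."""
import email
import re
from email import policy

WORD_THRESHOLD = 20  # assumed: an image plus fewer visible words than this is "image-heavy"

# Constructed sample: an HTML body that is nothing but one inline image, the
# shape of the "largely or almost entirely an image" notifications described above.
IMAGE_ONLY_EML = (
    "Subject: Action required: verify your account\r\n"
    'Content-Type: multipart/related; boundary="B1"\r\n\r\n'
    "--B1\r\n"
    "Content-Type: text/html; charset=utf-8\r\n\r\n"
    '<html><body><img src="cid:notice" width="600"></body></html>\r\n'
    "--B1\r\n"
    "Content-Type: image/png\r\n"
    "Content-ID: <notice>\r\n"
    "Content-Transfer-Encoding: base64\r\n\r\n"
    "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==\r\n"
    "--B1--\r\n"
)

# Constructed control: an ordinary plain-text notification with no images.
PLAIN_TEXT_EML = (
    "Subject: Invoice 42 is ready\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n\r\n"
    "Hi team, the quarterly invoice is attached to the ticket. "
    "Reply here if any of the line items look wrong to you.\r\n"
)


def analyze(raw: str) -> dict:
    """Count visible words and image parts; flag a message that is mostly image."""
    msg = email.message_from_string(raw, policy=policy.default)
    words, image_parts = 0, 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            body = part.get_content()
            if ctype == "text/html":
                body = re.sub(r"<[^>]+>", " ", body)  # keep only renderable text
            words += len(body.split())
        elif ctype.startswith("image/"):
            image_parts += 1  # a QR decoder would inspect part.get_payload(decode=True) here
    return {
        "visible_words": words,
        "image_parts": image_parts,
        "image_heavy": image_parts > 0 and words < WORD_THRESHOLD,
    }
```

Feed analyze() the raw RFC 5322 text of a real message to apply the same check at a gateway or in a mailbox sweep.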

Not surprisingly, generative AI (genAI) is making it easier for attackers to launch such campaigns. Paxson pointed out that they are early adopters of technology and are “persistent and creative.” They can take tools that were previously blocked, make small alterations with the help of genAI, and launch them in the wild again.

“The cat and mouse game has been taken up to another level over the last year and a half,” said Paxson.

He also forecast that attackers will very quickly get creative with emails that are entirely or mostly image, to throw off AI detection technologies and “compel users to not think.”

“All attackers are looking for is a foot in the door, then they can make lateral movements of different sorts,” said Paxson.

Assess your tech stack, regularly train employees

By contrast, defenders continue to be in “reactive mode” despite having pretty strong security stacks — typically two to three email security tools — but scarce resources to optimize those tools, monitor them and keep them up to date.

“Just because you have two or three or four [tools] doesn’t mean you don't have gaps,” said Paxson.

Perform regular assessments, he advised, and examine which types of attack your tech stack is able to cover. Also, deploy a secure email gateway along with API-integrated tools that use AI to analyze everything in a user's inbox.

Just as importantly, address the human element. “It’s a human weakness to move quickly and click on things or scan things,” he said.

To combat this, organizations should regularly test employees and provide them with up-to-date security awareness training. The fastest, easiest, cheapest way for organizations to protect themselves is to “start or increase the quantity and quality of their phishing simulations,” said Paxson.

In the end, “the best technology in the world can’t replace an educated and empowered user base,” he said.

On the user side of things, meanwhile, Paxson cautioned: “Be careful, look at the links, be suspicious. Slow down. Take a beat and look at everything. Most people, if they take a beat, have a pretty good sense that something doesn’t feel right.”