C-Suite Under Siege: Data Shows Execs Receive 42x More QR Code Attacks

QR code phishing, the newest iteration of phishing, is a type of social engineering attack in which a threat actor attempts to trick a target into interacting with a malicious QR code. Also known as quishing, these attacks represent the latest in a long line of malicious initiatives designed by enterprising threat actors to evade organizational security measures and manipulate targets.

Today Abnormal released our H1 2024 Email Threat Report, which explores the latest email attack trends, including the emergence of malicious QR codes in phishing attacks.

Quishing attacks involve emailing a malicious QR code that is linked to what appears to be a legitimate website (often an emulation of a Google or Microsoft login page) with a prompt to enter login credentials or other sensitive details. Unfortunately, any information provided can then be used by the perpetrator to compromise the target’s account and launch additional attacks.

While malicious QR codes sent via email can be used for a variety of purposes, they are primarily utilized for credential phishing. Indeed, 89.3% of QR code attacks detected by Abnormal are credential phishing attacks. This precipitous rise of bad actors using malicious QR codes to steal sensitive data is driven by multiple factors.

First, consider the fact that for the past three and a half years, QR codes have been everywhere. Although this technology was invented in 1994, at no point pre-2020 did QR codes have anywhere near the omnipresence they do now. We scan QR codes to view menus at restaurants, check in at appointments, and make contactless payments. As a result, receiving an email with a request to scan an embedded QR code to reset an expiring password or access important documents is now unlikely to raise any red flags—and attackers know this.

Second, a pillar of cybersecurity awareness training is to emphasize to end users why they should avoid clicking on links in emails they weren’t expecting to receive. Utilizing QR codes accomplishes the same goal of redirecting targets to a phishing page but makes the circumstances just different enough that the message may not set off alarms for the target the way a standard link-based phishing attack might.

From a technology standpoint, threat actors recognize that replacing hyperlinks with QR codes in phishing attacks improves the likelihood of the message bypassing legacy email security solutions. Unlike traditional email threats, quishing attacks contain minimal text content and no obvious URL, which significantly reduces the number of signals available for legacy security tools to analyze and use to detect an attack.

Further, a link-based phishing attack keeps the target on the same device, within the purview of the organization and its security controls. Using a QR code, on the other hand, moves the attack to the target’s mobile device, which lacks the lateral protection and posture management available in a cloud-based business environment.

Based on data collected during the second half of 2023, approximately 27% of all quishing attacks involved fraudulent notices related to multi-factor authentication (MFA). Below is an example of a QR code phishing attempt detected and blocked by Abnormal.

In this attack, the perpetrator states the target’s MFA method is expiring and needs to be reauthenticated. To establish trust, the attacker impersonates Microsoft’s real branding, including the company’s logo, font, and footer, and incorporates the theme of the attack into the sender name. They also create a sense of urgency by informing the target their MFA method must be reauthenticated that day or they will lose access to Microsoft 365 applications.

This example illustrates just some of the tactics threat actors use to bypass traditional email solutions and increase the appearance of legitimacy of their malicious messages to defraud employees.

Although every employee is a potential quishing target, our research revealed that members of the C-Suite were 42 times more likely to receive a QR code phishing attack than a non-executive employee. Non-C-Suite VIPs, such as executive vice presidents, senior vice presidents, and department heads, were also heavily targeted, with an attack rate more than five times that of non-executive employees.

Acquiring the login credentials of one of these individuals yields substantial benefits to an attacker. Besides the IT Director, executives likely have the highest level of app permissions of any member of the organization. They also have direct access to a wealth of confidential and valuable information. In other words, a successful QR code phishing attack on an executive would give a bad actor the “keys to the kingdom,” allowing them to infiltrate every inch of an organization’s network.

Not only that, using the executive’s compromised account, a cybercriminal could send fraudulent requests to internal and external parties who might not think twice about completing the requests since they seemingly came from a VIP. Threat actors also recognize that often multiple people have access to an executive’s inbox, such as executive assistants. Consequently, every individual who knows the login credentials for a VIP’s inbox represents a potential entry point that can be exploited by an attacker.

The emergence of malicious QR codes in phishing emails underscores one of the unfortunate truths of cybersecurity: if an element of email can be utilized for nefarious purposes, attackers will learn how to exploit it.

With each new development in the attack landscape, it becomes increasingly evident that legacy systems like secure email gateways (SEGs) are ill-equipped to defend against the evolving tactics of cybercriminals. Organizations must recognize the limitations of SEGs and invest in modern solutions that use AI-native detection engines to stop new and emerging threats like QR code phishing.

AI-native security platforms are not only able to detect QR codes in emails and parse the associated link but also utilize behavioral signals to spot anomalies in email patterns that indicate a potential attack. This allows the solution to block sophisticated threats before they reach employee inboxes. By leveraging advanced behavioral science and risk-adaptive detection, organizations can enhance their security posture and stay one step ahead of an ever-expanding array of threats.

For more insight into QR code phishing attacks and the current email threat landscape, download our H1 2024 Email Threat Report.