QR Codes Utilized in 22% of Phishing Incidents
Oct 26, 2023

The Hoxhunt Challenge has unearthed disquieting patterns when it comes to employees' vulnerability to phishing attacks, underscoring the pivotal significance of engagement in minimizing human risk.


The study, released on 19 OCT 2023 and conducted across 38 organizations representing nine diverse industries across 125 countries, found that during the initial weeks of October 2023, a substantial 22% of phishing attacks used QR codes as a conduit for delivering harmful payloads.



The challenge stratified employee responses into three distinct categories: success, miss, and click/scan. A mere 36% of recipients successfully discerned and reported the simulated attack, leaving a significant proportion of organizations exposed to the perils of phishing. Notably, the retail industry displayed the highest miss rate, with only 2 out of 10 employees effectively engaging with the established benchmark, while the legal and business services sectors outperformed their counterparts in identifying and reporting suspicious QR codes.


QR codes have seamlessly integrated into our daily routines, becoming increasingly ubiquitous. We all appreciate the convenience of shortcuts, and QR codes certainly offer significant advantages. However, users should exercise a high degree of caution when encountering QR codes delivered via email.


According to findings from the Hoxhunt Challenge, the nature of an employee's job also played a role in their susceptibility, as communication professionals were 1.6 times more inclined to fall for a QR code attack. Conversely, employees with legal responsibilities displayed the highest level of vigilance.



Highly engaged employees, characterized by their strong passion for their work, exhibited a notably lower miss rate of 40%. This contrasts starkly with employees who lacked active investment in their job roles and the organization, who experienced a significantly higher miss rate of 90%. Furthermore, employees who underwent thorough onboarding and received pre-training also demonstrated improved vigilance in detecting phishing emails.


QR codes inherently lack robust security and should be treated accordingly when assessing the security of applications that use them. For organizations employing QR codes for authentication, it is vital to stay informed about the various attack methods employed by threat actors and to proactively implement mitigation measures.


QR codes were further discussed in a blog post released by SlashNext on Wednesday, which highlighted the escalating risks associated with 'quishing' (QR code phishing) and 'QRLJacking.' This sheds light on the emerging cybersecurity threats linked to QR codes as a potential attack vector.
