QR Codes Utilized in 22% of Phishing Incidents
Oct 26, 2023

The Hoxhunt Challenge has unearthed disquieting patterns when it comes to employees' vulnerability to phishing attacks, underscoring the pivotal significance of engagement in minimizing human risk.


The study, unveiled on 19 OCT 2023 and conducted across 38 organizations representing nine diverse industries across 125 countries, has unveiled that during the initial weeks of October 2023, a substantial 22% of phishing attacks took advantage of QR codes as a conduit for disseminating harmful payloads.



The challenge stratified employee responses into three distinct categories: success, miss, and click/scan. A mere 36% of recipients successfully discerned and reported the simulated attack, leaving a significant proportion of organizations exposed to the perils of phishing. Notably, the retail industry displayed the highest miss rate, with only 2 out of 10 employees effectively engaging with the established benchmark, while the legal and business services sectors outperformed their counterparts in identifying and reporting suspicious QR codes.


QR codes have seamlessly integrated into our daily routines, becoming increasingly ubiquitous. We all appreciate the convenience of shortcuts, and QR codes certainly offer significant advantages. However, users should exercise a high degree of caution when encountering QR codes delivered via email.


According to findings from the Hoxhunt Challenge, the nature of an employee's job also played a role in their susceptibility, as communication professionals were 1.6 times more inclined to fall for a QR code attack. Conversely, employees with legal responsibilities displayed the highest level of vigilance.


Highly engaged employees, characterized by their strong passion for their work, exhibited a notably lower miss rate at 40%. This starkly contrasts with those employees who lacked active investment in their job roles and the organization, and they experienced a significantly higher miss rate of 90%. Furthermore, employees who underwent thorough onboarding and received pre-training also demonstrated improved vigilance in detecting phishing emails.


QR codes inherently lack robust security and should be regarded as such when assessing the security of applications that utilize them. For organizations employing QR codes for authentication, it is vital to stay informed about the various attack methods employed by threat actors and to proactively implement mitigation measures.


QR codes were further discussed in a blog post released by SlashNext on Wednesday, which highlighted the escalating risks associated with 'quishing' (QR code phishing) and 'QRLJacking.' This sheds light on the emerging cybersecurity threats linked to QR codes as a potential attack vector.

QR Codes Utilized in 22% of Phishing Incidents