QR code attacks surge on C-Suite executives, reveals Abnormal Security report
San Francisco-based AI-native cloud email security platform Abnormal Security has released its H1 2024 Email Threat Report. The report reveals a noticeable rise in QR code attacks (also known as quishing attacks), which are becoming a popular tactic among cybercriminals and show no signs of declining. These attacks are an adaptation of traditional phishing in which attackers manipulate targets into engaging with malicious QR codes, often compromising accounts and executing further attacks.
Data from the latter half of 2023 highlights a worrying trend. Cybercriminals are particularly targeting C-Suite executives, who are 42 times more likely to fall victim to QR code scams than a typical employee. Specific industries are also disproportionately affected. The construction and engineering sectors, along with small businesses with 500 or fewer email users, are experiencing attacks at nineteen times the rate of other industries and larger firms.
In the report, Abnormal Security outlined that cybercriminals are using themes related to multi-factor authentication and access to shared documents to carry out QR code phishing attacks; the two approaches account for 27% and 21% of all QR code attacks respectively. In these attacks, the adversaries persuade recipients to scan a fraudulent QR code linked to a website that appears genuine and asks for the victim's login credentials or other sensitive details. The attackers can then compromise the target's account to steal data, launch more attacks, or move laterally to linked applications.
Mike Britton, CISO at Abnormal, commented: "Abusing QR codes is an attractive attack mode for threat actors because they're effective at dodging both human and technology-based perception. Employees have been instructed for many years to abstain from clicking on suspicious connections, but QR codes are an emerging and lesser-known malicious tactic that doesn't raise the same level of panic." He adds, "Unlike traditional email threats, quishing attacks have minimum text content and no apparent URL, substantially reducing the number of triggers legacy security tools could scrutinise and detect an attack."
The report also found considerable growth in the number of business email compromise (BEC) and vendor email compromise (VEC) attacks, with the volume of BEC doubling and VEC rising by 50% from the previous year. This evolving threat landscape is a serious concern for all organisations, regardless of size: companies with as few as 1,000 employees have a 70% likelihood of encountering at least one BEC attack weekly, while those employing over 50,000 personnel have almost a 100% probability of a BEC attack every week.
In conclusion, Britton said, "Today's organisations are under the manifold pressure of advanced attacks—both with the burgeoning tactics like malicious QR codes, and with the consistent ascent of socially-engineered BEC and VEC attacks. These threats are increasing; moreover, they're evolving, targeting organisations and their staff in ways they least expect. Security awareness training alone won't suffice, as these strategies are changing quicker, and cybercriminals are discovering innovative methods to exploit human behaviour. As such, it's crucial for security leaders to equip their organisations with the most sophisticated and adaptive threat detection tools to keep them abreast and ideally, ahead of modern cybercrime."