Report Highlights Rising Threat of C-Suite QR Code Attacks

With businesses under continuous threat from cyber attacks, would-be cybercriminals are increasingly targeting the C-suite, according to Abnormal Security.

Businesses today are under continuous threat from cyber attacks. With technologies like generative AI (Gen AI) proving to be both a blessing and a curse when it comes to security, cyber threats are one of the most serious challenges faced by businesses today.

One of the main challenges businesses face is keeping ahead of continually evolving methods of cyber attack. The rise in remote working, for instance, brought an increase in ever more sophisticated phishing attacks, which don’t necessarily involve traditional IT. One of these mobile-driven attacks, QR phishing – or quishing – is increasingly being used as a novel social engineering attack.

A cyber threat that is able to bypass the usual checks individuals make to avoid the common signs of phishing, quishing moves a cyberattack from a protected email environment to the user's mobile device, which is often less secure.

A fraudulent QR code might redirect a payment through a convincing third-party website, allowing hackers to capture credit or debit card information and use it to make fraudulent purchases.

Falling victim to attacks of this nature can have significant consequences for businesses, ranging from major IT downtime and business disruption to the loss of important data. According to a report by IBM, phishing attacks like this can prove costly as well as time-consuming for businesses, costing firms an average of US$4.65m.

Quishing attacks emerge as a popular tactic among cybercriminals

According to a report by AI-native cloud email security platform Abnormal Security, quishing attacks have emerged as a popular tactic among cybercriminals, with no signs of slowing down. 

Although phishing emails have grown in sophistication over time, the end goal has stayed the same: trick targets into divulging sensitive information. QR code attacks are the latest evolution of traditional phishing, where threat actors use social engineering to manipulate targets into interacting with malicious QR codes. In doing so, they may unknowingly provide details that enable the attacker to compromise accounts and launch further attacks.

Examining data collected during the second half of 2023, Abnormal identified attackers’ preferred quishing targets. While every employee is at risk, C-Suite executives were 42 times more likely to receive QR code attacks than the average employee. 

In the research report, Abnormal also identified key themes that cybercriminals are using to execute QR code phishing attacks. The most popular are related to multi-factor authentication and access to shared documents: approaches that accounted for 27% and 21% of all QR code attacks respectively. In each of these instances, threat actors attempt to compel recipients to scan a QR code within a fraudulent email, which is linked to a seemingly legitimate website that then prompts the victim to enter login credentials or other sensitive details. The perpetrator can then use the credentials provided to compromise the target’s account and steal data, launch additional attacks, or move laterally to connected applications.

“Leveraging QR codes has become an attractive attack technique for threat actors because they’re effective at evading both human and technology-based detection,” said Mike Britton, Chief Information Security Officer at Abnormal. “While employees have long been trained to avoid clicking on suspicious links, QR codes are an emerging and lesser-known malicious tactic that is unlikely to set off the same level of alarm. And unlike traditional email threats, quishing attacks contain minimal text content and no obvious URL, which significantly reduces the number of signals available for legacy security tools to analyze and use to detect an attack.”


Technology Magazine is a BizClik brand
