C-level executives and others in managerial positions are by far the top targets of increasingly popular phishing attacks that involve malicious QR codes.

According to researchers with Abnormal Security, members of the C-suite in the fourth quarter of 2023 were 42 times more likely to receive a QR code phishing – or “quishing” – attack than non-executive employees. Those non-C-level positions, like executive and senior vice presidents or department heads, are five times more likely.

Bad actors know that if they can get into the email of a highly placed executive, it opens up all sorts of pathways to a company’s systems and data, Callie Hinman Baron, content marketing manager for the email security vendor, wrote in a blog post this week.

“Acquiring the login credentials of one of these individuals yields substantial benefits to an attacker,” Baron wrote. “Besides the IT Director, executives likely have the high level of app permissions of any member of the organization. They also have direct access to a wealth of confidential and valuable information.”

Given that, “a successful QR code phishing attack on an executive would give a bad actor the ‘keys to the kingdom,’ allowing them to infiltrate every inch of an organization’s network,” she wrote.

In addition, if a hacker can compromise an executive’s account, they can send fake requests to people inside and outside of the company who will see the name of the executive sending the email and likely open it and complete the request without question.

“Threat actors also recognize that often multiple people have access to an executive’s inbox, such as executive assistants,” Baron wrote. “Consequently, every individual who knows the login credentials for a VIP’s inbox represents a potential entry point that can be exploited by an attacker.”

The focus on quishing and executives are part of Abnormal Security’s H1 2024 Email Threat Report.

QR Codes Help Hackers Get Past Protections

In quishing campaigns, hackers often will email their malicious QR code that links to what seems like a legitimate website that often look like a Microsoft or Google login page, complete with a prompt to enter login credentials or similar sensitive information. The attacker can then use the information to compromise the email account and launch more attacks.

QR codes have been around since the early 1990s and threat groups have been using fraudulent QR codes in their scams for several years. However, the use of QR codes picked up steam during the COVID-19 pandemic, with businesses using them for such everything from restaurant menus to contactless payments systems in hopes of slowing the spread of the virus, which increased the comfort among people for using them.

“As a result, receiving an email with a request to scan an embedded QR code to reset an expiring password or access important documents is now unlikely to raise any red flags – and attackers know this,” she wrote.

They also know that using QR codes may help them slip past the messages employees constantly hear in cybersecurity awareness training to avoid clicking on links in emails they weren’t expecting to receive.

“Utilizing QR codes accomplishes the same goal of redirecting targets to a phishing page but makes the circumstances just different enough that the message may not set off alarms for the target the way a standard link-based phishing attack might,” Baron wrote.

There are other benefits for bad actors. Replacing hyperlinks in phishing attacks with QR codes makes it more likely the phishing message will get past legacy email security solutions, in large part because the emails contain minimal content and no obvious URL, so the number of signals that the security tools typically pick out and analyze to detect an attack aren’t there.

Also, “a link-based phishing attack keeps the target on the same device, within the purview of the organization of its security controls,” she wrote. “Using a QR code, on the other hand, moves the attack to the target’s mobile device, which lacks the lateral protection and posture management available in a cloud-based business environment.”

Quishing on the Rise

In a report late last year, SlashNext researchers noted that security experts had seen a 50% jump in QR code-based phishing attempts in the previous months. The FBI said in an advisory last year that it had begun seeing more reports of people who were victimized by fraudulent QR code-based attacks. Cybersecurity firm Hoxhunt in October 2023 reported that QR codes were used in 22% of the phishing campaigns it detected in the first weeks of the month.

Abnormal researchers found that 89.3% of QR code attacks they detect are aiming to steal credentials, such as usernames and passwords.

In the second half of last year, Abnormal researcher saw cybercriminals favoring two strategies. One, which accounted for about 27% of all quishing attacks, used fake notices related to multifactor authentication (MFA). The other – in about 21% of attacks – involved sending fraudulent notifications of a shared document. In the report, Abnormal showed common ways such attacks occurred using Microsoft and DocuSign as lures.

Construction and engineering firm and professional service provides were the most popular targets of quishing campaigns, up to 19.2 and 18.5 times, respectively, more likely to see such attacks than organizations in other industries. The problem for construction and engineering companies is they are known to be slow in adopting robust data security and privacy regulations.

Meanwhile, getting into the accounts of professional service providers means access to confidential information that can be sold, ransomed, or use in other attacks, the report’s authors wrote. Also, companies in both industries there is widespread remote work and use of mobile devices.

Abnormal also found that smaller companies – those with 500 or fewer mailboxes – experience 19 times more quishing attacks than others.