New Hoxhunt data suggests that quick response barcodes are increasingly used in these attacks.
QR codes are increasingly finding their way into use in phishing attacks, says data from the human risk management platform Hoxhunt, which spotted the barcodes in 22 percent of attacks of this nature on its client network during the first part of this month.
The data was based on the results of the first weeks of October 2023 from a pool of almost 600,000 employees.
Hoxhunt conducted a study on attacks made against almost 600,000 employees of varying seniority during the first part of October. The employees were from a number of participating organizations within large industries.
What they found was that 36 percent of the participants were able to successfully identify and report phishing attacks containing the barcodes. That said, another 59 percent were unable to recognize the attacks as threats. A further 5.5 percent of the participants either scanned the QR codes in the attacks or clicked on accompanying links.
The findings showed that the likelihood of scanning the QR codes and spotting the scam differed among employees.
The study showed that the industry and job function of an employee played a role in whether the individual would successfully identify and report an attack, fail to identify it but not take any action, or scan the quick response barcodes or click accompanying links.
Companies in business services and legal services sectors were the most likely to successfully spot and report phishing attacks that had QR codes. They did so 63 percent of the time. Comparatively, those in IT were 44 percent likely to do so, and in retail, that number fell to 18 percent, the lowest among all the industries. Within the retail industry, 79 percent of employees were likely to miss identifying a phishing attack.
Among specific job functions, it was legal staff that had the highest likelihood of identifying and reporting phishing attacks with quick response codes, as 78 percent did so. Those working in communications had a likelihood of 64 percent and were the job function with the lowest likelihood. Communications staff were also the most likely to scan the barcode (1.5 percent) or click the accompanying phishing link (3.3 percent).
