The Hoxhunt Challenge has unveiled alarming trends in employee susceptibility to phishing attacks, emphasizing the critical role of engagement in reducing human risk.
The study, published today and conducted in 38 organizations across nine industries and 125 countries, revealed that 22% of phishing attacks in the first weeks of October 2023 used QR codes to deliver malicious payloads.
The challenge categorized employee responses into three groups: success, miss and click/scan. Only 36% of recipients successfully identified and reported the simulated attack, leaving the majority of organizations vulnerable to phishing threats. The retail industry had the highest miss rate, with only 2 in 10 employees engaging with the benchmark, while legal and business services outperformed others in identifying and reporting suspicious QR codes.
“QR codes are becoming a ubiquitous part of our everyday life. We all love shortcuts, and QR codes are extremely beneficial and convenient,” commented Timothy Morris, chief security advisor at Tanium. “Users should be extremely suspicious of QR codes that arrive via email.”
As per the Hoxhunt Challenge, job function also affected employee susceptibility, with communications staff being 1.6 times more likely to engage with a QR code attack. In contrast, employees with legal responsibilities were the most vigilant.
Engaged employees (defined as those who feel passionate about their jobs) had a miss rate of 40%, a stark contrast from those not actively invested in their job responsibilities and the organization, who had a miss rate of 90%. Additionally, employees who completed onboarding and received pre-training also displayed better vigilance in identifying phishing emails.
The key takeaway from the Hoxhunt Challenge is the importance of continuous training in cybersecurity, emphasizing the need for training that includes initial onboarding and regular refresher courses. Failure to provide such training increases susceptibility to cybersecurity threats and puts organizational data at risk.
“There is no real security built into QR codes themselves and [they] should be treated as such when threat modeling applications that use them,” warned Georgia Weidman, security architect at Zimperium.
“If your organization uses QR codes for authentication, it is important to be aware of the kinds of attacks that attackers are using and to implement mitigation strategies for them.”
QR codes were also explored in a blog post published by SlashNext on Wednesday that reported the growing risks related to quishing (QR code phishing) and QRLJacking, underscoring the emerging cybersecurity challenges posed by QR codes as an attack vector.