Top QR Code Attack Targets: Construction and Professional Services

Like most advanced email threats, QR code phishing is industry-agnostic. Every organization, regardless of vertical and irrespective of size, is at risk of experiencing a QR code attack.

Nevertheless, our research discovered that two industries in particular seem to be preferred targets for QR code phishing: construction/engineering and professional services. Additionally, we found that smaller organizations experience QR code attacks at a significantly elevated rate compared to larger enterprises.

Read on for more insights from our latest Email Threat Report.

Construction and engineering enterprises are especially vulnerable to cyberattacks in general due to the industry’s historical reluctance to adopt robust data security and privacy regulations. For professional service providers like lawyers, accountants, and business consultants, cybercriminals recognize that gaining entry to their accounts means gaining access to highly confidential data that can either be sold, ransomed, or leveraged for additional attacks.

In the context of QR code attacks, organizations in these sectors are attractive targets for several reasons.

Based on data collected during the second half of 2023, cybercriminals heavily favorite two strategies in QR code phishing attacks ("quishing"). The first, accounting for approximately 27% of all quishing attacks, involves fraudulent notices related to multi-factor authentication (MFA). The second most popular strategy, used in approximately 21% of all QR code attacks, is to send targets fake notifications of a shared document.

Construction and engineering professionals rely heavily on QR codes in their day-to-day operations to view and record data, track materials and equipment, and share project details. Similarly, professional service providers use QR codes in their offices to accept payments, check in clients, and connect clients with digital resources. Consequently, these employees would not be surprised to receive an email with a request to scan an embedded QR code.

Due to the prevalence of remote work among employees in construction and engineering firms, there is a substantial reliance on mobile devices for accessing project details and sharing documents with other stakeholders. Likewise, professional service providers often work from phones and tablets, necessitating on-demand access to various cloud software solutions via these devices. Therefore, the expiration of multi-factor authentication for these employees can inhibit their ability to do their jobs, and, depending on the context, those delays can be exceptionally costly.

As a result, receiving an email claiming imminent MFA expiration would likely spur them to act quickly without first confirming the authenticity of the message. Additionally, both construction and engineering professionals as well as professional service providers receive notifications of shared documents like contracts and invoices almost daily—if not multiple times a day. This means attackers have ample opportunities to send a malicious email that blends in nearly seamlessly with legitimate communications.

Internal Abnormal data revealed that construction and engineering firms and professional service providers are up to 19.2 times and 18.5 times, respectively, more likely to receive QR code attacks than organizations in other industries.

Along with construction and engineering firms and professional services providers, smaller organizations also experience QR code attacks at a significantly elevated rate. When comparing the incidence of QR code phishing across different business sizes, the data reveals that organizations with 500 or fewer mailboxes are targeted by quishing attacks at a rate up to 19 times higher than any other size company.

There are a number of possible explanations for why this is the case.

Larger organizations often have more advanced technology infrastructures and dedicated IT teams. Threat actors may recognize that smaller organizations, on the other hand, often have limited resources to invest in cybersecurity and therefore have fewer tools to detect and prevent quishing attacks. Accordingly, they may perceive smaller organizations as easier targets due to their potentially weaker security infrastructure and be more inclined to launch attacks against them.

Moreover, smaller organizations may not have the capacity to conduct comprehensive training and education programs. This can create gaps in security awareness and protocols, enabling cybercriminals to manipulate employees into falling victim to QR code phishing attacks. Finally, smaller organizations may have less developed incident response capabilities, making it challenging for them to detect and quickly contain the threat. This delayed response time can give perpetrators more time to carry out their malicious activities.

Time and time again, cybercriminals have demonstrated their impressive ability to identify new ways to leverage everyday communication tools as mechanisms for deceiving employees into disclosing private information and completing fraudulent requests. To complicate matters, QR code phishing attacks contain minimal text content and no obvious URL—significantly reducing the number of signals available for traditional security solutions to analyze and use to detect the threat.

AI-native security platforms, on the other hand, not only detect QR codes in emails and extract information from the associated link but also use behavioral signals to recognize anomalies in email patterns that indicate a potential attack. This allows the platform to block malicious messages before they reach employee inboxes—enabling organizations to stay one step ahead of an ever-expanding array of threats.

For more insight into novel attack strategies and emerging cybersecurity risks, download the H1 2024 Email Threat Report.