Top QR Code Attack Targets: Construction and Professional Services

Abnormal data shows construction firms and professional service providers are up to 19.2 times and 18.5 times, respectively, more likely to receive QR code attacks than organizations in other industries.
March 22, 2024

Like most advanced email threats, QR code phishing is industry-agnostic. Every organization, regardless of vertical and irrespective of size, is at risk of experiencing a QR code attack.

Nevertheless, our research discovered that two industries in particular seem to be preferred targets for QR code phishing: construction/engineering and professional services. Additionally, we found that smaller organizations experience QR code attacks at a significantly elevated rate compared to larger enterprises.

Read on for more insights from our latest Email Threat Report.

Why Construction and Professional Services Are Popular Quishing Targets

Construction and engineering enterprises are especially vulnerable to cyberattacks in general due to the industry’s historical reluctance to adopt robust data security and privacy regulations. For professional service providers like lawyers, accountants, and business consultants, cybercriminals recognize that gaining entry to their accounts means gaining access to highly confidential data that can either be sold, ransomed, or leveraged for additional attacks.

In the context of QR code attacks, organizations in these sectors are attractive targets for several reasons.

QR Code Attacks by Industry Chart

Based on data collected during the second half of 2023, cybercriminals heavily favorite two strategies in QR code phishing attacks ("quishing"). The first, accounting for approximately 27% of all quishing attacks, involves fraudulent notices related to multi-factor authentication (MFA). The second most popular strategy, used in approximately 21% of all QR code attacks, is to send targets fake notifications of a shared document.

Construction and engineering professionals rely heavily on QR codes in their day-to-day operations to view and record data, track materials and equipment, and share project details. Similarly, professional service providers use QR codes in their offices to accept payments, check in clients, and connect clients with digital resources. Consequently, these employees would not be surprised to receive an email with a request to scan an embedded QR code.

Due to the prevalence of remote work among employees in construction and engineering firms, there is a substantial reliance on mobile devices for accessing project details and sharing documents with other stakeholders. Likewise, professional service providers often work from phones and tablets, necessitating on-demand access to various cloud software solutions via these devices. Therefore, the expiration of multi-factor authentication for these employees can inhibit their ability to do their jobs, and, depending on the context, those delays can be exceptionally costly.

As a result, receiving an email claiming imminent MFA expiration would likely spur them to act quickly without first confirming the authenticity of the message. Additionally, both construction and engineering professionals as well as professional service providers receive notifications of shared documents like contracts and invoices almost daily—if not multiple times a day. This means attackers have ample opportunities to send a malicious email that blends in nearly seamlessly with legitimate communications.

Internal Abnormal data revealed that construction and engineering firms and professional service providers are up to 19.2 times and 18.5 times, respectively, more likely to receive QR code attacks than organizations in other industries.

Smaller Organizations Record Highest QR Code Phishing Attack Rate

Along with construction and engineering firms and professional services providers, smaller organizations also experience QR code attacks at a significantly elevated rate. When comparing the incidence of QR code phishing across different business sizes, the data reveals that organizations with 500 or fewer mailboxes are targeted by quishing attacks at a rate up to 19 times higher than any other size company.

QR Code Attacks by Org Size Chart

There are a number of possible explanations for why this is the case.

Larger organizations often have more advanced technology infrastructures and dedicated IT teams. Threat actors may recognize that smaller organizations, on the other hand, often have limited resources to invest in cybersecurity and therefore have fewer tools to detect and prevent quishing attacks. Accordingly, they may perceive smaller organizations as easier targets due to their potentially weaker security infrastructure and be more inclined to launch attacks against them.

Moreover, smaller organizations may not have the capacity to conduct comprehensive training and education programs. This can create gaps in security awareness and protocols, enabling cybercriminals to manipulate employees into falling victim to QR code phishing attacks. Finally, smaller organizations may have less developed incident response capabilities, making it challenging for them to detect and quickly contain the threat. This delayed response time can give perpetrators more time to carry out their malicious activities.

Protecting Your Organization from QR Code Phishing Attacks

Time and time again, cybercriminals have demonstrated their impressive ability to identify new ways to leverage everyday communication tools as mechanisms for deceiving employees into disclosing private information and completing fraudulent requests. To complicate matters, QR code phishing attacks contain minimal text content and no obvious URL—significantly reducing the number of signals available for traditional security solutions to analyze and use to detect the threat.

AI-native security platforms, on the other hand, not only detect QR codes in emails and extract information from the associated link but also use behavioral signals to recognize anomalies in email patterns that indicate a potential attack. This allows the platform to block malicious messages before they reach employee inboxes—enabling organizations to stay one step ahead of an ever-expanding array of threats.

For more insight into novel attack strategies and emerging cybersecurity risks, download the H1 2024 Email Threat Report.

Get the Report
Top QR Code Attack Targets: Construction and Professional Services

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B 07 22 24 MKT624 Images for Paris Olympics Blog
Threat actors are targeting French businesses ahead of the Paris 2024 Olympics. Learn how they're capitalizing on the event and how to protect your organization.
Read More
B Cross Platform ATO
Cross-platform account takeover is an attack where one compromised account is used to access other accounts. Learn about four real-world examples: compromised email passwords, hijacked GitHub accounts, stolen AWS credentials, and leaked Slack logins.
Read More
B Why MFA Alone Will No Longer Suffice
Explore why account takeover attacks pose a major threat to enterprises and why multi-factor authentication (MFA) alone isn't enough to prevent them.
Read More
Learn how Abnormal uses natural language processing or NLP to protect organizations from phishing, account takeovers, and more.
Read More
B DK Compromise 7 11 24
Discover the top five ways hackers compromise accounts, from exploiting leaked API credentials to SIM swapping partnerships, and more. Learn how these techniques enable account takeover (ATO) and pose risks to enterprises.
Read More
B Sans Recap 7 11 24
Discover trends among modern SOC teams, including misaligned budgets, increased automation, unsatisfactory AI tools, staffing issues, and more.
Read More