One Year Later: Is QR Code Phishing a Fleeting Risk or an Enduring Threat?
QR code phishing attacks dominated headlines in the summer and fall of 2023, and the statistics were alarming.
Attackers understood that QR codes were increasingly used for everything from marketing campaigns to file sharing. They also understood that the detection of malicious QR codes was difficult. With typically limited text content and a heavy reliance on image attachments, malicious QR codes can more easily evade detection.
The news cycle may have moved on from QR code attacks, but have attackers? Are QR codes still widely used to exploit individuals and organizations? Let’s take a look at the data.
QR Code Attacks: Still Legit or Calling It Quits?
Abnormal protects more than 2,500 organizations, including 17% of the Fortune 500. This means we detect a lot of attacks. We’ve examined the attack data and identified some interesting trends related to QR code attacks—including the fact that malicious QR codes are still used in 1.9% of advanced attacks.
Among the QR code attacks we've detected, the distribution by attack type is as follows:
- Credential phishing attacks make up 86% of all advanced QR code threats.
- Internal-to-internal phishing attacks account for 6%, though these have sharply declined since early 2024.
- Scam attacks and malware attacks each represent 1% of the total advanced QR code threats.
Without a doubt, threat actors are not calling it quits on malicious QR codes.
Real-World Example of a Recent QR Code Phishing Attack
In this QR code phishing attack recently detected and stopped by Abnormal, the attacker impersonates the HR department, urging employees to scan a QR code that supposedly reveals a new bonus distribution strategy. However, the QR code actually directs them to a phishing page designed to mimic a Microsoft login page. If an employee visits this page and enters their credentials, the attacker will have successfully stolen their login information.
The twist in this attack is that the entire email content is presented as an image, with all of the text embedded within it. Attackers frequently use this tactic in QR code attacks because it can bypass basic email detection systems.
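The image-only tactic described above leaves a recognizable MIME shape: one or more image parts and almost no readable text. The following is an added example, not Abnormal's detection code, showing a triage check that flags such messages so their images can be passed to a QR decoder and link analysis. The 80-character threshold, the function names and the sample message are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

MIN_TEXT_CHARS = 80  # assumed threshold for "almost no readable text"

class VisibleText(HTMLParser):
    """Collects text nodes, skipping <style> and <script> bodies."""
    def __init__(self):
        super().__init__()
        self.chunks, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        self.skip += tag in ("style", "script")  # bool counts as 0 or 1
    def handle_endtag(self, tag):
        self.skip -= tag in ("style", "script") and self.skip > 0
    def handle_data(self, data):
        if not self.skip:
            self.chunks.append(data)

def triage(raw_bytes):
    """Flag messages whose body is images with almost no readable text."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    plain, html, images = 0, 0, []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            plain += len("".join(part.get_content().split()))
        elif ctype == "text/html":
            parser = VisibleText()
            parser.feed(part.get_content())
            parser.close()  # flush any buffered trailing text
            html += len("".join("".join(parser.chunks).split()))
        elif part.get_content_maintype() == "image":
            images.append(part.get_filename() or str(part.get("Content-ID", "inline")))
    visible = max(plain, html)  # multipart/alternative repeats the same text
    return {"visible_chars": visible, "images": images,
            "image_only": bool(images) and visible < MIN_TEXT_CHARS}

def constructed_sample(html_body):
    """Constructed test message: an HTML body plus one inline image part."""
    m = EmailMessage()
    m["Subject"] = "Bonus distribution update"
    m.set_content(html_body, subtype="html")
    m.add_related(b"constructed placeholder bytes", "image", "png", cid="<body>")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(constructed_sample('<html><body><img src="cid:body"></body></html>')))
```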
The Abnormal Approach to QR Code Detection
One of the standout features of Abnormal’s AI detection engine is its ability to analyze behavioral signals, which enables the platform to identify anomalies in sender attributes, recipient behavior, and signals from attachments or links. Even before the recent surge in QR code attacks, Abnormal was already intercepting thousands of these threats every week.
Abnormal provides a powerfully complete solution to QR code attacks with its one-two punch of human behavior AI and a dedicated QR code detector. As QR code attacks became a significant concern in the security landscape last year, Abnormal responded by further enhancing its detection capabilities. Additional resources were allocated to release a QR code detector capable of identifying the presence of QR codes in attachments and extracting the embedded links. This advancement not only addressed market concerns but also strengthened Abnormal’s defenses against even the most sophisticated QR code attacks.
These efforts were recognized with the prestigious CRN 2024 Tech Innovator Award in the email and web security category, underscoring Abnormal Security’s leadership in the field.
The Verdict is In: QR Code Phishing Attacks Are an Enduring Threat
Attackers continue to leverage QR codes as a vector for advanced phishing schemes, especially in credential harvesting and other targeted attacks. The deceptive simplicity of QR codes, coupled with their ability to bypass traditional detection methods, ensures they remain a viable tool in the cybercriminal arsenal.
Security teams must stay vigilant, recognizing that even as attack methods evolve, QR codes still pose a significant risk to both individuals and organizations. Abnormal's ongoing commitment to enhancing its detection capabilities—exemplified by its award-winning QR code detector—demonstrates the importance of staying ahead of these threats. QR code phishing continues to be an enduring threat that requires proactive and advanced security measures to mitigate.