The True Costs of QR Code Phishing

Cybercrime is a massive industry, so large that recent estimates expect the cost of cybercrime to the global economy to top $10.5 trillion (USD) annually by 2025. Within these figures squarely sits one of the latest techniques used to extort data and money, QR Code Phishing. But just how big a revenue generator is QR code phishing or Quishing for cyber criminals? And can businesses do anything to stop their data and money from being stolen using a malicious QR code?

QR Code Phishing Scams and Microsoft 365

QR codes are convenient and easy for people, including employees, to use. Companies can also generate them easily and use them to convey information quickly, including a website link. Add to this the popularity of a productivity app like Microsoft 365, and you have a perfect environment for QR code phishing. However, convenience and popularity come at a price: QR code scammers are increasingly targeting companies and Office 365 users.

QR code phishing is making a lot of noise because of the damage it causes to companies worldwide. Like its conventional phishing counterpart, Quishing or QR code phishing uses behavioral control tactics such as trust, urgency, and fear of missing out to manipulate users.

One of the most concerning QR code-based attacks for business users is a recent Microsoft Office attack. Cybercriminals target Microsoft Office users by sending phishing emails to employees that contain links to an "important document" waiting in the employees' Microsoft 365 accounts. A similar Microsoft 365 scam replaced a link to a document with a voice message link instead. The phishing email contains a QR code, and the employee must scan the QR code to access the document or message. Once scanned, the QR code reveals a URL that, when clicked, redirects the employee to a fake Microsoft 365 login page. If the employee enters their login credentials, the hacker behind the scam simply takes them and uses them to log in to the real Microsoft 365.

Yet another Microsoft 365 scam involves a QR code within a PDF attachment in an email. On scanning the QR code, an employee is taken to a URL designed to steal session tokens; this then redirects the user to a gateway where a malicious Office sign-in page is presented. If the user enters their credentials, they are stolen and used to compromise the real Microsoft 365 account. One large US energy company found itself the target of this type of QR code phishing. The company found that 29% of over 1000 emails contained malicious QR codes. The QR code attack on the company took the form of a phishing email that contained a PNG image or PDF attachment with a QR code. The message used behavioral manipulation, including urgency, to trick recipients into scanning the QR code to verify their Microsoft 365 account. 

Microsoft 365 scams can be as simple as a single QR code, or they can be sophisticated multi-part attacks: emails carrying PDF attachments that contain QR codes, which redirect users through several malicious URLs to ultimately steal credentials.
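As an added illustration (not code from the original article or from any vendor product), the following Python shows how a defender's URL check can follow the redirect chain behind a QR-decoded link and block a Microsoft-branded sign-in page that is not served from a Microsoft login host. The `.example` URLs, the `fetch_stub` function, the sample responses and the allowlist are constructed assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Hosts that serve the genuine Microsoft sign-in page (assumed allowlist).
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}
BRAND_MARKERS = ("microsoft", "office 365", "outlook")

# Constructed responses standing in for the network: url -> (status, Location, page title).
SAMPLE_WEB = {
    "https://qr-tracker.example/r/8841": (302, "https://gateway.example/verify?u=1", ""),
    "https://gateway.example/verify?u=1": (302, "/signin/", ""),
    "https://gateway.example/signin/": (200, None, "Sign in to your Microsoft account"),
    "https://aka.example/m365": (301, "https://login.microsoftonline.com/", ""),
    "https://login.microsoftonline.com/": (200, None, "Sign in to your Microsoft account"),
    "https://loop.example/a": (302, "https://loop.example/a", ""),
}

def fetch_stub(url):
    """Hypothetical fetcher; a real one would issue the request from a sandbox."""
    return SAMPLE_WEB.get(url, (404, None, ""))

def check_qr_url(url, fetch=fetch_stub, max_hops=5):
    """Follow redirects from a QR-decoded URL and judge the landing page."""
    chain, seen = [], set()
    while True:
        if url in seen or len(chain) >= max_hops:
            return "block", chain + [url], "redirect loop or too many hops"
        seen.add(url)
        chain.append(url)
        parts = urlsplit(url)
        if parts.scheme != "https":
            return "block", chain, "non-HTTPS hop"
        status, location, title = fetch(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # Location header may be relative
            continue
        break
    host = (parts.hostname or "").lower()
    branded = any(m in title.lower() for m in BRAND_MARKERS)
    # The brand on the page must match the host that actually serves it.
    if branded and host not in MS_LOGIN_HOSTS:
        return "block", chain, f"Microsoft-branded sign-in served from {host}"
    if status != 200:
        return "review", chain, f"landing page returned {status}"
    return "allow", chain, "landing host consistent with page branding"
```

The verdict is taken from the final landing page, not the first URL, because the link inside the QR code is only the start of the chain.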

Notably, IBM found that 30% of all cyber incidents in 2023 involved the abuse/theft of valid credentials. Whatever route the hackers take, the result costs money, either in time, resources, or direct cyber-attack costs.

The Cost of QR Code Phishing

Like any cyber-attack, QR code phishing brings a myriad of damages that result in onerous costs for a targeted company. Costs stack up when you add in the impacts of QR code phishing:

  • Data theft
  • Reputation damage
  • Non-compliance fines
  • Associated cyber-attack impacts, including Business Email Compromise (BEC) and ransomware infection

QR code phishing is just another form of phishing, but one that is even more difficult to detect. Taking some of these outcomes of conventional phishing provides an insight into the costs of QR code phishing:

Data Breach: According to IBM, the average cost of a data breach in 2023 was $4.45 million (USD). 

Business Email Compromise (BEC): BEC scams are the most expensive, costing $4.89 million (USD) on average.

Ransomware: According to Sophos, in 2023, it cost companies an average of $1.82 million to recover from a ransomware attack.

Phishing is used in most cyber-attacks (90%), including ransomware, data breaches, and BEC scams. Add a QR code to an email that uses a trusted brand like Office 365, and phishing becomes a success; the subsequent costs will be as damaging.

What About the Cost of QR Code Phishing to a SME?

Small companies may feel safe from the specter of QR code phishing, but the statistics show they are not. Insurers Hiscox explored the issues of a cyberattack on small UK companies using their live attack system. The research shows that in the UK, small companies are being attacked around 65,000 times per day, with many of the attacks taking the form of phishing. On average, the basic clear-up of a successful attack costs a small UK business around £25,700 ($33,700) per attack. This does not include intangible costs such as damage to reputation and lost customers.

Even at the personal level, QR code scams are costing individuals thousands. A recent spate of car park QR code scams has cost drivers thousands. The scammers replace legitimate QR codes used to pay for parking with malicious QR codes that take drivers to fake websites to steal credit card information.

Can Built-in Microsoft Security Stop Quishing?

Research into M365 native security found that almost 20% of phishing emails could evade detection by Microsoft 365 Exchange Defender and Microsoft Exchange Online Protection (EOP).

While Microsoft native security can help mitigate phishing attacks, a more advanced system that uses AI is required to identify evasive tactics that use QR codes. QR codes are chosen to circumvent the traditional security approach. The malicious content in QR codes is deeply embedded in the code image, making it hard to detect dangerous URLs.

How PhishTitan Augments Microsoft Native Security to Kill Quishing

PhishTitan is the next generation of anti-phishing solutions. PhishTitan goes beyond the boundaries of an SEG to provide Integrated Cloud Email Security (ICES). An ICES is a cloud-based, integrated solution using advanced technologies for anti-phishing detection. These technologies include AI, machine learning, and natural language processing (NLP). Even sophisticated and multi-part phishing threats that use QR codes and out-of-band mobile elements can be detected using PhishTitan's advanced AI-powered technology. Important features that allow PhishTitan to kill QR code phishing include:

Real-Time Detection

QR code phishing often deploys dynamic content generation. This clever tactic means a malicious payload can rapidly change to avoid detection. This is known as a zero-minute phishing threat. PhishTitan's advanced AI-enabled anti-phishing detection uses a vast training corpus to identify predictable patterns in QR code evasion.

Behavioral Analysis

Often, unusual behavioral patterns can pinpoint an attack that uses evasive techniques like QR code scams. Advanced anti-phishing solutions, like PhishTitan, provide behavioral analysis that identifies unusual user behavior as they interact with QR codes. ICES solutions use techniques such as NLP to detect suspicious behaviors and patterns and alert administrators of a potential phishing attack.

Time of Click Protection

QR codes often take users to malicious websites, and the URL associated with the QR code steals data or installs malware. PhishTitan automatically checks the website presented by the QR code for malicious activity. These checks are performed in real time. If the URL points to a phishing site, the employee will be prevented from opening the site.

Talk to TitanHQ's experts to understand how you can stop QR code phishing from costing your company thousands.
