Hooked: A Real-World Study on QR Code Phishing

TL;DR

This study investigates the effectiveness of QR code phishing attacks in real-world settings, revealing that professionally designed codes attract more attention and pose significant risks, especially to non-technical users.

Contribution

It provides empirical evidence on QR code phishing effectiveness and user perceptions, highlighting the need for improved countermeasures against this attack vector.

Findings

Professional QR codes attract more user attention

Curious users scan QR codes more frequently

Technical awareness reduces phishing susceptibility

Abstract

The usage of quick response (QR) codes was limited in the pre-era of the COVID-19 pandemic. Due to the widespread and frequent application since then, this opened up an attractive phishing opportunity for malicious actors. They trick users into scanning the codes and redirecting them to malicious websites. In order to explore whether phishing with QR codes is another successful attack vector, we conducted a real-world phishing campaign with two different QR code variants at a research campus. The first version was rather plain, whereas the second version was more professionally designed and included the possibility to win a voucher. After the study was completed, a qualitative survey on phishing and QR codes was conducted to verify the results of the phishing campaign. Both, the phishing campaign and the survey, show that a professional design receives more attention. They also illustrate that QR codes are used more frequently by curious users because of their easy functionality. Although the results confirm that technical-savvy users are more aware of the risks, they also underpin the malicious potential for non-technical-savvy users and suggest further work regarding countermeasures.