In a recent report published by Abnormal Security, a leading AI-native cloud email security platform, concerning trends in email threats for the first half of 2024, a disturbing rise in QR code attacks, also known as “quishing,” has been observed, highlighting the evolving tactics of cybercriminals.
“Despite advancements in email security, cybercriminals continue to innovate, exploiting new techniques like QR code attacks to infiltrate organisations,” said Mike Britton, Chief Information Security Officer at Abnormal Security. “These attacks, coupled with the persistent growth of BEC and VEC threats, underscore the need for organisations to bolster their defences with advanced threat detection tools.”
QR code attacks represent the latest iteration of phishing tactics, leveraging social engineering to deceive targets into interacting with malicious QR codes embedded in fraudulent emails. According to Abnormal Security’s research, C-Suite executives were a staggering 42 times more likely to be targeted by QR code attacks compared to the average employee.
Furthermore, the report revealed a targeted focus on specific industries, with the construction and engineering sector experiencing a 19-fold increase in quishing (QR + Phishing) attacks compared to other verticals. Additionally, small organisations with 500 or fewer mailboxes were 19 times more likely to be targeted by QR code attacks, highlighting the vulnerability of businesses of all sizes.
Key themes identified in QR code phishing attacks revolved around multi-factor authentication and access to shared documents, with attackers employing sophisticated tactics to compel recipients to scan malicious QR codes leading to fraudulent websites. Unlike traditional email threats, QR code attacks evade detection by containing minimal text content and no obvious URLs, making them harder to identify using legacy security tools.
The report also shed light on the escalating prevalence of business email compromise (BEC) and vendor email compromise (VEC), with BEC incidents doubling in frequency and VEC surging by 50% year-over-year. Larger organisations faced the highest risk of BEC attacks, while the construction and retail industries were prime targets for VEC attacks.
Britton emphasised the urgency for organisations to adopt advanced threat detection solutions to combat evolving cyber threats effectively. As cybercriminal tactics evolve rapidly, security leaders must prioritise adaptive security measures to safeguard against modern cybercrime and protect sensitive information from exploitation.
