A recent study conducted by the Hoxhunt Challenge revealed concerning trends in employee susceptibility to phishing attacks involving QR codes [1] [4]. This study included research from 38 organizations across nine industries and 125 countries [1] [4].


The study found that QR codes were used in 22% of phishing attacks, making them a potential attack vector for delivering malicious payloads. Only 36% of recipients successfully identified and reported a simulated QR code phishing attack [2], leaving many organizations vulnerable [1] [4]. The manufacturing industry was found to be the most susceptible to QR code phishing, while the legal, professional, and business services sectors performed better in reporting the benchmark simulation [2] [4].

The importance of ongoing cybersecurity training was emphasized, starting with onboarding and supplemented by regular refresher courses [4]. These sessions should cover the latest threats, vulnerabilities, and best practices, and be conducted at least every six months [1] [2] [4]. By investing in such training, organizations can improve their cybersecurity posture and reduce their vulnerability to cyber threats.

The Hoxhunt Challenge [1] [3] [4], a project that tests the cybersecurity risks associated with human behavior in large companies, specifically focuses on simulating QR-based phishing attacks to assess employee readiness [3]. In a recent three-week test, 36% of employees were able to identify and report the simulated phishing messages, while over half of the employees failed to recognize the threat [3]. Additionally, 5% of employees scanned the malicious QR code or clicked on a link [3].


The study highlights the need for organizations to address employee susceptibility to QR code phishing attacks. Continuous training for employees is crucial in preventing such attacks and should be prioritized. The findings also underscore the importance of regular updates on the latest threats, vulnerabilities, and best practices [1] [2] [4]. By taking these measures, organizations can enhance their cybersecurity posture and reduce their vulnerability to cyber threats in the future.


[1] https://www.infosecurity-magazine.com/news/qr-codes-used-22-phishing-attacks/
[2] https://betanews.com/2023/10/19/qr-codes-used-in-22-percent-of-phishing-attacks/
[3] https://securityboulevard.com/2023/10/use-of-qr-codes-in-phishing-campaigns-is-on-the-rise/
[4] https://www.linkedin.com/pulse/qr-codes-used-22-phishing-attacks-cybercastrumllp