Hoxhunt reveals the QR Code Phishing surged in 2023

2023 was the year of QR Phishing as attacks surged by 22X. Nearly non-existent

in 2022, QR Phish comprised roughly one-quarter (22%) of all attacks on our user

network by October 2023. They have since subsided by 5X, as email filters have gotten better at detecting them.

While many know the risks of clicking on a suspicious link or file, fewer are aware that QR codes can also deliver malware or credential harvesters. In a benchmark study of nearly 600,000 employees in 125 countries, Hoxhunt found that just over one-third (36%) of recipients successfully identified and reported the simulated attack, while nearly 2/3 missed it (59%), and 5.5% of employees scanned the QR code or clicked a link. The 5.5% overall simulation failure rate was higher than the roughly 4% global failure rate. Interestingly, over 2.5 times as many users clicked a malicious link in the traditional way than scanned the simulated malicious QR code: 3.9% clicked, and 1.6% scanned. Attackers likely found QR Phishing attractive because they bypassed email filters more effectively than malicious links, although that trend appears to have reversed as email gateways have hardened their defenses against malicious QR codes.

Hoxhunt also uncover the full insight of Phishing and Cyber Behavior Trends 2024 as the eBook which get actionable insights from 1.6 million user clicks on over 15 million phishing simulations, and even more real attacks. To get it Click

This report includes previously unreported metrics on dwell time and real threat detection, helping paint a clearer picture of evolving trends in the phishing landscape and its effect on human cyber behavior.

Hoxhunt is a Human Risk Management platform that goes beyond security awareness to drive behavior change and measurably lower risk. Data breaches start with people, so Hoxhunt does too. We combine AI and behavioral science to create individualized micro-training experiences people love. Employees learn to detect and report advanced phishing attacks. Operations teams respond fast with limited resources. And security leaders gain outcome-driven metrics to document reduced cybersecurity risk.