Litcius/Paper detail

Phishing with Malicious QR Codes

Filipo Sharevski, Amy Devine, Emma Pieroni, Peter Jachim

202231 citationsDOI

Abstract

The use of QR codes for malicious purposes was rather limited in the pre-COVID-19 world. That changed overnight, as the QR codes became a convenient go-between for sharing URLs, including malicious ones. This opens an attractive new way of phishing as QR codes are now widespread. To explore phishing with QR codes (i.e. quishing), we conducted a 173-participant study where we used a COVID-19 digital passport sign-up trial with a malicious QR code as a pretext. We found that 67 % of the participants were keen to sign-up with their Google or Facebook credentials, 18.5% to create a new account, and only 14.5% to skip on the sign-up. Convenience was the single most cited factor for the willingness to yield participants’ credentials. Reluctance of using new services was the reason for creating a new account or skipping the registration. We also developed a Quishing Awareness Scale (QAS) and found a significant relationship between participants’ QR code behavior and their sign-up choices: The ones choosing to sign-up with Facebook scored the lowest while the one choosing to skip the highest on average. We used our results to propose awareness training guidelines as well as develop and test usable security indicators for warning users about the threat of phishing with malicious QR codes.

Topics & Concepts

PhishingComputer scienceSign (mathematics)Computer securityPretextCode (set theory)Internet privacyUSableWorld Wide WebThe InternetMathematicsSet (abstract data type)Political scienceProgramming languageLawPoliticsMathematical analysisSpam and Phishing DetectionUser Authentication and Security SystemsPrivacy, Security, and Data Protection
Phishing with Malicious QR Codes | Litcius