Physical QR code phishing campaigns allow you to test how your users will react to finding an unexpected QR code. For example, if your users see a QR code on a poster in a familiar location, they may scan it and open the link without verifying that the link is secure. QR codes can contain data such as a link to a website, location, or digital business card. Malicious links hidden in QR codes may be able to bypass your organization's security filters.

To train your users on QR code phishing attacks, you can create physical QR code phishing campaigns. These campaigns will allow you to download and print your own QR code posters to place in planned locations. Then, you can use your KSAT console to see if your users are scanning the QR codes.

To learn how to create a QR code phishing campaign and then view your campaign results, see the sections below.

Creating the Campaign

To create a physical QR code phishing campaign, follow the steps below:

1. Log in to your KSAT console.
2. Navigate to Physical Tests > Physical QR Code.
3. Click the Create New Physical QR Campaign button.
4. On the Create New Physical QR Campaign page, fill out the fields to customize your campaign. For information about these fields, see the screenshot and list below:

   a. Campaign Name: In this field, enter a name for your campaign.

   b. Notes: In this field, enter any notes about the campaign, such as a description.

   c. Template Selection: In this drop-down menu, select a poster template.

   d. Phish Link Domain: In this drop-down menu, select the domain to use in a simulated phishing link embedded in a QR code. Your users will be able to access the link if they scan the physical QR code.

   e. Landing Page: In this drop-down menu, select the page that opens when a user scans the physical QR code. If you don't select a landing page, then the default landing page set in your Account Settings will be used.

   Tip: When you select your landing page, you can select a data entry landing page to test whether your users will share sensitive information after scanning a QR code. For more information, see our How To Use Data Entry Landing Pages article.
   
5. Click the Create Campaign button.

Starting the Campaign

Once you have created a physical QR code phishing campaign, you’ll be taken to the campaign Overview page automatically. You can also access this page by navigating to Physical Tests > Physical QR Codes in your console and then selecting the campaign's name.

To start your physical QR code phishing campaign, follow the steps below:

1. Click the +Add Location button and enter the name of a location where you’ll place a poster. You can enter multiple locations for the campaign.
2. Click the download icon in the Download Poster column to download a location’s poster as a PDF file. You’ll need to download the poster for each location.
3. Click the Start Campaign button.
   Note: You must click this button before the console will track any scanned results.
4. Print your posters.
5. Place your posters in your specified locations.

Monitoring the Campaign

Once you start your campaign, you can monitor it from your console. To monitor your campaign, navigate to Physical Tests > Physical QR Code and select the campaign's name. The Overview subtab will display your locations, the number of times a QR code has been scanned, and the number of times data has been entered on a landing page.

For more information about the failures, select the Details subtab. From this subtab, you can view the date and time that QR codes were scanned or data was entered. You can also view additional details, such as the location of the scan and the device used for the scan.

From the Details subtab, you can also download a CSV file of your campaign results. To download this file, click the Download QR Scans CSV Report button.

Ending the Campaign

There is no specified duration for how long a physical QR code phishing campaign will run. When you're ready to stop tracking the QR code scans in this campaign, you can click the End Campaign button on the Overview subtab.

Once you’ve ended a campaign, QR codes associated with this campaign will no longer work.