Using QR Code PSTs
In a phishing campaign, you have the option to test your users with simulated phishing attacks that use QR (quick response) codes as an attack vector. QR codes are scannable barcodes that contain data in a compact format, such as a link to a website, a location on a map, or a digital business card. Cybercriminals can include QR codes in phishing emails and then manipulate your users into scanning them. Scanning the barcode can lead your users to a malicious website in the same way that clicking a phishing link can. Because the link is encoded in an image rather than written out as text, a malicious link hidden in a QR code can bypass security software that filters out standard URLs.
A phishing security test (PST) that uses a QR code as a phishing attack vector will help you to prepare your users for real QR code phishing attacks. For example, if an inexperienced user is presented with a QR code disguised as an updated menu link from a nearby restaurant, the user may be more likely to trust a link coming from a QR code when they have previously used that method to access restaurant menus. Training your users with this attack vector can help them learn to stay alert when presented with potentially malicious QR codes.
See the sections below to learn how to create a QR code phishing campaign and view campaign results.
Creating a QR Code Phishing Campaign
You can create a QR code phishing campaign from the Phishing tab of your KMSAT console. When you create the campaign, select our QR Code template category. Once the test runs, QR code scans and any data your users enter when interacting with these templates will be tracked.
To create a QR code phishing campaign, follow the steps below:
- From your KMSAT console, navigate to the Phishing tab.
- Click the Create Phishing Campaign button.
- In the Template Categories drop-down menu, select QR Code.
- From the second drop-down menu, select a template or choose an automated template option. For more information about the automated template options, see our Automated Template Selections article.
- Fill out the rest of the fields on the page. For more information about the available fields, see the Create a Phishing Campaign section of our Creating and Managing Phishing Campaigns article.
  Tip: When you select your landing page, you can select a data entry landing page to test whether your users will enter information. See our How To Use Data Entry Landing Pages article for more information.
- Click the Create Campaign button.
Example QR Code PST
When your users receive a QR code PST email, the QR code is displayed in the body of the email. Below is an example of a QR code PST.
The QR code functions as a unique link for each user. If a user scans the QR code with their phone, the phone will open the landing page. This action will be recorded as a failure.
Below is an example of a landing page.
Viewing QR Code PST Results
You can view the results of your QR code PSTs from the Campaigns subtab and the User Details page. For more information, see the subsections below.
Viewing Phishing Campaign Results
To view the results of an individual phishing campaign, navigate to Phishing > Campaigns in your KMSAT console.
From the Campaigns subtab, select the Users subtab. This subtab will provide information about your users’ QR code PST results, such as which users scanned the QR code and which users entered data into a landing page.
From the Users subtab, you can click the Download CSV button to download the full list of results as a CSV file.
To learn more about viewing PST results, see our How to Monitor and Review Phishing Campaigns article.
Viewing Results from User Details
You can view whether a specific user failed your QR code PST from the Phishing tab of their user profile. From the Users subtab, you can select an individual user and view all of their results from the User Details > Phishing subtab.