When you create a phishing campaign, you have the option to test your users with QR codes instead of phishing links or attachments. QR codes, or quick response codes, are scannable barcodes that contain data in a compact format. QR codes can contain data such as a link to a website, a location on a map, or a digital business card. If your users scan a malicious barcode, they could be prompted to visit a dangerous website. Additionally, malicious links hidden in QR codes may be able to bypass your organization's security filters.

QR code PSTs can help prepare your users for real QR code phishing attacks. For example, your users may be used to using a QR code to view the online menu at their favorite restaurant. Unfortunately, not all QR codes are safe to scan. Using QR code phishing, you can train your users how to spot fake QR codes.

Creating a QR Code Phishing Campaign

You can create a QR code phishing campaign from the Phishing tab of your KSAT console. When you create the campaign, you will need to select our QR Code template category. If your users scan these QR codes or enter data after scanning these QR codes, the results will be tracked in your KSAT console.

To create a QR code phishing campaign, follow the steps below:

1. From your KSAT console, navigate to the Phishing tab.
2. Click the Create Phishing Campaign button.
3. In the Template Categories drop-down menu, select QR Code.
4. From the second Template Categories drop-down menu, select a template or choose an automated template option. For more information about the automated template options, see our Automated Template Selections article.
5. Fill out the rest of the fields on the page. For more information about the available fields, see the Create a Phishing Campaign section of our Creating and Managing Phishing Campaigns article.
   Tip: When you select your landing page, you can select a data entry landing page to test whether your users will share sensitive information after scanning a QR code. For more information, see our How To Use Data Entry Landing Pages article.
6. Click the Create Campaign button.

Example QR Code PST

When your users receive a QR code PST email, the QR code will display in the body of the email. For an example of a QR code PST, see the image below:

The QR code will be a unique link for each user. If a user scans the QR code with their mobile device, they will be redirected to the landing page. Scanning the QR code will be recorded as a failure.

Viewing QR Code PST Results

You can view the results of your QR code PSTs from the Campaigns subtab or from a specific user's User Details page in your KSAT console. For more information about viewing QR code PST results, see the subsections below.

Viewing QR Code PST Results from the Campaigns Subtab

To view the results of a QR code PST from the Campaigns subtab, follow the steps below:

1. In your KSAT console, navigate to Phishing > Campaigns.
2. Click on the name of the phishing campaign that you want to view the results for.

3. Click the Phishing Security Tests subtab.

   Important:If you sent the QR code PST as a one-time phishing campaign, skip this step and step 4 below.
4. Click on the name of the QR code PST.
5. From the PST’s overview page, click the Users subtab.

The Users subtab will provide information about your users’ QR code PST results, such as which users scanned the QR code and which users entered data into a landing page.From the Users subtab, you have the option to download the full list of PST results as a CSV file. To do so, click the Download CSV button. An example of this CSV file is shown below:

To learn more about viewing PST results, see our How to Monitor and Review Phishing Campaigns article.

Viewing QR Code PST Results from the User Details Page

You can also view whether a specific user failed your QR code PST from a user's User Details page. To view a specific user’s PST failures, follow the steps below:

1. In your KSAT console, navigate to the Users tab.
2. From the user list, click on the name of the user whose results you would like to view. When you click on the user’s name, the user’s User Details page will open.
3. From the User Details page, select the Phishing subtab.

From the table on the Phishing subtab, you can view the QR Code Scanned column to see if the user has failed a QR code PST. If the user failed a QR code PST, a check mark will display in the column.