DOI: 10.1145/3549015.3554172
research-article

Phishing with Malicious QR Codes

Published: 29 September 2022

Abstract

The use of QR codes for malicious purposes was rather limited in the pre-COVID-19 world. That changed overnight, as QR codes became a convenient go-between for sharing URLs, including malicious ones. Because QR codes are now widespread, this opens an attractive new avenue for phishing. To explore phishing with QR codes (i.e., quishing), we conducted a 173-participant study in which we used a COVID-19 digital passport sign-up trial with a malicious QR code as a pretext. We found that 67% of the participants were keen to sign up with their Google or Facebook credentials, 18.5% to create a new account, and only 14.5% to skip the sign-up. Convenience was the single most cited factor for participants’ willingness to yield their credentials. Reluctance to use new services was the reason for creating a new account or skipping the registration. We also developed a Quishing Awareness Scale (QAS) and found a significant relationship between participants’ QR code behavior and their sign-up choices: those choosing to sign up with Facebook scored the lowest, while those choosing to skip scored the highest on average. We used our results to propose awareness training guidelines as well as to develop and test usable security indicators for warning users about the threat of phishing with malicious QR codes.

Published In

EuroUSEC '22: Proceedings of the 2022 European Symposium on Usable Security
September 2022
232 pages
ISBN:9781450397001
DOI:10.1145/3549015
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. QR codes
  2. phishing
  3. phishing awareness training
  4. usable security

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

EuroUSEC 2022
EuroUSEC 2022: 2022 European Symposium on Usable Security
September 29 - 30, 2022
Karlsruhe, Germany

Cited By

  • (2025) Strengthening Cybersecurity: The Influence of Student Behavior, Perceived Factors, and Mitigating Strategies on Phishing Attack Perception. Web Information Systems Engineering – WISE 2024 PhD Symposium, Demos and Workshops, 313-329. DOI: 10.1007/978-981-96-1483-7_27. Online publication date: 28-Feb-2025
  • (2024) A multi-layered security model to counter social engineering attacks: a learning-based approach (Ein mehrschichtiges Sicherheitsmodell gegen Social-Engineering-Angriffe – ein lernbasierter Ansatz). International Cybersecurity Law Review 5:2, 313-336. DOI: 10.1365/s43439-024-00119-z. Online publication date: 18-Apr-2024
  • (2024) Impact Analysis and Attack Simulation on Quishing (a QC Code Phishing) using QRLJacker. 2024 International Conference on Electrical, Computer and Energy Technologies (ICECET, 1-5. DOI: 10.1109/ICECET61485.2024.10698628. Online publication date: 25-Jul-2024
  • (2024) Empowering Shared Mobility Vehicle Riders, Stopping Scams: A Cyber Kill Chain and Awareness Approach to QRishing on College Campuses. 2024 Cyber Awareness and Research Symposium (CARS), 1-7. DOI: 10.1109/CARS61786.2024.10778789. Online publication date: 28-Oct-2024
  • (2024) Investigating University QR Code Interactions. HCI for Cybersecurity, Privacy and Trust, 204-214. DOI: 10.1007/978-3-031-61382-1_13. Online publication date: 29-Jun-2024
  • (2024) Caught Off Guard. Security and Privacy 8:1. DOI: 10.1002/spy2.486. Online publication date: 10-Dec-2024
  • (2023) QRAuth: A Secure and Accessible Web Authentication Alternative to FIDO2. 2023 16th International Conference on Information Security and Cryptology (ISCTürkiye), 1-7. DOI: 10.1109/ISCTrkiye61151.2023.10336164. Online publication date: 18-Oct-2023
  • (2023) The development of phishing during the COVID-19 pandemic. Computers and Security 128:C. DOI: 10.1016/j.cose.2023.103158. Online publication date: 1-May-2023
