Filipo Sharevski (DePaul University), Mattia Mossano, Maxime Fabian Veit, Gunther Schiefer, Melanie Volkamer (Karlsruhe Institute of Technology)

QR codes, designed for convenient access to links, have recently been appropriated as phishing attack vectors. As this type of phishing is relatively and many aspects of the threat in real conditions are unknown, we conducted a study in naturalistic settings (n=42) to explore how people behave around QR codes that might contain phishing links. We found that 28 (67%) of our participants opened the link embedded in the QR code without inspecting the URL for potential phishing cues. As a pretext, we used a poster that invited people to scan a QR code and contribute to a humanitarian aid. The choice of a pretext was persuasive enough that 22 (52%) of our participants indicated that it was the main reason why they scanned the QR code and accessed the embedded link in the first place. We used three link variants to test if people are able to spot a potential phishing threat associated with the poster’s QR code (every participant scanned only one variant). In the variants where the link appeared legitimate or it was obfuscated by a link shortening service, only two out of 26 participants (8%) abandoned the URL when they saw the preview in the QR code scanner app. In the variant when the link explicitly contained the word “phish” in the domain name, this ratio rose to 7 out of 16 participants (44%). We use our findings to propose usable security interventions in QR code scanner apps intended to warn users about potentially phishing links.

View More Papers

Pisces: Private and Compliable Cryptocurrency Exchange

Ya-Nan Li (The University of Sydney), Tian Qiu (The University of Sydney), Qiang Tang (The University of Sydney)

Read More

ShapFuzz: Efficient Fuzzing via Shapley-Guided Byte Selection

Kunpeng Zhang (Shenzhen International Graduate School, Tsinghua University), Xiaogang Zhu (Swinburne University of Technology), Xi Xiao (Shenzhen International Graduate School, Tsinghua University), Minhui Xue (CSIRO's Data61), Chao Zhang (Tsinghua University), Sheng Wen (Swinburne University of Technology)

Read More

You Can Use But Cannot Recognize: Preserving Visual Privacy...

Qiushi Li (Tsinghua University), Yan Zhang (Tsinghua University), Ju Ren (Tsinghua University), Qi Li (Tsinghua University), Yaoxue Zhang (Tsinghua University)

Read More

Security Awareness Training through Experiencing the Adversarial Mindset

Jens Christian Dalgaard, Niek A. Janssen, Oksana Kulyuk, Carsten Schurmann (IT University of Copenhagen)

Read More