Filipo Sharevski (DePaul University), Mattia Mossano, Maxime Fabian Veit, Gunther Schiefer, Melanie Volkamer (Karlsruhe Institute of Technology)

QR codes, designed for convenient access to links, have recently been appropriated as phishing attack vectors. As this type of phishing is relatively and many aspects of the threat in real conditions are unknown, we conducted a study in naturalistic settings (n=42) to explore how people behave around QR codes that might contain phishing links. We found that 28 (67%) of our participants opened the link embedded in the QR code without inspecting the URL for potential phishing cues. As a pretext, we used a poster that invited people to scan a QR code and contribute to a humanitarian aid. The choice of a pretext was persuasive enough that 22 (52%) of our participants indicated that it was the main reason why they scanned the QR code and accessed the embedded link in the first place. We used three link variants to test if people are able to spot a potential phishing threat associated with the poster’s QR code (every participant scanned only one variant). In the variants where the link appeared legitimate or it was obfuscated by a link shortening service, only two out of 26 participants (8%) abandoned the URL when they saw the preview in the QR code scanner app. In the variant when the link explicitly contained the word “phish” in the domain name, this ratio rose to 7 out of 16 participants (44%). We use our findings to propose usable security interventions in QR code scanner apps intended to warn users about potentially phishing links.

View More Papers

Securing the Satellite Software Stack

Samuel Jero (MIT Lincoln Laboratory), Juliana Furgala (MIT Lincoln Laboratory), Max A Heller (MIT Lincoln Laboratory), Benjamin Nahill (MIT Lincoln Laboratory), Samuel Mergendahl (MIT Lincoln Laboratory), Richard Skowyra (MIT Lincoln Laboratory)

Read More

Unus pro omnibus: Multi-Client Searchable Encryption via Access Control

Jiafan Wang (Data61, CSIRO), Sherman S. M. Chow (The Chinese University of Hong Kong)

Read More

Group-based Robustness: A General Framework for Customized Robustness in...

Weiran Lin (Carnegie Mellon University), Keane Lucas (Carnegie Mellon University), Neo Eyal (Tel Aviv University), Lujo Bauer (Carnegie Mellon University), Michael K. Reiter (Duke University), Mahmood Sharif (Tel Aviv University)

Read More

CAGE: Complementing Arm CCA with GPU Extensions

Chenxu Wang (Southern University of Science and Technology (SUSTech) and The Hong Kong Polytechnic University), Fengwei Zhang (Southern University of Science and Technology (SUSTech)), Yunjie Deng (Southern University of Science and Technology (SUSTech)), Kevin Leach (Vanderbilt University), Jiannong Cao (The Hong Kong Polytechnic University), Zhenyu Ning (Hunan University), Shoumeng Yan (Ant Group), Zhengyu He (Ant…

Read More