This blog is the first in a series about our report we developed with Osterman Research, Enterprise Insights - Image-Based and QR Code Phishing Attacks (you can read the report here).

In 2023, the cybersecurity community (myself included) found ourselves at a familiar crossroads, facing an evolving threat landscape that seemed to echo past patterns while charting new territories of risk. QR Code attacks, or "Quishing," alongside the rise of sophisticated image-based phishing tactics, became central themes in our dialogues and strategies. It was a curious development—one that seemed propelled as much by our collective focus within the industry as by the genuine emergence of these threats in the wild.

This observation caused me to wonder…were we, the cybersecurity vendors and experts, amplifying the signal before its true impact was felt by those we aim to protect? It felt like a classic case of which came first, the chicken or the egg, that I just had to dig into.

A Personal Quest for Clarity

After two decades in the cybersecurity field, I've seen my share of threats evolve from crude attempts to the highly sophisticated strategies we face today. But the emergence of Quishing and the increase in image-based attacks struck a different chord. Particularly alarming was an attack I came across (detailed here Vendor Spoof Attack Exposes Business Email Credentials), where the bad guys didn't just impersonate a trusted entity, they crafted their phishing emails as images, perfectly mimicking secure document notifications. And these weren't random attempts…they were calculated, targeting industries ingrained in the daily use of such communications.

The precision and the (clever) exploitation of familiar workflows (think DocuSign, Microsoft, Adobe, and Google Docs) to trick and defraud recipients underscored a terrifying efficiency. I get it...any of us, engrossed in our daily tasks and bombarded with a continuous feed of genuine notifications, could easily fall prey to these deceptions.

It wasn't just about the novelty of these methods but their predatory use of routine and trust. I wanted to understand the extent of these threats beyond the anecdotal “threat of the month.” Outside of our own data, I wanted to find out how pervasive they are, and if the security stacks deployed were actually doing their job.

Embarking on the Osterman Research

Partnering with Osterman Research, I set out to uncover the reality behind these emerging threats. What we discovered was a security-confidence dichotomy that was startling, even to someone as seasoned (ahem…jaded) as myself. The data revealed not just a gap but a chasm between the perceived effectiveness of organizations’ defenses and the reality of their performance against Quishing and image-based attacks (over 70% believed their email security was effective, but only 5.5% blocked all attacks in the past year). This revelation was a humbling moment, a reminder that even in the midst of our advanced artificial intelligence and machine learning technologies and strategies, we might be overlooking the fundamental unpredictability of human behavior and the innovative persistence of threat actors.

There’s more. The research revealed a troubling trend: despite advanced email security technologies, a significant portion of these attacks (75.8% of organizations faced compromises from image-based and QR code phishing in the past year) are regularly breaching defenses. It’s a clear sign that as an industry, we might need to rethink our approach to cybersecurity training and awareness. The fact that these sophisticated attacks are so common, yet security leaders’ confidence in detection and prevention remained high, points to a disconnect that deserves some deep thinking and a strategic shift.

Looking Ahead

As I share these insights and reflections, my goal is not only to outline the vulnerabilities and challenges we face but also to spark a dialogue about resilience, adaptation, and the ongoing evolution of our cybersecurity landscape. This research journey has been both enlightening and sobering, reinforcing the idea that in the fight against cyber threats, our most valuable assets are not just the technologies we employ but also the knowledge we share and the collective vigilance we cultivate.

In the upcoming posts of this series, we'll dive into the strategic implications of these findings, examining how organizations can strengthen their defenses against these nuanced threats and what the future holds for email security in our ever-changing digital environment.

In the meantime, please take a look at the report, I hope you'll find it interesting!