QR/Quishing: Camera-Based Social Engineering Simulation

PTEF-Aligned: Profile → Tailor → Simulate → Evaluate → Evolve

Threat Narrative

QR-based attacks (quishing) exploit the fact that a code scanned with a phone resolves on that phone, usually in a mobile browser and often on a personal handset, so the destination never passes through the email gateway, web proxy, or link-rewriting controls that inspect URLs in mail. Threat actors place malicious QR codes in physical environments (posters, meeting rooms, parking kiosks) or embed them as images in messages, where text-based link scanning cannot see the URL, to drive victims to unsafe destinations: credential-capture lookalikes, payment fraud pages, or deceptive support flows. Cyberorca simulates quishing under written authorization to measure user behavior, physical security readiness, and the organization's ability to detect, report, and remove suspicious QR placements quickly.

How Cyberorca Runs This Service

Governance applies across all phases.

1. Profile & Scope

Site Scoping & Approval Controls — Define approved sites/areas, placement locations, time windows, and "do-not-place" zones. Coordinate with security, facilities, and communications. Document a placement/removal plan.

2. Tailor Scenarios & Controls

Scenario Design (Realistic, Non-Harmful) — Create QR experiences aligned to real workflows (visitor sign-in, parking payment, IT support, surveys) using landing pages on tester-controlled domains that accept no real input, followed by clear post-interaction education.

3. Simulate (Controlled Execution)

Controlled Deployment (Physical + Digital) — Deploy QR codes only in approved locations and formats, each code unique to its placement so scans can be attributed and any single code recalled, with live monitoring and a kill switch that turns every live code into an education page. Maintain an inventory of placed codes (location, zone, time placed) for immediate removal.

4. Evaluate (Telemetry & Reporting)

Safe Telemetry & Reporting — Measure scans, page interactions, and reporting behavior using minimal data. No real credentials are collected or stored—ever. Prefer aggregate reporting by location/department.
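The Simulate and Evaluate steps above imply a small tracking back end: per-placement signed tokens so scans map to a location without identifying the scanner, a kill switch and inventory for removal, a landing form that discards whatever is typed, and aggregate scan/report counts by location. The following Python sketch is an added illustration written for this page; it is not Cyberorca's tooling. The host name, signing key, do-not-place zone names, and all inputs are constructed assumptions, and QR image rendering is left to any QR library of your choice.

```python
"""Hypothetical tracking back end for an authorized QR simulation.

Constructed example, not from the original page. Each placed code gets
a random id plus a truncated HMAC tag, so tokens guessed by a scanner or
typed at random cannot pollute the metrics. Telemetry is limited to
(code_id, action) pairs; no identity and no form contents are stored.
"""
import hashlib
import hmac
import secrets
from collections import Counter

# Assumptions for this example (not from the page):
SIGNING_KEY = b"engagement-key-rotate-per-engagement"   # per-engagement secret
LANDING_HOST = "https://awareness.example.invalid"       # tester-controlled host
DO_NOT_PLACE = {"lobby-public", "emergency-exit"}        # zones agreed in scoping


def _tag(code_id: str) -> str:
    """Truncated HMAC-SHA256 over the code id; 64 bits is ample for noise rejection."""
    return hmac.new(SIGNING_KEY, code_id.encode(), hashlib.sha256).hexdigest()[:16]


def make_token(code_id: str) -> str:
    """Token embedded in the QR URL: '<code_id>.<tag>'."""
    return f"{code_id}.{_tag(code_id)}"


def parse_token(token: str):
    """Return the code id if the tag verifies, else None."""
    code_id, sep, tag = token.partition(".")
    if not sep or not hmac.compare_digest(tag, _tag(code_id)):
        return None
    return code_id


class QrCampaign:
    def __init__(self):
        self.inventory = {}   # code_id -> placement record (location, zone, scenario, removed)
        self.events = []      # minimal telemetry: (code_id, action)
        self.killed = False   # kill switch: every live code becomes an education page

    def place(self, location: str, zone: str, scenario: str) -> str:
        """Register a placement and return the URL to encode in the QR image."""
        if zone in DO_NOT_PLACE:
            raise ValueError(f"zone {zone!r} is a do-not-place zone")
        code_id = secrets.token_hex(4)
        self.inventory[code_id] = {"location": location, "zone": zone,
                                   "scenario": scenario, "removed": False}
        return f"{LANDING_HOST}/s/{make_token(code_id)}"

    def remove(self, code_id: str) -> None:
        """Physical removal recorded; later scans of that code get education only."""
        self.inventory[code_id]["removed"] = True

    def kill_switch(self) -> None:
        self.killed = True

    def _live(self, token: str):
        """Placement record if the token verifies and the code is still live."""
        code_id = parse_token(token)
        if code_id is None or code_id not in self.inventory:
            return None, None            # forged or unknown: not counted
        rec = self.inventory[code_id]
        if self.killed or rec["removed"]:
            return code_id, None
        return code_id, rec

    def handle_scan(self, token: str) -> str:
        """Page to serve for a scan: the scenario page, or education if not live."""
        code_id, rec = self._live(token)
        if rec is None:
            return "education"
        self.events.append((code_id, "scan"))
        return f"scenario:{rec['scenario']}"

    def handle_submit(self, token: str, form: dict) -> str:
        """Landing-page form post. The form body is deliberately never read or
        stored (it may contain a real password); only the fact of an interaction
        is recorded, and the user is shown the education page."""
        code_id, rec = self._live(token)
        if rec is not None:
            self.events.append((code_id, "submit"))
        return "education"

    def report(self, code_id: str, channel: str) -> None:
        """A user reported the placement; security mapped it to a code via the inventory."""
        self.events.append((code_id, f"report:{channel}"))

    def metrics(self) -> dict:
        """Aggregate by location: scans, submits, reports, and report rate per scan."""
        by_loc = {}
        for code_id, action in self.events:
            loc = self.inventory[code_id]["location"]
            by_loc.setdefault(loc, Counter())[action.split(":")[0]] += 1
        return {loc: {"scans": c["scan"], "submits": c["submit"], "reports": c["report"],
                      "report_rate": round(c["report"] / c["scan"], 2) if c["scan"] else 0.0}
                for loc, c in by_loc.items()}
```

Two design points worth copying: the scanner's identity is never part of the token or the event, so per-person reporting is impossible by construction rather than by policy, and the kill switch and removal checks sit in front of every handler so a recalled code cannot keep generating scenario pages or telemetry.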

5. Evolve (Remediation & Hardening)

Remediation & QR Hygiene Improvements — Deliver targeted coaching and practical controls: QR placement governance, signage standards, awareness cues, and recommended mobile protections where applicable.

Metrics & Outcomes

Scan Rate by Location/Scenario (where QR trust is highest)
Report Rate (who reports suspicious QR and via what channel)
Repeat Exposure Rate (users who repeat risky behavior across waves)
QR Hygiene Adoption (official signage standards, verification prompts, awareness cues)
Note: Outcomes vary based on baseline posture, physical access controls, and program maturity.

Governance & Ethics

  • Written Authorization & Site Security Approval: documented approval from security/facilities and defined time windows
  • No Public Harm: must not expose the public, disrupt operations, or mimic emergency messaging; do-not-place zones enforced
  • No Harmful Payloads: no malware, no exploits, no real credential collection; simulated and educational only
  • Data Minimization & Retention: minimal telemetry; aggregated by default; RBAC and audit trails; defined retention

Engagement Model

  • QR Baseline Assessment (2–4 weeks): placement + hotspot report + removal-readiness review
  • Quarterly QR Resilience Program: quarterly simulations + trendline reporting + QR hygiene policy rollout
  • Physical + Digital Program: integrated with smishing/email to measure cross-channel behavior and improve reporting and response speed