Keepnet Labs Logo
Menu
HOME > blog > how to launch a qr code phishing simulation using keepnet quishing simulator

How to launch a QR code phishing simulation using Keepnet Quishing Simulator

QR code phishing is on the rise. Learn how to set up a custom quishing simulation using Quishing Simulator, identify vulnerable users, and improve security awareness with targeted training.

How to launch a QR code phishing simulation using Keepnet Quishing Simulator

QR code phishing attacks have become a rapidly growing threat in recent years. Attackers now leverage these codes to trick users into scanning and engaging with malicious sites, credential harvesting, or downloading malware. As a CISO or security leader, it's critical to train users and test their awareness of this attack vector. While Keepnet Phishing Simulator doesn't offer a built-in feature for QR code phishing, you can still set up a custom simulation using a few workarounds.

Here's a guide on how to run a QR code phishing simulation in your organization.

Why simulate QR code phishing?

Before we dive into the setup, let’s review why this type of simulation is important. Quishing (QR phishing) has seen a rapid increase because it exploits users' trust in QR codes, which became widespread during the pandemic for contactless services like menus, payments, and even vaccination verifications. However, attackers have capitalized on this familiarity to create malicious codes that direct users to phishing websites, as explained in our blog on understanding quishing.

Step-by-Step Guide to Setting Up a QR Code Phishing Simulation

Launching a QR code phishing simulation (quishing) is a game-changer for identifying security gaps in your organization. With Keepnet, you’re not just running a generic test—you’re gaining valuable insights into how well your team can spot and resist these tricky attacks. Whether you need a quick launch or a fully customized campaign, Keepnet has you covered.

Let’s dive into the steps to set up a quishing campaign that fits your exact needs.

Step 1

Log into Keepnet’s Quishing Simulator and click on the + New button to create a new campaign.

You’ll then be asked to choose the campaign type:

  • Email Campaign: Send phishing emails with embedded QR codes.
  • Individual Printout Campaign: Print QR codes on physical documents to distribute to employees.

Once you've selected the type, give the campaign a unique Campaign Name and decide the Tracking Duration—how long you want to track users’ engagement with the phishing attempts.

image5_copy.webp
Picture 1: The Campaign Settings dashboard allows you to input the Campaign Name, set the Tracking Duration, and mark the campaign as a test if needed.

Step 2

Next, select the quishing scenarios you want to use.

You can pick a single QR code phishing template or multiple, which will be distributed randomly among target users. Keepnet allows you to filter the scenarios by:

  • Method (e.g., email, printout)
  • Language (Keepnet supports over 120 languages, ensuring global coverage)
  • Difficulty Level (easy to advanced)

This flexibility ensures the scenarios match your organization’s needs, complexity, and geographical diversity.

The Quishing Scenarios dashboard allows you to choose one or more scenarios, filtering by type, language, and difficulty, with preview options.png
Picture 2: The Quishing Scenarios dashboard allows you to choose one or more scenarios, filtering by type, language, and difficulty, with preview options.

Step 3

Now, choose who will receive the phishing campaign.

  • You can select specific target groups (like departments or locations).
  • Or, randomly select users within the group.

There’s also an option to limit the campaign to users with an active phishing reporter add-in, which makes the simulation more focused and tailored to your security tools.

The Target Audience dashboard shows available user groups, allowing you to select target groups and view their engagement details. .webp
Picture 3: The Target Audience dashboard shows available user groups, allowing you to select target groups and view their engagement details.

Step 4

Finally, configure how and when the emails will be sent:

  • Choose between SMTP or DEC for email delivery.
  • Set a schedule for when the campaign will be launched or send it immediately.
  • For larger campaigns, set a sending limit per batch to avoid overwhelming email systems and ensure emails aren’t flagged as spam. You can also set a delay between batches to space out email deliveries.
The Delivery Settings dashboard lets you set the email schedule, frequency, and batch distribution to avoid sending all emails at once..png
Picture 4: The Delivery Settings dashboard lets you set the email schedule, frequency, and batch distribution to avoid sending all emails at once.

Review everything in the Campaign Summary—this gives you a final preview of the settings, including the email and landing page templates. Once satisfied, click Start to launch your QR code phishing simulation.

The Campaign Summary dashboard gives a final review of your settings, including email previews and sending limits, before you click Launch png.png
Picture 5: The Campaign Summary dashboard gives a final review of your settings, including email previews and sending limits, before you click Launch.

By following these steps, you’ll have a well-structured quishing campaign that helps you identify how prepared your team is against QR code phishing threats. Leverage Keepnet to refine your employees' awareness and improve resilience by up to 90%.

For a more detailed guide, watch the Keepnet video tutorial that explains how to set up a quishing campaign for your organization.

Why You Should Care About QR Code Phishing

Running QR code phishing simulations isn't just about catching people off guard; it’s about raising awareness of emerging threats. Many employees feel safe scanning QR codes, especially in trusted environments. This makes them a perfect target for attacks, as described in our detailed analysis of QR code phishing trends.

Remember, a single slip-up can compromise sensitive data or user credentials. By proactively testing your users, you gain valuable insights into who needs additional training and how your team responds to unconventional phishing techniques.

If you want to stay ahead of the curve, Keepnet Phishing Simulator is an excellent tool for running custom phishing attacks, as detailed in our phishing risk score analysis.

Keepnet Quishing Simulator: Enhancing Security Awareness Training

The rise of quishing means that security teams need to be creative in how they test and train their employees. By setting up a QR code phishing simulation using Keepnet QR code Phishing Simulator, you can gauge your organization's awareness and better prepare your users against this growing threat.

Why Use the Keepnet Quishing Simulator?

  1. Increase Awareness of Emerging Threats: QR codes have become commonplace in daily life—from menus to payments, they are seen as a quick, convenient solution. However, attackers are taking advantage of this trust, embedding malicious links in QR codes to compromise sensitive information. Using the Keepnet Quishing Simulator, you can teach your employees the risks associated with scanning untrusted QR codes, which are often overlooked in traditional email-based phishing training.
  2. Realistic Simulations for Effective Learning: With Keepnet's platform, you can create custom QR code phishing simulations that mimic real-world attacks. Employees are sent phishing emails containing QR codes they may be tempted to scan. When they scan the code, they’re directed to a simulated phishing page designed to collect sensitive information. This realistic approach helps employees internalize the dangers of quishing and become more cautious in real-world scenarios.
  3. Comprehensive User Tracking and Reporting: The Keepnet Quishing Simulator provides in-depth analytics and reporting features, tracking user engagement with the phishing attack. You can monitor which users scanned the QR code, clicked on the fallback phishing URL, or submitted credentials. These insights allow security teams to identify vulnerable employees and provide targeted follow-up training.
  4. Phishing Risk Scoring: By integrating quishing simulations into your overall security awareness strategy, Keepnet’s Phishing Risk Score system allows you to gauge each employee's likelihood of falling for phishing attacks. This enables you to adjust training programs for those at higher risk and reduce your organization’s overall attack surface.

Train your users with dynamic simulations and see awareness levels improve by up to 92%. Run QR code phishing tests with Keepnet’s comprehensive suite of tools today and make sure your organization is prepared for the latest threats.

SHARE ON

twitter
linkedin
facebook

Schedule your 30-minute private demo now.

You'll learn how to:
tickTrain your employees to recognize and avoid quishing attacks using dynamic QR code phishing simulations.
tickBoost your defense with customized simulations that reduce phishing success rates and improve employee vigilance against emerging threats.
tickImprove security awareness with detailed reports and tracking, so you can identify vulnerable employees and provide targeted training.

Frequently Asked Questions

1. What is QR code phishing, and why should I simulate it?

arrow down

QR code phishing (also known as quishing) involves using a QR code to direct users to malicious websites or phishing pages. Attackers exploit users' trust in QR codes, especially after the rise in their use during the pandemic. Simulating this type of attack helps security teams assess how vulnerable their users are to this emerging threat and raise awareness around QR code risks.

2. Can I directly generate QR codes using Keepnet Phishing Simulator?

arrow down

No, Keepnet Phishing Simulator does not currently have a built-in QR code generator. However, you can create your own QR code generator externally using a service like Azure and embed the generated code into a phishing simulation email template.

3. How do I ensure my phishing emails with QR codes aren't sent to spam?

arrow down

To prevent phishing emails from being flagged as spam, you need to add the sender's email address to the users' Safe Senders List in Office 365. This can be done by running a PowerShell script that adds your chosen attack email (e.g., hr@example.com) to the trusted senders list for all users. This ensures the email lands in users' inboxes.

4. What should the phishing email template include?

arrow down

Your phishing email template should have:

  • A QR code image that links to the phishing URL (hosted by your QR generator).
  • A fallback phishing URL (text link) embedded in the email body, as some email providers may flag an email with just a QR code as suspicious.
  • A context that seems familiar and trustworthy to users, such as a benefits update or company policy change, to increase the likelihood of interaction.

5. Can I track which users scan the QR code or click on the phishing link?

arrow down

Yes, using Keepnet Phishing Simulator, you can track user engagement, including:

  • Who scanned the QR code (redirecting to the phishing landing page).
  • Who clicked the backup phishing URL in the email body. These actions are logged, and the simulator provides detailed metrics on which users fell for the attack.

6. What results can I expect from a QR code phishing simulation?

arrow down

The effectiveness of a QR code phishing simulation depends on your users’ awareness. For instance, a recent simulation showed a 6% compromise rate, which is higher than the typical 3% compromise for email phishing. This suggests that many users are still unaware of the risks associated with scanning untrusted QR codes.

7. How often should I run QR code phishing simulations?

arrow down

To maintain high levels of security awareness, it is recommended to run phishing simulations, including QR code phishing, at least quarterly. Rotating different phishing tactics—such as quishing, vishing, and traditional email phishing—ensures that users are continuously exposed to new threats and can recognize different types of social engineering attacks.