This article explains how to run a QR Phishing simulation exercise in physical format with SMARTFENSE: create the campaign with a scenario that includes a QR code, print the material, and review the statistics in the campaign Audit.
What is a QR Phishing simulation campaign?
QR Phishing campaigns measure user behavior when faced with a malicious QR code physically placed in the organization (for example, on a poster, elevator, or cafeteria). The flow relies on a Phishing or Ransomware campaign that uses a scenario with QR: the QR is printed and placed in the desired location, and when scanned it redirects the user to the scenario's landing page.
Important considerations
- Maximum duration: 4 days, as with all other simulation campaigns.
- Risk for the assigned user: the user assigned to the campaign will generate risk actions and will have a high Scoring. To avoid this impact you can:
  - Mark the campaign as Test campaign, so no audit record is associated with the user.
  - Or, once the campaign ends, deactivate the user.
- Removing the physical material: remove the printed QR when the campaign ends so that later scans do not redirect to a 404 error.
Create the campaign
- Define the scenario you will use: Phishing or Ransomware, and decide whether to include a Teachable Moment.
- From the main menu, go to Campaigns > Calendar.
- Click the New campaign button and select Phishing or Ransomware depending on the desired scenario.
- Click the More options button, go to Users and select a single user.
- Select the scenario with QR you want to use.
- Configure the start and expiration dates respecting the 4-day maximum duration.
- Define whether you will add a Teachable Moment and the action that will trigger it (for example, entering data on the landing page).
- Complete the rest of the campaign details and click the Save button.
- Once the campaign is in progress, open the scenario's email, print the QR, and place it in the desired location.
- When the campaign ends, remove the QR from the selected location.
Review campaign statistics
Scanning the QR can take the user to the landing page where they can enter data. If they do, a Teachable Moment can be displayed and, optionally, a final validation question.
To review the results:
- Go to the campaign Audit.
- Open the Users assigned to the campaign tab.
- Click on the username of the assigned user to access the detail and view:
  - How many times the QR was scanned, recorded as Link click.
  - Whether they entered data on the landing page.
  - Whether they viewed the Teachable Moment and, if it has a validation question, whether it was answered correctly.
Limitations and privacy notes
It is not possible to identify precisely who scanned a physical QR Phishing code: the scan itself does not reveal the user's identity. Only the general behavior of people who find a physical QR in the organization is measured.
The destination landing page does not store credentials, so there is no direct link between a scan and a specific person.
💡 Best practices
- Mark the campaign as Test campaign when you need to avoid impact on the user's Scoring and audit records.
- Document the date, time, and location where you placed each QR to analyze the results with greater context in the Audit.
- Remove the physical material when the campaign ends to avoid later access and 404 errors.
- Use a believable design (logo, brief message, and call to action) to simulate a realistic case without causing operational confusion.