QR codes have become ubiquitous in our digital lives, offering a quick and convenient way to access content. However, their simplicity and widespread adoption also present some glaring cybersecurity risks. With Lucy, QR codes can be used as a hands-on teaching mechanism to illustrate both the power and the perils of this technology.

In general, QR codes can be used anywhere a traditional hyperlink would work. In practice using a QR code can change the way your users interact with the material, and this should be considered when designing your QR-based campaign. This example will cover a basic hyperlink campaign using a QR code in place of the link, but there are many creative ways to use QR codes in your training.

On the homepage, click +New Campaign and select the hyperlink attack scenario, then click Next.

In the next step search for a QR template and select it, then click Next.

Give the campaign a name and client. Optionally, choose an end date for the campaign and/or have a report sent to you by email when the campaign stops.

For awareness campaigns you can use your system domain, but for attacks it's strongly recommended you use a separate domain dedicated for this purpose. This page might be useful to you: domain configuration in Lucy

Whatever domain you choose, make sure the sender email is the same domain (including the subdomain if present).

Select your template's language. You can edit the content of the email here, but there are more editing options available after we finish with the wizard.

We'll add an awareness exercise to the campaign and send it to anyone who falls for the attack. You can use the system domain here to host the awareness content, and once again be sure the sender email domain matches.

Add a recipient group to the campaign and click Next.

If you don't see your recipient group in the options, check the group's client. It must be the same as the campaign's client.

Review and confirm all your settings and then initiate a test run to confirm the campaign is working. If you like you can instead select Go to campaign to configure things like additional groups, templates, a schedule, and more. If you're ready, select Start campaign to initiate the campaign and send the emails.

QR codes function like hyperlinks - when the link is opened it sends a packet back to Lucy containing click data. With this in mind, it should be clear that QR codes can be inserted into Lucy templates anywhere a hyperlink can be used. Whether that is in the email message itself, hosted on a landing page, or even printed and left next to the coffee machine in your office, QR templates work seamlessly with existing Lucy use-cases while also offering increased testing capabilities.

In order to use QR codes in your templates we've introduced a new template variable: %qr-code%. Insert this variable anywhere you would use a hyperlink, and Lucy will automatically generate the appropriate QR code complete with tracking hash. Use this QR-code in email messages, on landing pages, or print them and use them in the real world!

This variable is only available in version 4.14 or above.

QR codes work similar to barcodes; a collection of black and white pixels are arranged in a specific pattern that computers can read and translate into data. Often this data is a link to something like a restaurant menu or an event ticket, but QR codes might also contain more sensitive information like login details or payment information.

All QR codes have the following structure:

• Quiet Zone - an empty white border around the perimeter of the code. To ensure readability this area should be at least 4x as wide as the smallest cell in the code.
• Finder Patterns - Three squares located in the bottom-left, top-left, and top-right corners that identify the QR code's correct orientation. Thanks to these, QR codes can be read no matter what orientation they are scanned in.
• Alignment patterns - Smaller than finder patterns, these appear in QR codes to help the camera read the code even if it is partially obscured or distorted.
• Timing patterns - Alternating black and white cells that extend from two sides of the code, these patterns tell the scanner how large each data module within the code is to ensure accurate reading.
• Version - In QR codes version 7 and higher this area contains version information, which directly correlates to the code's capacity to store data.
• Format - This area contains details about the codes error-correction level and the pattern of the mask used in the code's generation. Error collection allows for the successful scanning of partial, obscured, or damaged codes.
• Data - Everything else that isn't part of the above modules is the actual data stored in the QR code.

To-do: document QR code creation that includes tracking hash data so stats can still be tracked