One of Europe's largest operators of energy networks and energy infrastructure, the E.ON Group provides innovative solutions for approximately 47 million customers. They are decisively driving forward the energy transition in Europe and are committed to sustainability, climate protection, and the future of our planet.
Make security awareness so engaging to 80,000 global employees that it drives measurable and lasting behavior and culture change, all while satisfying government and German Workers Council requirements.
In addition to achieving unicorn-level security awareness and phishing training results for a large enterprise, E.ON launched a QR phishing campaign using physical stickers that drew a fantastic response from employees globally.
Key takeaways
"We at E.ON want to keep our employees safe from the latest threats. We greatly appreciated the way Hoxhunt worked with us to create a bespoke campaign that would take our security awareness and culture to the next level." -- E.ON Security Awareness Manager
QR codes are useful and ubiquitous tools for accessing information today, from restaurant menus to gym workout plans. E.ON worked with Hoxhunt to create a fun learning experience using QR codes that would expand security awareness from the digital classroom to the physical work environment.
E.ON takes security awareness and culture seriously. Their results with Hoxhunt have been stellar. Every relevant metric has improved by orders of magnitude, from soaring training engagement and phishing simulation reporting rates to shrinking failure rates.
Still, they understand that some people can be best reached in outside-the-box ways. So E.ON sought to extend their security culture by reaching employees in new and creative ways. The E.ON security team worked with Hoxhunt and Marine Pastor to create a campaign that reminded people to take the vigilance learned in training with them wherever they go.
"We want to make sure there's no confusion: We're not telling you to avoid QR codes altogether. It's like being cautious with emails. Our advice is simple: think before you click or scan. Stay alert, and don't trust websites blindly." -- message from the security team to E.ON employees on the DON'T SCAN! campaign
In addition to QR phishing simulations delivered via Hoxhunt training, QR codes were printed out with the text, “DON’T SCAN” above them. The stickers were distributed across workspaces in 8 countries. If workers scanned them, they were shown a landing page that gently reminded them of the dangers of malicious QR codes in both the physical and digital realms.
In an internal survey, E.ON found that 70% of respondents said they had seen the QR code at their worksite but did not scan it.
"We published an article about the Don't Scan QR code campaign on our intranet and 20% of employees saw the article where we revealed the campaign. To reach 20% with that content was a huge success for us. It was probably one of the most-seen articles within our intranet." -- E.ON Security Awareness Manager
The results showed that many people noticed the codes but did not interact with them, while many others had interacted with a QR code even when it said “DON’T SCAN.” But the point wasn’t to catch and punish people. It was to educate them:
"The only goal of this campaign was to raise awareness about this specific topic and we are happy about everyone who scanned, and even those who didn't but saw the QR codes :)" -- message from the security team to E.ON employees on the DON'T SCAN! campaign
Their follow-up survey revealed an overwhelmingly positive response to the awareness campaign. All in all, the E.ON DON’T SCAN! awareness campaign helped drive home the importance of cyber vigilance in an innovative and clever way that few enterprises have tried, but all would do well to try.
"The DON’T SCAN campaign provoked heightened awareness in our employees and excellent discussion within the security team. Many were unaware that malicious QR codes existed. But learning about QR phishing attacks in a supportive and non-judgmental way helped open their eyes to the broader problem of social engineering." -- E.ON Security Awareness Manager
E.ON made sure to work with Hoxhunt to create an interactive awareness campaign with messaging that extended the positive psychology of the training experience into the physical world. If people scanned the DON’T SCAN stickers, they weren’t shamed and punished; they were coached towards safety and success, with language like this:
“Curiosity is a powerful human quality that malicious actors use to increase the efficiency of scams and phishing campaigns. Fortunately, we are not malicious actors and we do not want your password or payment information. Our goal is to ensure your safety and that of your employer from scams. We are here to help you stay safe online!” -- message from the security team to E.ON employees on the DON'T SCAN! campaign
Some called 2023 the year of the QR Phish. By conservative estimates, Hoxhunt saw at least a 22X surge in QR phishing campaigns between January and October 2023; they were negligible in years past. Check out the 600,000-user QR Phishing benchmark study that Hoxhunt performed in the fall of 2023.
It showed that while QR codes were good at bypassing email filters, they were less effective than traditional malicious links at tricking people into interacting with them.