QR Code Phishing (Quishing) on the Rise: How to Stay Protected

QR codes are ubiquitous nowadays, directing users to URLs with a simple tap. However, just like every coin has two sides, these Quick Response codes are also being exploited for nefarious purposes. In fact, a U.S.-based energy firm encountered nearly 29% of more than 1,000 malicious emails containing QR codes in May 2023. Adversaries are increasingly using QR codes in their phishing strategies to:

1. Acquire credentials and personal details
2. Trick victims into paying off hackers
3. Install malware
4. Gain remote access to devices

In this blog post, we’ll delve into quishing, how it works, and ways to protect yourself against this emerging threat.

What Is Quishing?

Quishing is a relatively new term in the cybersecurity dictionary. It’s a blend of QR and phishing, indicating phishing attacks that exploit QR codes. QR codes are two-dimensional barcodes that store information and are often scanned using smartphones to quickly access data or websites. Initially invented to track automotive parts, QR codes have now become a common sight in our daily lives.

How Quishing Works

Quishing operates similarly to traditional phishing, but with a twist. Here’s how it unfolds:

• Widespread Use: Amid the pandemic, service providers embraced QR codes to maintain business continuity while adhering to social distancing guidelines. Users have become accustomed to scanning QR codes.
• Lack of Awareness: Quishing isn’t widely discussed in cybersecurity training sessions or articles, making it an attractive option for bad actors.
• Targets: Common targets include businesses and infrastructures holding financial and personal details. Even individual users aren’t safe; hackers victimize users on platforms like Amazon, LinkedIn, and Wells Fargo.

Why QR Codes Are Vulnerable

• Sophisticated Phishing Emails: Adversaries send phishing emails from impersonated senders (often trusted sources like relatives, friends, colleagues, banks, or reputed businesses). These emails request recipients to scan QR codes and take quick actions.
• Creating QR Codes: Hackers create QR codes, which are easy and quick to generate. Unlike reused links, QR codes are harder for secure email gateways to catch and blocklist.
• Victim Interaction: Users scan the QR codes, expecting harmless redirection. However, these code images lead them to websites containing malware or designed to harvest credentials.

Protecting Yourself Against Quishing

• Be Cautious: Always verify the source before scanning any QR code. If it’s unexpected or seems suspicious, think twice.
• Educate Employees: Organizations should train employees about the risks of QR code scanning and encourage them to double-check with IT before taking action.
• Report Suspicious Activity: If you encounter a suspicious QR code or phishing attempt, report it promptly.
• Stay Informed: Keep up with cybersecurity news and stay aware of emerging threats.
• The best way to protect yourself from quishing attacks is by using a password manager, according to Keeper Security. "With a password manager, your login credentials are protected by different levels of encryption," Keeper states.

Stay vigilant. While QR codes offer convenience, they can also serve as gateways for cybercriminals. Keep yourself informed and exercise caution to protect against quishing attacks.

Contact us if you're interested in password management or cybersecurity awareness training for your organization.