Security

What is Quishing? – QR Code Phishing Explained

Geraldine Strawbridge

-

Cybercriminals have always been quick to exploit the latest trends, and “QR code phishing” or “Quishing” as it’s often called, is one of their latest attack methods.

QR codes have been around for decades, but their use skyrocketed during the COVID-19 pandemic as businesses adopted them for contactless customer interactions. These square, pixelated barcodes can be read by your smartphone camera and are commonly used for setting up Multi-Factor Authentication (MFA), connecting to Wi-Fi, or simply accessing a website.

While QR codes serve plenty of legitimate purposes, they’re increasingly being weaponised by cybercriminals for phishing attacks. Just like traditional phishing, QR code phishing can appear in emails, text messages, or even printed materials. Essentially, anywhere cybercriminals can trick you into scanning a code. Using clever social engineering tactics, they can prompt you to scan the code without a second thought.

The tricky part? It’s nearly impossible to tell where a QR code will take you just by looking at it. Unlike a traditional phishing email, where you might hover over a link to check the destination, QR codes keep the URL hidden. This gives attackers the perfect cover to hide malicious URLs, leading to malware, fake login pages, or phishing sites designed to steal your sensitive information.

This trend has opened the door for attackers to use QR codes in ways that compromise data security on a whole new level.

How QR Code Phishing Attacks Work

Quishing attacks are a new twist on traditional phishing scams. Typically, phishing involves an email or text with a malicious link, that when clicked, leads to a fake website designed to steal sensitive information or install malware.

What sets Quishing apart is the use of QR codes instead of clickable links. Since security filters can’t easily scan QR codes, attackers embed them in emails to lure victims to fake websites. These sites often mimic trusted platforms like Microsoft Office 365, tricking users into giving away their credentials.

If those credentials belong to someone with high-level access, the impact on an organisation can be catastrophic. In fact, according to recent research, cybercriminals aren’t just targeting random employees, they’re zeroing in on the C-Suite.

Senior Executives are 42 times more likely to be hit with a Quishing attack than the average employee. If an attacker compromises an executive, they can move freely across the corporate network, infiltrating apps, systems, and databases.

Worse still, gaining control of an executive’s email account opens the door to Business Email Compromise (BEC) scams. These fraudulent emails can be used to trick employees or external partners into transferring money or sharing sensitive information. In short, the stakes for targeting the C-suite couldn’t be higher and neither could the potential damage.

Example of a Quishing Attack

Why is Quishing So Effective?

QR codes are everywhere, from restaurant menus to concert tickets, they’ve become such a familiar part of everyday life that most of us don’t think twice about scanning one. Cybercriminals know this and take advantage of our guard being down.

What makes QR phishing attacks even more effective is that many traditional email security tools struggle to detect them. QR codes appear as harmless images and don’t contain obvious URLs or suspicious text.

On top of that, people often scan these codes on their personal devices which are usually outside the protection of their company’s security systems. This gap allows attackers to bypass corporate defences, making it harder to prevent, detect or track potential breaches.

How to Prevent Quishing Attacks

  • Educate Your Team: Train employees on the dangers of Quishing attacks and the risks of scanning QR codes from unknown or suspicious emails. Awareness is the first line of defence.
  • Stick to Trusted Apps: Encourage staff to use reputable QR code scanning apps with built-in security features to help identify malicious links.
  • Double-check URLs: After scanning, inspect the URL carefully before clicking or sharing any sensitive information.
  • Enable Multi-Factor Authentication (MFA): Require MFA to access critical systems. Even if login details are compromised, MFA adds an extra layer of protection.
  • Regular Security Audits: Perform frequent checks to identify and address any vulnerabilities in your systems.
  • Scan for Weak Spots: Use vulnerability scanning tools to uncover gaps in your network that attackers could exploit.
  • Boost Email Defences: Deploy email security solutions to detect and block phishing emails containing malicious QR codes before they hit inboxes.
  • Make Reporting Easy: Set up clear, simple procedures for reporting suspicious emails and QR codes.

With the line between personal and professional devices becoming increasingly blurred, staying alert to threats like Quishing is more important than ever. Organisations should prioritise educating their staff about the risks and adapt their security strategies to protect against this evolving threat.

To find out how we can help protect your business and secure it from unauthorised attacks, get in touch today for further info.