QR codes are usually used in public settings, notably on flyers and restaurant menus, but they also appear in online communications such as emails. These black-and-white square patterns have seen a meteoric rise recently, going from a niche industrial tool to a widespread replacement for links in physical media.
As with any new medium for sharing information, hackers have been paying attention.
Phishing using QR codes has been dramatically increasing in recent months and has played a part in major attacks. The primary targets seem to be C-suite executives, with a recent study identifying that these executives receive 42 times more malicious QR codes.
As people are regularly expected to use QR codes in public settings, this technology has become commonplace, and users have thus become less vigilant about it. These bad habits are making their way into the workplace.
Quishing has become so widespread that it is estimated that 2% of all QR codes are malicious. This article will discuss the rise of quishing, its recent evolutions, and how you and your team can learn how to protect sensitive data.
What is Quishing?
Quishing is a form of phishing that uses QR codes to direct users to fraudulent websites to steal their credentials or install malware on their devices.
The main goal of quishing is credential theft through brand impersonation. However, this method is also used to install malware, as many people are under the impression that smartphones are safe from hackers, often unaware that mobile security software exists.
Recent Quishing Incidents
Several recent incidents highlight the increasing prevalence and sophistication of quishing attacks:
- A major US energy company has been the target of a QR code phishing attack aimed at stealing C-suite credentials.
- In recent months, a widespread quishing campaign targeting several companies has been underway. These hackers spoof official security emails from Microsoft, Salesforce and Cloudflare to deceive users.
- The city of Austin has warned citizens about a scam involving fraudulent QR codes to pay for parking. Over 100 parking meters were targeted in this attack, and several other cities have reported similar scams.
- The crypto industry is also facing widespread QR code scams, with flyers being printed to link to fake crypto wallets.
- A Calgary family also lost $10K to a scam involving a QR code to pay for a stroller bought over Facebook Marketplace.
These attacks have been launched against major businesses using QR codes to sidestep established email security software that isn’t yet equipped to spot these types of links.
When launched against individuals, hackers rely on users who have received little or no training on quishing, resulting in increased success of these attacks.
Why Quishing is Effective
QR code phishing is broken down into two main categories:
- Email QR codes: These codes are added to emails by hackers hoping that people won’t think twice about seeing a QR code in an email where a link would’ve sufficed. These codes are often easier to slip past email security software programmed to analyze traditional links.
- Physical QR codes: Since COVID, QR codes have become ubiquitous in brick-and-mortar businesses. This widespread use presents numerous opportunities for hackers. They can replace legitimate flyers and posters with malicious versions or alter existing QR codes to suit their needs, potentially infecting users' phones.
Hackers have been relying on QR codes as an attack vector because they are often used in situations where users are less vigilant and might forget to perform phishing checks. Adding a QR code to an email is also an excellent way to throw off users who are used to typical phishing emails.
How to Prevent QR Code Phishing
To combat the threat of quishing, individuals and organizations must adopt proactive measures:
- Educate and Train: Regular cybersecurity awareness training is essential. Educate employees and users about the risks of scanning QR codes and the importance of verifying their authenticity.
- Implement QR Code Verification: Use tools and applications that can verify the safety of QR codes before they are scanned. These tools can alert users if a QR code redirects to a suspicious or known malicious site.
- Secure Distribution: For organizations distributing QR codes, ensure they are placed in secure, tamper-proof locations. Use unique identifiers or digital signatures to authenticate your QR codes.
- Regular Monitoring: Continuously monitor for fraudulent QR codes, especially in areas where your codes are publicly accessible. Quickly remove and replace any tampered codes to minimize the risk of successful attacks.
- Use mobile security software: As smartphones have become ubiquitous, hackers have become very aware of their weak security. Security software is mandatory for any business smartphone.
- Deploy advanced email security: As this attack vector becomes more popular, ensure your existing email security software can scan QR codes.
- Device policies: In some cases, the best solution is restricting user access via strict device policies. If your organization does not need QR codes, write a policy stating that they should never be scanned using company devices.
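As an added example (not code from this article or from any product it mentions), the following Python sketches the two measures above that can be expressed in code: an organization authenticating its own QR codes by appending an HMAC tag to the encoded URL (the "digital signatures" point), and a scanner-side check that inspects a decoded payload for risk indicators before a device opens it (the "QR code verification" point). ORG_DOMAIN, the shortener list, the sig parameter name and the sample payloads are assumptions constructed for the example.

```python
"""Authenticated QR payloads and a pre-open check for decoded QR content.

Added illustration, not the article's own tooling. Assumptions: the organization
owns ORG_DOMAIN, prints only URLs it has tagged with sign_qr_url(), and the
scanner app calls assess_payload() on every decoded code before acting on it.
"""
import difflib
import hashlib
import hmac
import ipaddress
from typing import Optional
from urllib.parse import urlparse

ORG_DOMAIN = "example.org"                                  # assumed organization domain
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}  # constructed sample list


def sign_qr_url(base_url: str, key: bytes) -> str:
    """Append an HMAC-SHA256 tag to a URL; the result is what gets encoded in the QR code."""
    tag = hmac.new(key, base_url.encode(), hashlib.sha256).hexdigest()
    sep = "&" if "?" in base_url else "?"
    return f"{base_url}{sep}sig={tag}"


def verify_qr_url(payload: str, key: bytes) -> bool:
    """True only if the payload ends in a tag that matches everything before it."""
    for sep in ("&sig=", "?sig="):
        if sep in payload:
            base, tag = payload.rsplit(sep, 1)
            expected = hmac.new(key, base.encode(), hashlib.sha256).hexdigest()
            return hmac.compare_digest(tag, expected)  # constant-time comparison
    return False  # no tag at all: not one of ours, or a replaced code


def assess_payload(payload: str, key: Optional[bytes] = None) -> dict:
    """Classify a decoded QR payload before the device acts on it.

    verdict is "trusted" (valid organization tag), "review" (show the full
    destination to the user and ask), or "block" (risk indicators found).
    """
    parsed = urlparse(payload.strip())
    if parsed.scheme not in ("http", "https"):
        # Wi-Fi configs, vCards, app deep links etc. are never opened automatically.
        return {"verdict": "review", "reasons": [f"non-web scheme: {parsed.scheme or 'none'}"]}

    reasons = []
    host = (parsed.hostname or "").lower()
    is_org = host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)

    if parsed.scheme == "http":
        reasons.append("plain http, destination not authenticated by TLS")
    if parsed.username or parsed.password:
        reasons.append("credentials embedded before the host")
    if host in SHORTENERS:
        reasons.append("link shortener hides the real destination")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # a normal hostname
    if not is_org:
        # Cheap lookalike heuristic: our label inside a foreign host, or a near-match string.
        org_label = ORG_DOMAIN.split(".")[0]
        similar = difflib.SequenceMatcher(None, host, ORG_DOMAIN).ratio() >= 0.8
        if org_label in host or similar:
            reasons.append(f"host resembles {ORG_DOMAIN} but is not under it")
    elif key is not None:
        if not verify_qr_url(payload, key):
            reasons.append("organization domain without a valid tag: possibly a replaced code")
        elif not reasons:
            return {"verdict": "trusted", "reasons": ["valid organization tag"]}

    return {"verdict": "block" if reasons else "review", "reasons": reasons}


if __name__ == "__main__":
    KEY = b"constructed-demo-key-not-for-production"
    genuine = sign_qr_url(f"https://{ORG_DOMAIN}/menu?table=12", KEY)
    for sample in (genuine,                                   # our own printed code
                   f"https://{ORG_DOMAIN}/menu?table=12",     # same URL, tag stripped
                   "http://bit.ly/3xyz",                      # shortener over plain http
                   "https://example.org.evil-login.com/sso",  # lookalike host
                   "https://partner-site.net/info",           # unknown but unremarkable
                   "WIFI:T:WPA;S:Cafe;P:pass;;"):             # non-URL payload
        print(sample, "->", assess_payload(sample, KEY))
```

The tag is a symmetric HMAC, so every scanner that verifies it needs the same key; for codes verified by third-party apps an asymmetric signature (for example Ed25519 with the public key shipped in the app) avoids sharing a secret. The lookalike check is deliberately simple and will miss homoglyph domains; it is meant to decide what to show the user, not to replace URL reputation lookups.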
Looking Forward: Staying Ahead of Quishing Threats
QR codes are very convenient in many situations, so businesses are bound to keep using them and innovate methods to make them safer. Asia, in particular, has been using QR codes for payments for years without significant issues.
QR codes are no less secure than a typical link to direct users to content; the issue lies more in the lack of knowledge of this technology. QR codes will become safer as businesses and users become more aware and educate themselves on the risks.
Ready to integrate QR code training into your cybersecurity awareness campaign? Check out our preview videos on the subject here.