The New Phishing? It's Quishing.

QR Code Phishing Attacks

“Always think twice before scanning QR codes.”

What is quishing? 

Using QR codes to fool an individual or a group by presenting something as innocuous or essential when, in reality, the true intent is anything but – is quishing. The objective is to gain access to your information, hack your bank account by stealing credentials, and potentially much more. 

QR codes are virtually everywhere these days. They’re seen in restaurants, retail stores, airports, mobile payment systems, supply chains and more – serving as a convenient way to swiftly access information.  

And with anything convenient, we all tend to be less guarded. This has created a near-perfect environment for cybercriminals to do their thing – exploit unsuspecting users so they can access their private information or install malware on their device.  

How do QR codes work?

QR codes operate by encoding information in a concise, square arrangement of black and white squares. A QR scanner or smartphone camera reads these patterns, interpreting the distinctive configuration of squares and converting it into digital information, ranging from text to website URLs or other data formats. The popularity of QR codes stems from their capacity to store significant data within a compact space and their ease of scanning, rendering them a versatile tool for rapid data retrieval and effortless user interaction.


How Quishing Works Graphic. Source: Google Images.

Why quishing is a problem. 

The widespread use and convenience of QR codes has led to a level of trust in them. After all, how harmful can a simple QR code be? Turns out, it’s quite significant. Cybercriminals exploit the assumption that most consumers perceive QR codes as harmless and mobile phones have become a prime target. First, most people inherently trust QR codes because they’re ubiquitous. Second, most desktop operating systems have phishing protection providing a layer of defense that mobile phones often lack.  

Sample QR code phishing attack in email. Source: Google Images.

How to protect yourself: 

• Be cautious if you receive QR codes in emails, text messages, or through social media from unknown senders. If the sender or message seems unfamiliar, don’t scan the code. 

• When receiving a QR code from a familiar and trustworthy company, contact them directly to validate its authenticity before scanning

• Stay alert to QR codes that create a sense of urgency, play on emotions, or exhibit poor grammar as potential signs of phishing attempts.

• Prior to scanning, verify that the URL aligns with the website you anticipate visiting to avoid potential security risks

• Avoid providing sensitive details, such as login credentials or credit card numbers, to websites accessed through QR codes.

Fun facts about QR codes

• In 1994, Denso Wave, a Japanese corporation and a subsidiary of Toyota Motor Corporation, developed QR Codes to monitor automobile parts during assembly.
  
  
• According to the threat intelligence vendor, there was a 51% increase in incidents in September compared to the entire period from January to August 2023.
  
  
• ReliaQuest also observed a rising interest in this tactic on cybercrime forums, where members shared QR code generator links, articles on quishing techniques, and tips like using Telegram to send QR codes and direct victims to crypto phishing sites.
  
  
• The report highlighted that quishing exploits "user ignorance and the lack of enterprise protection on personal devices frequently used for code scanning," predicting that this trend will continue to grow.

Do you need to protect your business against quishing attacks? We can help. Call 708-593-3516 or email us info@scsprotect.com.

SOURCES

(1) CBS News
(2) Cyber Security News
(3) ZDNET
(4) AZTech IT
(5) Purdue University
(6) Wikipedia