WatchGuard Blog

The risk behind QR codes, how to protect your business against quishing attacks

Cybercriminals are increasingly using QR codes in their phishing campaigns to trick users and obtain their email account information, credentials, or sensitive data. This tactic, known as quishing or QR code phishing, was first observed at scale in May of this year, when a group of cybercriminals spoofed Microsoft security alerts asking employees across multiple industries to scan a QR code to update their account security settings. Once users scanned the QR code, a redirect link took them to a fake web page that asked for their credentials to sign in to their Microsoft account.

Cybercriminals have continued to exploit this new technique ever since this widespread attack. In fact, a recent report found that 22% of phishing campaigns detected in the first weeks of October deployed this strategy. 

How does quishing work?

When carrying out a quishing attack, cybercriminals start by creating a fake QR code that leads to a fraudulent website impersonating the login page of a corporate account. This website can be used to download malware onto the victim's device or request sensitive data such as their credentials or other information like credit card numbers or banking details. In a quishing attack, the malicious QR code can be distributed in different ways:

  • Email 
  • Information announcements
  • Restaurant menus
  • Personal mobility services

Companies are more likely to fall victim to a quishing attack via their corporate email. This is because cybercriminals, in addition to hiding threats in QR codes, also abuse trusted domains, using obfuscation tactics and concealing URLs within QR codes embedded in PNG or PDF attachments. These techniques help emails reach inboxes undetected by security filters.
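The gap described above can be narrowed at the mail gateway by routing messages that carry an image or PDF, but no scorable link in the body, to QR decoding. The following is an added example, not code from the original post or from any WatchGuard product; the lure wording, the carrier types, the function names and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
LURE_RE = re.compile(r"\b(scan|qr[ -]?code)\b", re.I)   # assumed lure wording
QR_CARRIERS = {"image/png", "image/jpeg", "image/gif", "application/pdf"}

def triage(raw: bytes) -> dict:
    """Decide whether a message must go to QR decoding before delivery."""
    msg = message_from_bytes(raw, policy=policy.default)
    text_urls, carriers, lure = [], [], False
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html") and not part.is_attachment():
            body = part.get_content()
            text_urls += URL_RE.findall(body)
            lure = lure or bool(LURE_RE.search(body))
        elif ctype in QR_CARRIERS:
            # Inline images and real attachments can both carry a QR code.
            carriers.append(part.get_filename() or ctype)
    # An image/PDF plus lure wording, or plus a body with no link at all,
    # is the case a filter that only scores text URLs never evaluates.
    needs = bool(carriers) and (lure or not text_urls)
    return {"text_urls": text_urls, "carriers": carriers,
            "lure_wording": lure, "needs_qr_decode": needs}

def build_message(body: str, filename: str) -> bytes:
    """Constructed sample: a text body with one fake PNG attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "user@example.test"
    m["Subject"] = "Constructed sample"
    m.set_content(body)
    m.add_attachment(b"\x89PNG\r\n\x1a\n" + bytes(16), maintype="image",
                     subtype="png", filename=filename)
    return m.as_bytes()

QUISH = build_message(
    "Scan the attached QR code to update your account security settings.",
    "update.png")
NEWSLETTER = build_message(
    "Read this month's news at https://intranet.example.test/news today",
    "logo.png")

if __name__ == "__main__":
    for name, raw in (("quish", QUISH), ("newsletter", NEWSLETTER)):
        print(name, triage(raw))
```

Messages flagged with needs_qr_decode still need an image or PDF QR decoder downstream; the URL it extracts can then be scored like any other link.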

How to avoid becoming a victim of quishing?

As with any type of phishing, it is critical to protect your business against quishing attacks, so staff need to be instructed on how to identify and avoid these attacks. It is crucial to establish good practices such as: 

  • Checking the legitimacy of the sender: Whenever you receive a QR code by email from a source that looks authentic, confirm the legitimacy of the message via another means, such as a text message or a phone call.
  • Watching for the warning signs of a phishing attack: These attacks often use social engineering techniques to deceive people, so be vigilant for telltale signs such as a sense of urgency or appeals to the emotions.
  • Looking at the URL of the QR code before opening it: Sometimes it is possible to preview the URL encoded in the QR code and work out whether it looks suspicious. Even then, be wary of any URL that leads to a site that asks for personal data, login credentials, or payment.
  • Maintaining good password hygiene: Change email passwords frequently and avoid reusing the same password for more than one account.

In addition to staff training, you should implement layered security controls that detect and block these attacks or other types of phishing attacks:

  • Email protection: This solution serves as the first line of defense against phishing attacks by detecting suspicious emails and deleting them.
  • Endpoint security: If an employee were to scan a malicious QR code, an endpoint protection solution would be able to detect both fake websites and malicious URLs as well as suspicious processes or unusual behavior, which would prevent the attack from proceeding.

New attack techniques like this one highlight the importance of having a layered defense system that can detect and stop advanced threats at any level. 
