Let’s look at the increase in a new form of phishing that uses QR codes, known as Quishing. Here’s what enterprise security leaders need to know.

Quishing on the rise

Cybersecurity researchers recently discovered an extensive phishing campaign utilizing QR codes as bait.

QR code fraud, also known as ‘quishing,’ works much like any other form of phishing and uses QR codes masquerading as legitimate ones work much like any other form of phishing, with criminal hackers masquerading to take the user to a fraudulent website explicitly designed to get people to hand over sensitive information or download malware.

Whereas traditional attacks feature poisoned attachments or bogus links, quashing uses QR codes that direct victims to their fraudulent websites. They do this to avoid malware detection.

The attack vector is relatively new, even though QR codes have been popular since the advent of smartphones. However, the technology has become far more common in the past year or so, and you will often find QR codes as the default option for various activities.

It includes links to adverts, commercial tracking, augmented reality systems, and anything else requiring an individual to access a specific webpage or resource.

Because QR codes obscure the link’s destination– scan the barcode to reach the source – it creates prime opportunities for scammers.

Over the last several months, There has been a sustained amount of squishing activity.

The researchers have been tracking a particular QR code phishing campaign since they first discovered a series of suspicious emails with similar Word documents attached.

Soon they learned that each document contained Chinese text and a QR code. The Chinese Ministry of Finance message told recipients they were eligible for a new government-funded subsidy.

According to the document, users could receive this payment by scanning the QR code, which would link to an application form that asked them to submit their personal and financial information.

However, this is just one form of QR code attack. The researchers also discovered a campaign that appeared to come from a parcel delivery service, requesting payment via a QR code. Meanwhile, others have spotted similar attacks that also use the technology.

Why Quishing is so Successful

There are several reasons for this surge in QR code scams. In addition to their ability to mask the destination address, they also exploit vulnerabilities in how we access content.

QR codes force people to interact with the link via phone rather than navigating to the resource on a computer or tablet. As Schläpfer explains, phones generally have weaker (or non-existent) anti-malware protections, which makes it easier for cybercriminals to plant fraudulent baits.

Moreover, as the researchers investigated these attacks, they learned that scammers often distributed mobile malware designed to steal corporate login credentials as employees entered them into their phones. 

These attacks are not one-off campaigns. Likely, QR phishing is happening at a broader scale using various methods.

How to prevent Quishing attacks

As with any phishing attack, an educated user base is the best defense against quishing attacks. Enterprises should provide security awareness training that includes the following best practices:

  • Never scan a QR code from an unfamiliar source.
  • If you receive a QR code from a trusted source via email, confirm via a separate medium — e.g., text message, voice call, etc. — that the message is legitimate.
  • Stay alert for hallmarks of phishing campaigns, such as a sense of urgency and appeals to your emotions — e.g., sympathy, fear, etc.
  • Review the QR code’s URL preview before opening it to see if it appears legitimate. Ensure the website uses HTTPS rather than HTTP, doesn’t have apparent misspellings, and has a trusted domain. Don’t click on unfamiliar or shortened links.
  • Be extremely wary if a QR code takes you to a site that asks for personal information, login credentials, or payment.
  • Observe good password hygiene by frequently changing your email password and never using the same password for multiple accounts.

Read more:


Malcare WordPress Security