Cybercriminals always seem to find new ways to steal data or make financial gains, but now they’re using images to try executing a new form of phishing — quishing. Just when you thought not clicking on links and checking response email addresses was a good start in becoming cyber-safe, now you need to be wary of QR codes, too.
QR codes (or Quick Response codes) are square barcode-like images that serve many legitimate purposes — allowing quick access to internet-based resources such as websites, products, event information and payment facilities. While QR codes have existed for over two decades, the use of QR codes has increased as more consumers began owning and using smart devices. This was especially evident during the pandemic when QR codes were used as a form of contact tracing.
Despite its funny-sounding name, the intent is still malicious. QR code phishing attacks (“quishing”) use physical or digital QR codes to lure users to fake websites designed to steal sensitive information or to infiltrate a device and infect it with malware.
This is just one of the many types of phishing attacks, a type of scam where attackers attempt to get users to reveal personal information — such as login details or credit card numbers. In fact, a phishing attack takes place every 39 seconds, and an estimated 3,809,488 records are stolen daily due to phishing-related breaches.
Like other forms of phishing, quishing relies on trust — trust in the QR code and the organization attached to it. A phishing scam also typically relies on creating a sense of urgency (e.g. this limited discount offer ends today!) or on a ‘consequence’ of not acting (e.g. your account will be locked in 24 hours).
Different forms of quishing
QR codes are available in physical and digital formats, so being exposed to quishing attacks can happen wherever there is a QR code. This is why it’s critical to be cautious and mindful when scanning QR codes to ensure the source is trusted.
There have been some interesting cases being reported in Singapore. In one, a woman visited a bubble tea shop and saw a QR code sticker on the business’ glass door, encouraging customers to complete an online survey to receive a free cup of milk tea.
When the woman scanned the QR code, it downloaded a third-party app onto her Android phone to complete the “survey.” The scammers used their ‘app’ to take over the user’s device and stole $20,000 from her bank account later that evening as she slept.
A similar scenario can take place with a digital QR code whereby the user receives an email from a retailer that contains a QR code to sign up for a new loyalty program or receive a promotional offer. When the user scans the code on their computer screen with their smart device, they are prompted to enter their personal details, including name, address, username and password.
Identifying quishing scams
It is easy to be tricked by quishing attacks, which is why we’re seeing this method of attack continue to grow. With text-based phishing attacks, it is ‘easier’ to verify a link is legitimate before you click it, but it is naturally more difficult to do so with physical QR codes.
The Australian Signals Directorate highlights three key challenges in trying to identify a quishing scam:
- The limited ability of some email security tools to detect and block malicious links embedded in images.
- Hiding the link in an image limits your ability to check its legitimacy prior to scanning the QR code.
- For business environments, users receiving quishing emails sent to their work email address may scan a malicious QR code using personal devices, which may not be subject to the organization’s cyber security controls and monitoring environments, making it difficult to prevent, detect and track potential compromises.
Nefarious QR codes stemming from quishing attacks are hard to spot. Here are a few recommendations to help protect yourself:
Verify the source is legitimate
QR codes are everywhere, so if you see one in an unexpected place, inspect the URL before opening it, especially if the source is unknown. If scanning the QR code displays a link, make sure you recognize the URL, and even if you do, look for misspellings or a switched letter, just in case.
If you think that the message looks legitimate, you can also verify the sender by contacting them through a phone number or website that is confirmed to be authentic. Placing a new fraudulent QR code sticker over a legitimate one is very easy. Be cautious if you come across physical QR codes that are sticker-based, unbranded, or placed in unusual locations.
Likewise, QR codes delivered by email should always be treated with extreme caution. If you are ever in doubt but still wish to find out more, contact the organization directly to verify the request/offer associated with the QR code. However, until you verify the source, the simplest thing you can do is not scan QR codes.
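The checks above (recognize the domain, look for a switched letter, distrust links that hide their destination) can be applied to the text your scanner decodes before you open it. The following is an added example, not code from the article; the trusted-domain allowlist, the shortener list and the sample URLs are constructed for illustration.

```python
# Added example (not from the article): triage the URL decoded from a QR code
# before opening it. Flags a switched letter (small edit distance to a trusted
# domain), a trusted brand buried inside a longer hostname, URL shorteners that
# hide the real destination, punycode/IDN hosts and plain-http links.
from urllib.parse import urlparse

# Constructed allowlist: the organisations whose QR codes you expect to see.
TRUSTED_DOMAINS = {"example-bank.com", "example-retailer.com"}
# Public shorteners: the QR code itself reveals nothing about the final site.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification: ignores multi-part TLDs)."""
    return ".".join(host.split(".")[-2:])


def assess_qr_url(url: str) -> dict:
    """Return a verdict ('trusted', 'suspicious' or 'unknown') plus reasons."""
    parts = urlparse(url.strip())
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    reasons = []
    if domain in TRUSTED_DOMAINS and parts.scheme == "https":
        return {"verdict": "trusted", "host": host, "reasons": []}
    if parts.scheme != "https":
        reasons.append("not https")
    if domain in SHORTENERS:
        reasons.append("link shortener hides the real destination")
    if "xn--" in host:
        reasons.append("internationalised (punycode) hostname, possible homoglyphs")
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and levenshtein(domain, trusted) <= 2:
            reasons.append(f"lookalike of {trusted}")
        if trusted in host and domain != trusted:
            reasons.append(f"{trusted} used as a subdomain of {domain}")
    verdict = "suspicious" if reasons else "unknown"
    return {"verdict": verdict, "host": host, "reasons": reasons}
```

An "unknown" verdict is not a clearance: it only means the domain is neither on your allowlist nor an obvious imitation of it, so the article's advice to confirm with the organization directly still applies.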
Think before sharing personal information or making payments
As phishing attacks become harder to identify and use new tactics, such as QR codes, it’s crucial to stay vigilant. Be cautious of websites requesting personal, login, or financial data. Also, avoid suspicious methods of payment, such as PayPal, Venmo or e-Transfer, and avoid debit cards, which are not protected. Opt for a credit card with consumer protection for any purchases. Never disclose banking information or wire funds as a result of a QR code interaction.
Enable strong, phishing-resistant MFA across your accounts
Implementing multi-factor authentication (MFA) offers stronger security than relying on legacy systems like usernames and passwords. However, not all MFA methods provide the same level of protection. Enabling MFA wherever possible will help bolster defenses against phishing attempts.
Look for MFA solutions resistant to phishing, such as device-bound passkeys, including hardware security keys. Security keys stop phishing attacks by requiring something you know (a password) and something you have (a security key) that you must insert into the device and physically touch to gain access to your accounts. Because the key’s cryptographic response is bound to the genuine website’s origin, it will not authenticate to a lookalike site reached through a malicious QR code.
Final thoughts
Communicating or engaging with technology has become fraught with potentially dangerous situations threatening our digital identities, but it doesn’t have to feel that way. Remember that if you receive an unexpected email or text with a QR code, don’t scan it, especially if it urges you to act immediately. With the right knowledge or awareness of scams and armed with phishing-resistant MFA tools, navigating the web-based world can become a bit less stressful.
This article was written by Geoff Schomburgk from e27 and was legally licensed through the DiveMarketplace by Industry Dive. Please direct all licensing questions to legal@industrydive.com.