Most of us know by now that we should not follow links sent from suspicious phone numbers or email accounts. And if we do click on a malicious link, whether by accident or not, it has become common knowledge that we should stay vigilant and never provide personal or financial information unless we are 100% sure how it is going to be used. Phishing and smishing have been around for years and we have learned how to deal with them. Unfortunately, as the world of cybersecurity evolves, cybercriminals keep finding new ways of targeting victims. First came QR code scams, which we explored in another article back in 2022. In 2023, however, we have seen a rise in quishing campaigns.
So what is a QR code?
Almost everyone with a smartphone has encountered a QR code in recent years. The two-dimensional black and white squares, consisting of pixels set in an intricately designed grid, can be found on restaurant tables, event and transport tickets, in museums and galleries, in advertising and in many other places. QR (Quick Response) codes are typically used to lead the user to a website storing information such as café menus, details on exhibits or personal data. They were widely used during the COVID-19 pandemic, when healthcare organizations provided patients with codes containing their most up-to-date vaccination status, which was required for travelling, entering venues and accessing a variety of services. They are also used as a form of contactless payment, and as a way for companies and vendors to request personal information, like phone numbers and email addresses, from customers in order to subscribe them to newsletters. Unfortunately, bad actors have discovered a way to use them to steal data in a variety of email-based quishing campaigns, a close relative of phishing but without the long-winded links.
What is quishing?
Quishing is a portmanteau of the words “QR code” and “phishing”. It works almost exactly the same as our old friend email phishing, with the only difference being that instead of suspicious-looking links that the victim is required to follow, malicious emails now feature an embedded image of a QR code. Once the code is scanned, the person is led to a website imitating a legitimate one and is normally required to input personal and financial details, which cybercriminals are then able to access and either use themselves or sell on hacking forums and websites for profit. Alternatively, the code can lead to a virus or malware download, which begins automatically as soon as the code is scanned.
Same as phishing, emails containing malicious QR codes will pretend to be from official entities such as utility and delivery companies or shopping websites. Because the destination URL is encoded in the pixels of an ordinary-looking image rather than written in the message text, security filters that only inspect the links in an email body do not see it, and scammers take advantage of this to get their emails past those filters. This way the email is less likely to end up in a spam folder and has a higher chance of fulfilling its purpose.
Why should I care?
There has been a spike in quishing attacks in recent months. According to a malware analyst at HP, the use of QR codes instead of URL links “is a way to force a user to move from a desktop or laptop to a mobile device, which might have weaker anti-phishing protections” (source). There is some anecdotal evidence that there has been a rise in quishing, and QR code scams in general, since the COVID-19 pandemic when numerous businesses started using QR codes to encourage contactless transactions.
As with phishing, quishing might be hard to spot as cybercriminals are constantly upgrading their skills and keeping track of the latest developments in cybersecurity. By pretending to be legitimate organisations or by making emails sound like internal company communications, hackers are able to craft phishing lures that target entire organisations for days before anyone notices.
In one of the recent attacks, an unknown bad actor sent an email to an agricultural company with over 16,000 employees, claiming to contain employee payroll information from the organization’s human resources department. The email included a QR code which, once scanned, opened a fake SharePoint login screen designed to steal credentials.
Another large-scale quishing campaign targeted a major unnamed energy company in the US, which received over 1000 emails with malicious QR codes. Created specifically to steal Microsoft credentials, the emails prompted victims to scan the attached QR code in order to “mitigate theft and help protect [their] account” (source). The hackers created a sense of urgency by adding phrases like “you are mandated” and giving a deadline of 72 hours to do what the email asks.
As quishing emails containing QR codes are harder for email security filters to spot, the security of companies and individuals relies on the recipients’ awareness in the moment. A single employee falling victim to a QR code scam can cause major damage to a company.
How can I protect myself?
1. Be aware – it sounds like common sense, but staying vigilant and critically assessing any email that asks the recipient to scan a QR code is the number one piece of advice.
2. It’s all in the details – who is the sender? What is their email address? Sometimes the sender will claim to be a specific individual or an internal company department, while their email address will contain a random string of letters and numbers or an incorrect domain.
3. Grammar – we don’t need language degrees to spot basic spelling errors and a lack (or overuse) of punctuation. We all make mistakes; however, official communications tend to be more polished and a certain level of grammar should be expected.
4. A sense of urgency – oftentimes hackers will create a sense of urgency so that their victim acts before thinking it through. If unsure, get in touch with someone within the company to double check the legitimacy of suspicious communication.
5. Be cautious of the information you provide – if it feels like you are being asked for too much information, you probably are.
6. Keep your devices up to date – this ensures that the latest security fixes are installed and your device is less likely to let harmful messages through.
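The points above (sender name versus address domain, urgency phrases, deadlines, requests for account details) and the earlier observation that a QR lure carries no visible URL for a link scanner can all be turned into a simple mail-screening heuristic. The following is an added example written for this article, not code from the original page: it parses a message with Python's standard `email` library, flags the "image present, request to scan, no URL in the text" pattern, and scores the other lure traits. The internal domain `example.com`, the `.invalid` sender address, the phrase lists and the two sample messages are constructed for illustration, and the "QR code" image is placeholder bytes, not a real code.

```python
"""Heuristic scorer for QR-code (quishing) email lures.

Added example; not code from the original article. The organisation domain,
phrase lists and sample messages are constructed for illustration.
"""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

INTERNAL_DOMAIN = "example.com"  # assumed organisation domain (placeholder)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Display names a lure typically borrows from an internal department.
INTERNAL_ROLE_RE = re.compile(r"\b(hr|human resources|payroll|it|security|support)\b", re.IGNORECASE)
URGENCY_PHRASES = ("you are mandated", "within 72 hours", "immediately",
                   "mitigate theft", "account will be suspended")
DEADLINE_RE = re.compile(r"\b\d+\s*hours?\b", re.IGNORECASE)
CREDENTIAL_PHRASES = ("verify your account", "login", "password", "sign in")


def extract_parts(msg):
    """Return (joined text of text/plain and text/html parts, labels of image parts)."""
    text, images = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            text.append(part.get_content())
        elif ctype.startswith("image/"):
            images.append(part.get_filename() or part.get("Content-ID") or "inline image")
    return "\n".join(text), images


def score_message(raw: bytes, internal_domain: str = INTERNAL_DOMAIN) -> dict:
    """Score one raw RFC 822 message; higher means more lure-like."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, score = [], 0

    # Sender: display name claims an internal department, address domain is external.
    name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    if domain and domain != internal_domain.lower() and INTERNAL_ROLE_RE.search(name):
        findings.append(f"display name '{name}' claims an internal role but domain is {domain}")
        score += 3

    text, images = extract_parts(msg)
    lowered = text.lower()

    # QR-only lure: an image is present, the text asks to scan it, and a text-based
    # link scanner would find no URL at all.
    if images and "scan" in lowered and not URL_RE.search(text):
        findings.append(f"no URL in text but {len(images)} image(s) and a request to scan")
        score += 4

    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            findings.append(f"urgency phrase: '{phrase}'")
            score += 2
    if DEADLINE_RE.search(text):
        findings.append("explicit deadline in hours")
        score += 1
    if any(p in lowered for p in CREDENTIAL_PHRASES):
        findings.append("asks for account credentials or verification")
        score += 1

    verdict = "suspicious" if score >= 5 else "likely benign"
    return {"score": score, "verdict": verdict, "findings": findings, "images": images}


def build_quishing_sample() -> bytes:
    """Constructed lure modelled on the payroll example above (placeholder image, not a real QR)."""
    msg = EmailMessage()
    msg["From"] = "Human Resources <hr-payroll@notices-mail.invalid>"
    msg["To"] = "employee@example.com"
    msg["Subject"] = "Updated payroll information"
    msg.set_content("Your updated payroll information is ready.\n"
                    "You are mandated to scan the QR code below within 72 hours\n"
                    "to verify your account.")
    fake_png = b"\x89PNG\r\n\x1a\n" + bytes(32)  # placeholder image payload
    msg.add_related(fake_png, maintype="image", subtype="png", cid="<qr-code@example>")
    return msg.as_bytes()


def build_benign_sample() -> bytes:
    """Constructed ordinary internal message with a visible link and no image."""
    msg = EmailMessage()
    msg["From"] = "Alice Example <alice@example.com>"
    msg["To"] = "employee@example.com"
    msg["Subject"] = "Thursday agenda"
    msg.set_content("Agenda for Thursday's meeting is on the intranet: "
                    "https://intranet.example.com/agenda")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("quishing", build_quishing_sample()), ("benign", build_benign_sample())):
        result = score_message(raw)
        print(label, result["verdict"], result["score"], *result["findings"], sep="\n  ")
```

The scorer deliberately stops at "an image the user is asked to scan, with no visible link"; in a real mail pipeline the image parts it collects would be handed to a QR decoder so that the decoded URL can go through the same reputation and sandbox checks as any link in the message body, which is exactly the step that text-only link scanning skips.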
The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.