QR codes have become a quick and easy way to access information, make payments, and connect with services. They make mundane tasks very easy. But with convenience comes risk - enter QR code phishing. Today we're going to learn about it and how to prevent QR code phishing from happening in the first place.
QR phishing, also known as quishing, is a form of phishing attack in which an attacker deceives a victim into scanning a QR code. This will typically lead them to a website, app or link that requests or steals the user’s credentials and personally identifiable information (PII).
The website or app behind the code is fraudulent, and entering your credentials hands them to the attackers, who can then access your account.
Quishing attacks operate much like traditional phishing schemes, but instead of a text link, the scam uses a QR code. When a user scans the code, their device decodes the embedded link and opens a website that steals their information.
Although quishing employs many of the same tactics as traditional phishing, the use of QR codes makes it much harder to detect and block. A text link in an email can be spotted by simply reading the message, whereas a QR code is an image that must be decoded before the URL it hides is visible to the reader or to a conventional link filter.
In May of 2023, a woman at a bubble tea shop unknowingly scanned a QR code that looked perfectly legitimate. She had no idea that this innocent action would lead to the installation of a harmful app, giving hackers full access to her phone’s apps, microphone, and camera.
Through this, the cybercriminals were able to monitor her activity and capture sensitive information, including her bank details, ultimately stealing $20,000 from her accounts.
During the same year, Washington University in St. Louis shared a blog post discussing a phishing campaign that utilized malicious QR codes to target members of the WashU community. When victims scanned the QR code included in the phishing email, they were taken to a fraudulent WUSTL Key login page.
The page requested the victim's login credentials. The attackers even went so far as to threaten suspension of the recipient's account if they didn't scan the QR code. Fortunately, the information security team at WUSTL promptly informed the community about the threat.
Scammers may also attempt to steal credentials through DocuSign-branded PDFs containing quishing QR codes, intended to lure victims to fraudulent Microsoft login pages.
At the individual level, the easiest way to steer clear of a quishing attack is to avoid scanning QR codes from unknown sources. This can be challenging, however, especially in large organizations.
Some steps firms can take to prevent QR phishing attacks are:
Employ a QR code scanning filter. For example, organizations can opt for email security solutions that can analyze QR codes to identify fraudulent links.
Phase out the use of QR codes for multifactor authentication. Given their potential for misuse, avoid using QR codes for MFA or other legitimate purposes, so that employees do not become accustomed to trusting emails that contain QR codes.
Educate employees with training. A gamified training program that includes a QR code phishing simulation can help businesses protect themselves from quishing attacks.
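As an added example (not code from the original post), the URL-analysis step that such a QR code mail filter performs once the image has been decoded: it takes the decoded payload string and returns the reasons it looks like quishing. The trusted login domains, the optional OpenCV-based decoder, and the sample payloads are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist (constructed): the only registrable domains on which a
# genuine login page for each brand mentioned in the post should ever live.
TRUSTED_LOGIN_HOSTS = {
    "wustl.edu": "WUSTL Key",
    "microsoftonline.com": "Microsoft",
    "docusign.com": "DocuSign",
}


def decode_qr_image(path: str) -> str:
    """Decode a QR image to its payload with OpenCV (optional dependency)."""
    import cv2  # only needed for the decoding step, not for analysis
    data, _points, _straight = cv2.QRCodeDetector().detectAndDecode(cv2.imread(path))
    return data


def _is_under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def analyze_qr_payload(payload: str) -> list:
    """Return the reasons a decoded QR payload looks fraudulent ([] if none)."""
    payload = payload.strip()
    parts = urlsplit(payload)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        # e.g. an otpauth:// MFA enrolment URI arriving by email is itself suspicious
        return ["non-web scheme '%s' in QR payload" % parts.scheme]
    reasons = []
    if parts.scheme == "http":
        reasons.append("plain http link")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a hostname")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (possible homoglyph) hostname")
    if "@" in parts.netloc:
        reasons.append("'@' in authority (host confusion)")
    # Brand lookalike: a trusted brand's name appears anywhere in the URL,
    # but the host is not under that brand's own domain.
    for domain, brand in TRUSTED_LOGIN_HOSTS.items():
        label = domain.split(".")[0]
        if label in payload.lower() and not _is_under(host, domain):
            reasons.append("'%s' lookalike on untrusted host %s" % (brand, host))
    return reasons
```

A filter would quarantine or rewrite the message when the list is non-empty; only `decode_qr_image` needs OpenCV installed.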
QR code phishing scams cleverly exploit our trust in seemingly harmless codes, making it essential for individuals and organizations alike to stay vigilant. Awareness is key: the more informed you are about the threats posed by quishing, the better equipped you'll be to navigate the digital landscape safely. Stay alert, and remember: if something looks suspicious, it's always best to double-check before you scan. With these tips in mind, you know how to prevent QR code phishing from wreaking havoc.