THE 2024 CYBERSECURITY TRENDS & INSIGHTS REPORT IS PUBLISHED!  READ THE REPORT HERE

Quishing: How QR Code Phishing Works and 4 Ways to Prevent It

quishing

What Is Quishing (QR Code Phishing)? 

Quick Response (QR) codes have become an integral part of our daily lives. However, with this increasing prevalence comes a new kind of threat: quishing. A portmanteau of QR code and phishing, quishing is a fraudulent activity where attackers create malicious QR codes to steal sensitive information.

state of phishing demo cta

In a quishing attack, a user scans a QR code, thinking it’s from a trusted source, and is redirected to a malicious website or prompted to download malware. Typically, the attacker’s end goal is to trick the user into divulging personal information like credit card details or login credentials.

Quishing is a serious concern because it’s not possible for users to differentiate between a genuine and a malicious QR code (unlike traditional phishing attacks where there are often warning signs of an inauthentic message). More significantly, existing anti-phishing mechanisms rely on analyzing text and links within suspicious emails. Quishing emails are typically delivered as image files, with no textual elements, allowing them to bypass email security systems.

Quishing Impact and Consequences 

Damage to Consumers

Quishing poses a significant risk to consumers, and can lead to financial loss and identity theft. For example, a consumer may scan a QR code in a public place, like a café or a bus stop, thinking it leads to a promotional offer. Instead, they’re directed to a fraudulent website where they’re tricked into entering their credit card details. This information can be used by attackers for unauthorized purchases or sold on the dark web. 

Quishing can also lead to the compromise of personal accounts. For example, attackers might send a QR code by email, supposedly from a social media platform. The user is directed to a malicious site and asked to enter their credentials. The attacker compromises the credentials and uses them for identity theft.  

Data Breaches

Quishing attacks can also lead to significant data breaches within organizations. Consider a scenario where an employee scans a QR code, believing it to be an internal survey from their employer. This QR code, however, is a quishing attack designed to capture login credentials. Once the attacker gains access to the employee’s account, they can move laterally within the organization’s network, accessing sensitive corporate data. 

Scenarios like this can result in major data breaches involving customer information, trade secrets, and other confidential data. Such breaches not only lead to financial losses but also damage the organization’s reputation, compliance violations, and legal exposure.

Business Compromise

Beyond data breaches, quishing can be a gateway to more severe business compromises such as financial fraud and network infiltration. Consider a scenario where an attacker uses quishing to trick employees into making fraudulent financial transactions. For example, a QR code disguised as a vendor payment request could lead to a fake banking portal, resulting in funds being transferred to the attacker’s account.

Another high impact scenario is that an attacker could use a spoofed QR code to deliver ransomware into an organization. By sending a carefully crafted email to an individual with administrative permissions, the ransomware can spread across a network and lead to critical business data held hostage for a ransom. 

How Quishing Attacks Work: Methods and Techniques 

Spoofing

Spoofing, in the context of quishing, involves creating malicious QR code that mimics a legitimate one from a trusted authority or brand. For example, the QR code might appear within a poster that uses a recognized brand’s logo and imagery, or it might be embedded in an email that apparently comes from a trusted vendor’s website domain.

In a QR attack based on spoofing, attackers take advantage of two trust elements: a user’s familiarity with a brand or organization, and their assumption that a QR code will always lead to a safe destination.

Creating a Sense of Urgency or Opportunity

Like in traditional phishing attacks, quishing attacks might use urgency or a missed opportunity, to cause a victim to scan a QR code without carefully examining it or considering the consequences.

According to a consumer warning issued by the U.S. Federal Trade Commission (FTC), here are common urgency tactics used in quishing attacks:

  • Covering up the QR code on a parking meter with a malicious QR code. This exploits the urgency of paying for one’s parking and getting on the way.
  • Sending a message saying a package could not be delivered, with a QR code to contact the sender or reschedule.
  • Pretending there is suspicious activity on the victim’s account, and they need to confirm information to prevent the account from being frozen.

Fake Websites and Transactional Processes

Scammers are becoming increasingly sophisticated in their approaches, and this includes using meticulously crafted fake websites and processes in their quishing attacks. This method involves creating a scenario designed to trick the user into providing their sensitive information.

For instance, a user might scan a QR code that appears to be from the bank. It leads to a site that looks identical to the bank’s official website. The user is then prompted to enter their login details, supposedly to verify your account or update your security settings. The credentials are then sent to the scammer.

Redirecting to Fake Interactive Voice Response (IVR) Systems

A more advanced quishing technique involves redirecting victims to fake Interactive Voice Response (IVR) systems. This can be particularly effective because it mimics the behaviors of legitimate businesses. The use of a call instead of a website can create a false sense of security, making it more likely for the user to disclose sensitive information.

In a typical scenario, a user scans a QR code that purports to be from a well-known company. Instead of being taken to a website, they are connected to a phone number. The number will provide an automated voice system that requires the user to enter sensitive data such as a credit card number, a social security number, or bank account details. Attackers record the information entered by the user. 

state of phishing demo cta

QR Code Security: 4 Ways to Protect Against Quishing 

If you are an individual, here are a few ways to avoid falling prey to quishing attacks. If you work for an organization, educate employees and users on these best practices to prevent quishing and safeguard your network.

1. Verify the Source of a QR Code

A first line of defense against quishing attacks is to verify the source of the QR code. If you encounter a QR code in a public place, ask yourself if it’s from a trustworthy source. If you’re not sure, it’s best to avoid scanning it.

Also, always verify the source of emailed or messaged QR codes. Cybercriminals often impersonate reputable companies in their phishing attempts. If you get an unexpected QR code from a company, contact them through their official channels to confirm its legitimacy.

2. Use a Reliable QR Code Reader

When choosing a QR code reader, look for ones that are created by reputable software vendors and have positive reviews. Some QR code readers could be malicious software distributed by attackers, or software that is not regularly updated and more susceptible to security vulnerabilities.

Also, some QR code readers have built-in security features. These features may include a warning system that alerts you when a QR code is linked to a suspicious website. Using a QR code reader with these security features can add an extra layer of protection against quishing attacks.

3. Preview the Destination URL

Before you scan a QR code, it’s important to preview the destination URL. This can help you identify potentially malicious websites. If the URL looks suspicious, don’t proceed with the scan. Make sure the URL is under a known domain name and is secure (starts with https://). 

Here is an example of how to do this in a popular QR scanning app, QR & Barcode Scanner. After scanning the QR code, the application shows the destination URL, which in this case is under a reputable domain, nutella.com. Note however that the URL is not secure (starts with http:// without the ‘s’).

Source: Google Play Store

Furthermore, be wary of shortened URLs. Cybercriminals often use URL shorteners to hide the true destination of their phishing sites. If you encounter a shortened URL, use a URL expander to reveal the full URL before scanning the QR code. For example, Urlex is a free website that allows you to expand a short URL to view the destination URL.

4. Advanced Anti-Phishing Solutions

Anti-phishing solutions help protect individuals and businesses from malicious messages that attempt to trick users into divulging personal information, or cause them to visit malicious websites.

However, traditional anti-phishing solutions are blind to quishing attacks, because they are based on images, not text. Perception Point is one of the first email security solutions that addresses the quishing threat.

Perception Point scans all QR codes in messages before they are received by a user. It actually follows the URLs within them to identify if they are malicious. The solution uses image recognition and AI to detect and block quishing attacks at their source before they even get to the end users. 

Quishing-Diagram

Using real-time image recognition models, QR codes are extracted from the body of the email or from attached images and documents (PDFs, Office files, etc.). A proprietary anti-evasion algorithm then follows the URLs to scan them dynamically for any phishing or malware delivery attempts. 

Perception Point phishing detection technology consists of multiple AI and ML detection models including: 

  • Two-Step Phishing: object detection model examines webpages to recognize clickable elements for further scanning (evasion: end users are first presented with a trusted page, clicking an element within it redirects them to the malicious payload). 
  • Login Forms Detection: Computer vision models detect input boxes and login forms, crosscheck them with the URL and identify anomalies and prevent credential theft.
  • Brand Recognition: Comparing email/URL/file screenshots/images/URL favicons to logos and visual assets of known brands to detect spoofing and phishing. The data is analyzed against known ‘clean’ images (e.g. official Microsoft logos) and known ‘malicious’ ones (impersonation attempts caught by Perception Point).
  • Domain Lookalike and URL Lexical Analysis: S-GLocal algorithm incorporates heuristic biological algorithms and modifies them to identify domain lookalikes and impersonation attempts. ML model analyzes the URL structure to find similarities to malicious URLS and to predict whether or not the link is malicious.
  • GenAI Decoder™: LLM-based model utilizes transformers to recognize the patterns in AI-generated text and detects malicious social engineering attempts in the email text.

Learn more about Perception Point quishing prevention

state of phishing demo cta

Rate this article

Average rating 4 / 5. Ratings: 4

Be the first to rate this post.