Not on your Quishlist

QR code phishing, or "quishing," is a sophisticated social engineering attack designed to trick individuals into scanning a QR code that redirects them to a malicious website. These deceptive codes, often embedded in emails, bypass traditional security controls and filters, making them particularly dangerous compared to other phishing methods.

The Rise of QR Code Technology

QR codes, or quick-response codes, were invented in 1994 by Denso Wave, a Japanese automotive company, to assist in labelling parts. These codes, which contain data in black-and-white square patterns deciphered by Reed-Solomon error correction, have evolved significantly since then. Unlike traditional one-dimensional barcodes, QR codes can be scanned from multiple directions, allowing for greater versatility and ease of use.

While QR codes began to see broader applications as early as 1997, their adoption has surged in the past decade, particularly during the COVID-19 pandemic. It is projected that by 2025, over 100 million U.S. smartphone users will scan QR codes regularly. Of course with every convenient and ubiquitous helpful technology for humans, there are bad actors who are going to exploit it to scam us out of our hard earned cash.

How QR Code Phishing Works

Similar to traditional phishing emails, quishing scams mimic legitimate marketing emails from trusted sources like financial institutions. These emails often convey a sense of urgency, urging recipients to scan a QR code immediately. Scanning the code redirects the user to a fraudulent website that may request login credentials, personal information, or initiate a malware download.

Despite numerous resources on identifying and reporting traditional email phishing, quishing remains relatively under-discussed, making it an attractive option for cybercriminals. The ubiquity of QR codes in everyday life—from newspapers and magazines to public spaces—further exacerbates the risk. In places where you’d least expect it – parking stations or restaurant tables that use QR codes, scammers can simply stick a replacement QR code over the legit one, which will direct people, who are usually busy or not looking for a scam, to a website that looks kind of like it should, and then enter their credit card number and off the scammers go to the bank.

Risks and Consequences

Quishing poses significant risks due to its ability to circumvent most security filters. The consequences of falling victim to such scams are severe and multifaceted.

Harm to Individuals

Victims of quishing often have malware installed on their devices, leading to the theft of personal and financial information. This can result in compromised devices, identity theft, and financial fraud.

Corporate Financial Implications

The primary goal of quishing scams is typically financial gain. A 2021 study revealed that large organisations suffered losses exceeding $15 million from phishing attacks, averaging around $1,500 per employee. Moreover, direct financial losses from phishing attacks have increased by 76%, according to Proofpoint's "2023 State of the Phish" report.

Data Security Concerns

Quishing scams frequently lead to data breaches, compromising sensitive consumer information. These breaches not only expose confidential data but also damage the reputation of the affected company, leading to a loss of customers and revenue.

Preventive Measures

Recognising Legitimate QR Codes

To avoid falling victim to a quishing scam, it is crucial to verify the source of any QR code received via email or automated text message or if using one while out and about or in public spaces, inspect QR codes for signs of tampering, such as hidden codes underneath and pay close attention to the site you are directed to. Be cautious of codes received unexpectedly or from unfamiliar senders. When in doubt, contact the purported sender directly to verify the QR code's legitimacy or do not proceed.

Applying Best Mobile Security Practices

Using a smartphone's preinstalled camera app is sufficient for scanning QR codes, eliminating the need for additional scanning apps. Strong password practices are essential for protecting against cyberattacks. Use passphrases that include a mix of letters, numbers, and special characters, and employ different passphrases for different accounts to enhance security.

Enabling multifactor authentication (MFA) on accounts that support it adds an extra layer of security, making it more difficult for hackers to gain access. Additionally, installing security apps or antivirus software can help block malicious links and downloads, providing a reliable defense against quishing scams.

Staying Informed on Phishing Tactics

Continuous education on evolving phishing tactics is vital for both individuals and businesses. Quishing emails often emphasise urgency to manipulate recipients emotionally. Carefully review the sender's address and the content of the email, looking out for spelling errors or incorrect information. Remember, no legitimate email will demand personal or sensitive information. The majority of cyber attacks and scams or hacks are still the result of human error, mostly due to the increasing sophistication of scam sites, and our multitasking too busy lives where we are doing everything on the go and at times miss subtle red flags.

As QR codes become increasingly embedded in our daily lives, the threat of quishing grows. By staying vigilant, employing robust security practices, and continuously educating ourselves on new phishing tactics, we can protect against this emerging cyber threat while not losing the convenience of the QR.