Quishing on the Rise- An In-depth Look into QR Code Phishing

Phishing has evolved over the years, adopting numerous forms and approaches to deceive users into exposing sensitive information or downloading malicious software. I've witnessed a recent ongoing trend targeting various geographical regions, the use of QR codes in phishing emails. This tactic, termed "Quishing" (or "QR-phishing"), enables cybercriminals to employ QR codes cleverly, tricking users into accessing malicious links.

Upon investigating this phenomenon, an interesting revelation emerged, emails embedded with QR codes often bypass email gateways without scrutiny. This suggests that the typical safeguards, which examine URLs or attachments in emails, are essentially blind to the threats presented by these QR codes. Feedback from one of the top email gateway vendors has highlighted this security gap. They revealed that QR codes aren't usually analysed for content, meaning there's no current mechanism to classify the URLs within these codes regarding potential threats or identify them as Quishing.

In a typical "Quishing" scenario, users scan the QR code using a secondary device, most often a personal mobile phone. By prompting users to scan the QR code with a different device than the one where they received the email, cybercriminals ingeniously circumvent highly secure corporate systems. In many such instances, users utilise their personal mobiles to scan the code, consequently landing on malicious websites.

Numerous users perceive their personal devices as low-risk, often not securing them as thoroughly as they would a work-issued device. This perception renders personal devices an attractive, and frequently simpler, target for cybercriminals intending to trick users into accessing malicious links.

Prevention Measures:

• Scrutinize the Source: Before scanning any QR code received via email, SMS, or other digital channels, users should ascertain the sender's authenticity. Cybercriminals frequently masquerade as trusted organizations or acquaintances.
• Use QR Code Previewers: Several apps and tools enable users to preview the URL embedded within a QR code prior to accessing it. Utilizing these tools ensures users aren't inadvertently redirected to malevolent sites.
• Update and Secure Devices: Regular updates for both personal and corporate devices are paramount. Security patches can safeguard devices from known vulnerabilities that cybercriminals may exploit.
• Educate and Train: Organizations should consistently conduct cybersecurity training, emphasizing the potential risks tied to QR codes. Real-world examples and simulated phishing tests empower employees to identify and counteract threats.
• Avoid Scanning Unknown QR Codes: As a rule of thumb, users should steer clear of scanning QR codes from dubious sources, which includes random posters, leaflets, or unsolicited emails.
• Report Suspicious QR Codes: Should a user encounter a questionable QR code, especially within a corporate setting, it's imperative to notify their IT or security department. Such feedback mechanisms aid organizations in preempting emerging threats.
• Read QR code for Malicious Links: There are online QR code reader services that extract the URL or content from QR codes and assess its reputation though automation workflows.