There’s been a “precipitous rise” in QR code phishing  campaigns in 2023, according to Matthew Tyson at CSO.  These attacks, dubbed quishing attacks, seek to bypass current security layers by moving attacks to unprotected mobile devices. It’s important that your cybersecurity program address quishing to better protect your organization.

What are Quishing Attacks?

QR code-based phishing attacks involve the use of QR codes to deceive individuals into visiting malicious websites or executing malicious actions. Here’s how such an attack might be carried out:

1. Creation of Malicious QR Code: The attacker generates a QR code that, at first glance, appears harmless or even legitimate. This QR code may be printed on a physical object, embedded in an email, placed inside a document, or shared through various means.
2. Distribution: The attacker distributes the QR code through channels that the target audience is likely to encounter. This could include attaching it to a physical object, sharing it on social media, sending it via email, or placing it on posters or flyers.
3. Social Engineering: To entice users to scan the QR code, the attacker may use social engineering tactics. For example, they might claim that scanning the code will provide access to exclusive content, discounts, or promotions.
4. Redirect to Malicious Website: Once the user scans the QR code, it redirects them to a malicious website that is designed to mimic a legitimate site. This could be a phishing site where the user is prompted to enter sensitive information such as login credentials, credit card details, or other personal information.
5. Exploitation: The malicious website may exploit vulnerabilities in the user’s device or web browser, or it may use other techniques to compromise the user’s security. This could include downloading malware onto the device.
6. Information Theft or Further Attacks: The ultimate goal of the attack is to steal sensitive information or carry out additional malicious activities. This could include identity theft, financial fraud, or unauthorized access to accounts.

“For the attacker, QR codes bring a number of benefits, including some appreciated by legitimate businesses: they are easy to create and easy to use,” Tyson writes. “It is easy for attackers to use free resources to generate convincing QR code enabled phishing emails, attachments, and websites — a mechanism that can increase the effectiveness of their efforts with minimum effort.”

Why are Quishing Attacks Difficult to Defend Against?

Olesia Klevchuk, director of email protection at Barracuda Networks, told CSO that QR codes are more difficult for security defenses to detect.

“URL scanning and URL rewrite technologies are ineffective against QR code attacks because there is simply no link to scan,” Klevchuk said. “Because users have to scan QR codes with their phones, it basically moves these attacks to an entirely new device that is often outside of the company’s security.”

How can I Train my Staff to Deal with Quishing?

Tyson says organizations should implement the following layers of defense to help thwart QR code phishing attacks:

• “Education: Ensure users are aware of the quishing trend and emphasize that QR codes are not an indication of legitimacy.”
• “Prevention: Automated systems that filter emails and URLs should be examined and hardened against QR codes. Existing use of QR codes by the enterprise should be examined to make it as hard as possible for attackers to hijack them.”
• “Response: Detection and lockout mechanisms should be in place to protect against account compromise.”
• “Validation: Incorporate QR code attacks red teaming tests and attack simulations.”

Tyson adds, “As technology-oriented professionals, we work towards a technology-oriented solution, but education and awareness play their part. We’ve gotten used to harping on the distrust of emails and confirming through a second channel anything significant. QR code attacks adds an important element: QR codes are not any kind of indication of legitimacy.”

Help your Staff Identify and Avoid Quishing.

Cyberthreats are constantly evolving.  As such, your best line of defense will always be to educate your organization to identify and avoid threats.  Cybersecurity Awareness Training combines educational videos and simulated attacks with individual and organization-wide security assessments.  These types of formal programs help to teach your staff how to spot and avoid suspicious activities, empowering them with the knowledge necessary to make smart decisions about the threats out there today, and emerging threats of tomorrow.  We’ve often seen clients seeking insurance policies that provide cyber-coverage negotiate discounts based on formal cybersecurity awareness programs implemented in the workforce.

Inacom uses the KnowBe4 platform to strengthen the security culture of our clients and reduce human risk.  To learn more, give us a call at 410.543.8200 today.

To learn more, visit CSO for the full story.