Quishing: What is QR Code Phishing and is it a threat?

QR code phishing, also known as "quishing," is a relatively new type of phishing that takes advantage of the widespread use and convenience of QR codes for malicious purposes. These attacks rely on cybercriminals creating deceptive QR codes that appear legitimate but lead to phishing websites or prompt the user to download malware onto their device. These malicious QR codes can be found in various formats, such as on posters, flyers, or even on websites.

Why do cybercriminals use QR codes in phishing attacks?

QR code phishing aims to deceive users into divulging sensitive information like login credentials, credit card details, or personal data. Once cybercriminals acquire this information, they can exploit it for identity theft, financial fraud, or other malicious activities.

Being aware of QR code phishing is crucial as it has increasingly become prevalent in recent years. With the surge in mobile device usage and the widespread adoption of QR codes for various purposes, cybercriminals have discovered new ways to exploit this technology to their advantage.

Example of a QR phishing attack

Below is an email example where an attacker is urgently advising a victim to scan a QR code to preserve access to their account. Failure to do so will mean that their corporate email account passwords will soon 'expire'.

After scanning the code, the user is redirected to a fake login page styled as a Microsoft sign-in, where the victim is encouraged to submit their account credentials.

The rise of QR code phishing

QR codes have become increasingly popular across various industries, especially in industries such as hospitality, where they're used for menus, ordering and more. However, this rise in QR code usage has also brought about a concerning increase in phishing attempts.

Recent reports indicate a significant surge in QR code phishing attacks. Cybercriminals are constantly refining their techniques to create more convincing and malicious QR codes. These attacks pose a serious threat to both individuals and businesses, jeopardizing the security of personal and sensitive information.

It is crucial for individuals and organizations to be aware of these risks and take necessary precautions to protect themselves from falling victim to QR code phishing attacks. Stay vigilant and ensure that you are only scanning QR codes from trusted sources to safeguard your data and privacy.

A 51% increase in QR phishing attacks

According to a recent study by ReliaQuest, there has been a significant increase of 51% in phishing attacks using QR codes in September 2023, compared to the period of January through August 2023. This highlights the growing threat of quishing attacks and the need for heightened security measures to protect against them. The findings from this study serve as a reminder for individuals and organizations to stay vigilant and take necessary precautions to safeguard their information and digital assets.

Some key findings from the study are as follows:

• The most common scenario for QR phishing involved Microsoft 2FA resets or enablement, which accounted for over 50% of the QR phishing emails in this dataset. Victims were instructed to enter their Microsoft email addresses and passwords.
• QR attacks on online banking pages made up 18% of all attacks, making it the second most popular method used by cybercriminals. Victims were prompted to enter their banking credentials on the page.

As the prevalence of QR code phishing continues to rise, businesses must understand the associated risks and take proactive measures to safeguard themselves and their customers.

Common QR phishing techniques

Cybercriminals employ various techniques to carry out QR code phishing attacks. Some common methods include:

• Fake websites – Cybercriminals create deceptive websites that closely resemble legitimate ones, tricking users into entering sensitive information.
• Malware distribution – Malicious QR codes can be used to distribute malware onto the user's device, giving cybercriminals unauthorized access or control over the device.
• Social engineering – Cybercriminals may use social engineering techniques to manipulate users into scanning malicious QR codes, often by offering enticing rewards or discounts.
• URL redirection – QR codes can be designed to redirect users to phishing websites or malicious content, prompting them to enter their information.

Understanding these common techniques allows businesses to better educate their employees and customers about the risks associated with QR code phishing. It also helps them identify and avoid potential threats.

Education is the key to preventing Quishing-related data breaches

With Enabl's human risk management solution, IT leaders and managed service providers can empower end-users with the knowledge and vigilance to prevent data breaches.

With just a few simple steps, Enabl's simulated phishing tool empowers you to deploy both pre-made and customized QR phishing campaigns. These campaigns provide invaluable insights into your users' vulnerability to such attacks.

Get in touch with our team for a demo of our phishing simulation tool.