
Phishing takes many forms, and cybercriminals will find and use any opportunity to trick a person. The QR code is one of the latest technologies to be exploited for criminal gain. QR Codes are a widespread technology found everywhere, from restaurants to car parks to login pages. The popularity of the QR code is down to its convenience. This popularity is captured in a 2024 report on QR Code trends, which found a 47% increase in QR code usage each year. QR Codes are easy to use, with most Android and iOS smartphones offering in-built QR Code scanners. In the USA, around 80% of users trust QR code technology. It is this trust and convenience that scammers are exploiting.

Why are QR Codes Used for Phishing?

The COVID-19 pandemic promoted using QR codes as an ideal contactless way for customers to access information. The convenience, widespread use, trustworthiness, and popularity of QR codes made QR codes an attractive target for cybercriminals. QR Code phishing or “Quishing” is now an established form of behavior manipulation scammers use. Some recent examples of Quishing include the following:

Examples of QR Code Phishing

QR Code Voicemail Scams: QR code-enabled voicemail scams begin with previously compromised legitimate employee account credentials. These login credentials are then used to gain unauthorized access to Microsoft Outlook accounts. The attackers use these legitimate accounts to send emails that purport to contain a voicemail from the account holder. The email states that to hear the voicemail, the recipient must scan a QR code contained in the email. If the employee scans the QR code, they are taken to a spoof but realistic-looking Microsoft login page. If the employee enters their credentials to listen to the supposed voicemail, those credentials are stolen.

QR Code Banking Scams: Santander and other banks are aware of QR code scammers who use spoof emails pretending to be from the bank. The emails ask customers to consent to a new data policy or review a security process by scanning a QR code in the email. Scanning the code sends the customer to a landing page that looks exactly like the bank’s login page.

QR Code Payment Scams: cashless parking is a part of the modern car park landscape. Often, to pay for parking, a driver will be offered a QR code to scan that will take them through a process to pay for parking. Scammers are exploiting the legitimate QR codes in many car parks, sticking fake QR codes over the top of these legitimate QR codes. When drivers scan the fake QR code, they are directed to a spoofed but legitimate-looking website, where they can enter financial card details to pay for parking. Once those details are entered, they are stolen by the fraudster.

The fact is that the QR Code is an ideal mechanism for fraud. Various tactics are evolving in this exploit, including using embedded image links in emails, which can load a QR code, and QR code images sent as attachments.

Did You Know?

  • 47% increase in QR code usage each year
  • 80% of US-based users trust QR code technology
  • 90% of cyber attacks begin with phishing
  • 10 minutes to seamlessly install PhishTitan

How Does Quishing Work?

Malicious QR Codes

The examples shown above, where spoof branded emails were used to carry QR codes, are examples of malicious QR code use. The email brand is cleverly replicated to trick employees into believing they are dealing with a legitimate company. In this type of QR code threat, attackers embed malicious QR codes in phishing emails as content or attachments. When victims scan the code using a personal mobile device, they are directed to a malicious website, where, ultimately, the execution of malware on the device occurs.

Spear Quishing

Targeted Quishing or Spear Quishing is where adversaries send spear-phishing emails with QR codes to targeted employees. The QR codes redirect the employee to spoof Microsoft Office 365 login pages. Unsuspecting users enter their login credentials, which are then stolen. These compromised credentials will then be used to access the corporate network, leading to various attacks, including ransomware infection, Business Email Compromise, and data breaches.
 

Why are QR Code Attacks So Dangerous?

The trustworthiness of QR codes means that individuals are more likely to interact with the code. This leads to employees feeling comfortable enough to use their mobile devices to scan the QR code. Cybercriminals understand that personal mobile devices are less secure and contain sensitive information. The hackers leverage this security flaw.

QR code attacks are also varied, making them more difficult for users to identify. Some companies are even using QR Codes to facilitate fast login. QR codes can take employees to spoof websites that steal credentials or even arrive embedded in malicious attachments that install malware.

What About the Cost of QR Code Phishing to an SMB?

Small companies may feel safe from the specter of QR code phishing, but the statistics show they are not. Insurers Hiscox explored the impact of cyberattacks on small UK companies using their live attack system. The research shows that in the UK, small companies are being attacked around 65,000 times per day, with many of the attacks taking the form of phishing. On average, the basic clean-up costs of a successful attack come to around £25,700 ($33,700) per attack for a small UK business. This does not include intangible costs such as damage to reputation and lost customers.

Even at the personal level, QR code scams are costing individuals thousands. A recent spate of car park QR code scams has cost drivers thousands. The scammers replace legitimate QR codes used to pay for parking with malicious QR codes that take drivers to fake websites to steal credit card information.


How to Protect your Business & Users from Quishing Attacks

QR code phishing or Quishing should be integral to security awareness training. Educate employees about Quishing dangers as part of more general phishing training and include QR codes in simulated phishing exercises. Teach employees about the various aspects of QR code technology and its exploitation. Ensure employees understand:

  • To be cautious of any QR code embedded in an email, especially one with poor image quality or a blurry appearance.
  • That many QR code scanners preview the link, allowing users to see where they will be taken before opening it.
  • To practice caution when scanning QR codes from unknown sources, unsolicited emails, or public places.
  • To check the URL after scanning the QR code. If the URL looks suspicious, is shortened, or differs from what was expected, do not proceed.
  • To swiftly report any Quishing attempt to the line manager, security team, or other company authority. This helps to mitigate incidents.

Education and mobile security are two layers of protection, but the third layer is to detect the QR code phishing threat before it enters the employee inbox.

Advanced Quishing Detection

PhishTitan augments Microsoft native security to kill Quishing. PhishTitan goes beyond the boundaries of an SEG to provide Integrated Cloud Email Security (ICES). An ICES is a cloud-based, integrated solution using advanced technologies for anti-phishing detection. These technologies include AI, machine learning, and natural language processing (NLP). Even sophisticated and multi-part phishing threats that use QR codes and out-of-band mobile elements can be detected using PhishTitan's advanced AI-powered technology. Important features that allow PhishTitan to kill QR code phishing include:

Real-time Detection

QR code phishing often deploys dynamic content generation. This clever tactic means a malicious payload can rapidly change to avoid detection. This is known as a zero-minute phishing threat. PhishTitan's advanced AI-enabled anti-phishing detection uses a vast training corpus to identify predictable patterns in QR code evasion.

Behavioral Analysis

Often, unusual behavioral patterns can pinpoint an attack that uses evasive techniques like QR code scams. Advanced anti-phishing solutions, like PhishTitan, provide behavioral analysis that identifies unusual behavior as users interact with QR codes. ICES solutions use techniques such as NLP to detect suspicious behaviors and patterns and alert administrators to a potential phishing attack.

Time of Click Protection

QR codes often take users to malicious websites, and the URL associated with the QR code steals data or installs malware. PhishTitan automatically checks the website presented by the QR code for malicious activity. These checks are performed in real-time. If the URL points to a phishing site, the employee will be prevented from opening the site.
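The URL checks described in the employee checklist above (shortened, suspicious, or different from the expected destination) and the time-of-click verification described here can be expressed as a small triage routine. This is an added example, not PhishTitan code; it starts from the string a QR scanner has already decoded, and the brand domain table, known-phishing list, and shortener list are constructed sample data standing in for a real reputation database.

```python
"""Triage a URL decoded from a QR code found in an email.
Added example, not PhishTitan code: a real pipeline would first decode the
QR image; here we start from the decoded payload string."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data for the example: domains each brand really owns,
# a stand-in for a known-phishing URI database, and public URL shorteners.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com"},
    "santander": {"santander.co.uk", "santander.com"},
}
KNOWN_PHISHING = {"voicemail-secure-login.example", "parkpay-now.example"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
PUBLIC_SLDS = {"co", "com", "org", "ac", "gov", "net"}

def registered_domain(host: str) -> str:
    """Crude eTLD+1: last two labels, three for suffixes such as .co.uk."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in PUBLIC_SLDS and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])

def assess_qr_url(payload: str, claimed_brand: str = "") -> dict:
    """Return block/warn/allow plus the reasons a defender would log.
    claimed_brand is the brand the carrier email impersonates, if known."""
    block, warn = [], []
    url = urlsplit(payload.strip())
    host = (url.hostname or "").lower()
    if url.scheme not in ("http", "https") or not host:
        return {"verdict": "block", "reasons": ["payload is not an http(s) URL"]}
    reg = registered_domain(host)
    if reg in KNOWN_PHISHING:
        block.append(f"{reg} is in the known-phishing list")
    try:
        ipaddress.ip_address(host)
        block.append("host is a bare IP address")
    except ValueError:
        pass
    # Brand mismatch: the email claims brand X but the QR lands on another domain.
    if claimed_brand and reg not in BRAND_DOMAINS.get(claimed_brand, set()):
        block.append(f"email claims {claimed_brand}, but link resolves to {reg}")
    if reg in SHORTENERS:
        warn.append("URL shortener hides the real destination")
    if url.scheme == "http":
        warn.append("cleartext http for a page that may ask for credentials")
    verdict = "block" if block else "warn" if warn else "allow"
    return {"verdict": verdict, "reasons": block + warn}
```

A production filter would replace the inline sets with live reputation feeds and a proper public-suffix list, and would run the same check again at click time because the destination behind a QR code can change after delivery.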

PhishTitan provides advanced phishing detection, including the detection of Quishing attempts, and stops an employee from navigating to a malicious website that a QR code may initiate. Based on advanced AI-based algorithms that spot difficult-to-detect and complex phishing attacks, PhishTitan keeps ahead of the Quishing fraudsters.

Talk to TitanHQ's experts to understand how you can stop QR code phishing from costing your company thousands.

Susan Morrow Bio


Frequently Asked Questions (FAQs)

What is Spear Quishing?

Targeted Quishing or Spear Quishing is where adversaries send spear-phishing emails with QR codes to targeted employees. The QR codes redirect the employee to spoof Microsoft Office 365 login pages. Unsuspecting users enter their login credentials, which are then stolen.

What is an Anti-Phishing Filter?

Phishing messages typically contain indicators of malicious intent, such as links to spoof landing pages; these links have a Uniform Resource Identifier (URI) that points to the landing page used to steal login credentials and other data. An anti-phishing filter detects malicious URIs by comparing them to a database of known phishing URIs. Advanced anti-phishing filters use AI-enabled measures to detect and filter malicious emails, using multiple techniques to look for signals of phishing.

Why do you need QR Code Phishing Protection?

QR codes often take users to malicious websites, and the URL associated with the QR code steals data or installs malware. PhishTitan automatically checks the website presented by the QR code for malicious activity. These checks are performed in real-time. If the URL points to a phishing site, the employee will be prevented from opening the site. PhishTitan keeps ahead of the Quishing fraudsters.

What is Email Phishing Protection?

Effective email phishing protection involves using an advanced, AI-enabled email filtering solution, predictive analysis to prevent zero-minute attacks, DNS filtering, and other human-centric measures such as employee phishing training and security awareness training. By applying layers of protection, even evolving threats, such as zero-minute and zero-day attacks, can be prevented.

Traditional vs. Advanced Anti-Phishing Filters

Traditional anti-phishing filters scan the source code of email content and landing pages to detect known malicious signatures. However, attackers who have evolved tactics to evade traditional phishing detection have circumvented this static detection method. For example, polymorphic malware and content can generate undetectable dynamic signatures that fool conventional anti-phishing filters. This ability to rapidly change malware signatures has led to the development of advanced anti-phishing.