QR Code + Phishing = Quishing
What you need to know about Quishing
Thanks to Covid we saw a rise of digital transformation, businesses and individuals alike have embraced QR(Quick Response) codes for their convenience and versatility. From restaurants to advertising campaigns, QR codes offer a quick and easy way to access websites, download apps, or even make payments. However, this widespread use has also given rise to a new cybersecurity threat known as “quishing”, a blend of “QR code” and “phishing.”
What is Quishing?
Quishing is a type of phishing attack where cybercriminals use QR codes to deceive users into scanning them, leading them to malicious websites or tricking them into revealing sensitive information. Unlike traditional phishing, which relies on fake emails or websites, quishing exploits the trust people have in QR codes. Since users cannot see the underlying URL before scanning, it becomes easier for attackers to hide malicious links.
How Quishing Works
1. Creation of a Malicious QR Code: Attackers create a QR code that redirects users to a malicious website. This could be a fake login page, a site containing malware, or a form that asks for sensitive information such as usernames, passwords, or payment details.
2. Distribution: These QR codes can be distributed in various ways:
— Emails and Text Messages: Attackers can send emails or SMS messages that appear legitimate, encouraging recipients to scan a QR code to view an invoice, confirm account details, or track a package.
— Physical Locations: Cybercriminals can place fake QR codes over legitimate ones in public spaces like posters, restaurant tables, or ATMs. Unsuspecting users who scan these codes are redirected to malicious sites without realising.
— Social Media and Ads: QR codes are also shared on social media platforms or through digital ads, often enticing users with attractive offers or discounts.
3. Execution: Once the QR code is scanned, users are redirected to a malicious URL. Depending on the attack’s objective, users might unknowingly download malware, reveal their credentials, or give away sensitive information.
Real-World Examples of Quishing
Several instances of quishing have been reported, highlighting its growing threat:
— Parking Meters Scam: Attackers placed fake QR codes on parking meters, redirecting users to a fraudulent payment site. Users who scanned the codes and entered their payment details inadvertently sent their money and information to scammers. Read more here.
— Package Delivery Scam: Apparently someone sends you a package you didn’t order and on opening it, you’re asked to scan a QR code to reveal who the package is from. I honestly found this particular one a bit worrisome as in this video here the person mentioned the package was sent to her house. That could either mean the sender knows her or her details must have been leaked somewhere somehow.
How to Protect Against Quishing
1. Verify Before Scanning: Always check the source of the QR code. If it’s on a physical poster, sticker, or sign, verify its legitimacy before scanning. Be cautious of QR codes that look tampered with or misplaced.
2. Avoid Scanning Codes from Untrusted Sources: Do not scan QR codes sent in unsolicited emails, texts, or social media messages, especially if the sender is unknown. If you receive a QR code from a business or individual, verify its authenticity by contacting them directly. Don’t just go about scanning random QR codes just because you can, it might just be a trap!
3. Use QR Code Scanner Apps with Security Features: Consider using QR code scanner apps that display the URL before redirecting you to the site. This allows you to verify the link and avoid malicious sites.
4. Enable Multi-Factor Authentication (MFA): MFA adds an extra layer of security by requiring more than just a password to access your accounts. Even if your login details are compromised, MFA can prevent unauthorized access.
5. Educate Employees and Users: Businesses should train employees and customers to recognize potential quishing attempts. Awareness is the first line of defense against these types of attacks.
6. Use Security Software: Ensure that your devices have up-to-date security software that can detect and block malicious websites or malware that might be deployed through a quishing attack.
The Future of Quishing
As QR codes become more integrated into everyday transactions, the risk of quishing is likely to grow. Cybercriminals are constantly looking for new ways to exploit digital tools, and as long as QR codes remain popular, they will continue to be a target. It is crucial for businesses and individuals to remain vigilant, understand the risks, and adopt security practices that minimize exposure to these types of threats.
Quishing is an emerging threat that exploits the convenience of QR codes. By understanding how it works and taking the necessary precautions, users can enjoy the benefits of QR codes without falling victim to phishing attacks. As technology continues to evolve, staying informed and proactive will be key to maintaining security.
Until next time, find me where the good guys are!