QR Code Phishing (Quishing)

What is QR Code Phishing?

QR code phishing, also known as quishing, is a type of cyberattack that involves tricking someone into scanning a malicious QR code.


A QR code is a square-shaped, two-dimensional barcode image. It consists of black squares arranged on a white background in a grid pattern.

Each QR code contains a unique pattern that encodes information. When someone points their smartphone or tablet camera at the grid pattern, their mobile device will automatically scan the QR code and display the information.

The widespread use of QR codes for two-factor authentication (2FA) and mobile point of sale transactions after COVID-19 has led many people to think that QR codes are inherently safe.

Cybercriminals have observed this change in user behavior and are exploiting it to conduct phishing attacks that distribute malware, steal login credentials, execute financial fraud, and facilitate other types of cybercrimes.

Phishing and Email

Phishing exploits are most often conducted through email because the delivery method is convenient, inexpensive, and facilitates mass distribution. Essentially, the malicious actor creates a bogus email that appears to be legitimate and sends it out in bulk, hoping to catch a victim.

Phishers know that statistically, a certain percentage of the email’s recipients are likely to open it, and a certain percentage of those people will assume the email is legitimate and complete the email’s call to action.

Typically, this involves having the victim click on a malicious link that will download malware or send them to a bogus web page that has another call to action.

Over the last ten years, users have become more aware of phishing tactics, and artificial intelligence (AI) has helped email filters get better at blocking emails that have suspicious links.

Consequently, some security administrators hoped that with enough cybersecurity awareness training, phishing could be managed.

And then along came COVID-19.

QR Codes and COVID-19

QR codes, with their quick and contactless nature, provided people with a convenient way to access information and engage with point of sale (POS) services during COVID lockdowns.

Unfortunately, this convenience also attracted phishers. It wasn’t long before bad actors figured out that people’s increasing comfort with QR codes could be exploited.

Almost as soon as QR codes became a common way to view a menu or pay for lunch, spear phishers, whalers, and other phishers began to use the technology to ensure their carefully crafted phishing emails made it through email filters and actually got delivered.

Most email security systems focus on analyzing text-based content in emails to detect phishing attempts. Interpreting images like QR codes is a more complex process that requires image recognition technology and optical character recognition (OCR).

As long as the attacker hid their malicious link in a QR code image, the odds increased that their phishing email would reach the intended targets. And thanks to COVID, the odds increased that the targets would scan the email’s QR code and follow the code’s malicious URL.

How QR Code Email Phishing Works

QR code email phishing works the same way as regular email phishing, except that the attacker turns their malicious link into a QR code image that can be pasted into a phishing email or sent as an email attachment.

The process of converting a link into a QR code requires no special technical skills and literally costs nothing. Anyone who has internet access can query “free QR generator” and create a QR code in seconds.

QR Code Phishing Examples

QR code phishing is effective because it exploits the convenience of QR codes and the trust people have in them.

In May 2023, the email security firm Cofense observed a robust QR code phishing campaign that targeted Microsoft users in a wide array of industries. Essentially, the victims received an official-looking email that told them their password was about to expire. They were then instructed to scan a bogus QR code to change their password.

In August 2023, the United States Federal Trade Commission (FTC) warned citizens about a QRjacking scam involving QR codes on parking meters. In this case, the scammers were covering up legitimate QR codes with stickers that displayed malicious QR codes. The FTC advised consumers to be cautious when paying for parking using QR codes and to look for signs of tampering on the meter before scanning any codes. They also suggested using alternative payment methods if possible.

In September 2023, the United States Federal Bureau of Investigation (FBI) warned citizens about the dangers of quishing and shared that they had been receiving reports about QR phishing since 2022.

QR Code Phishing Prevention

Until very recently, most email filters were unable to scan images. That is beginning to change with the integration of advanced machine learning (ML) and artificial intelligence technologies in email security systems.

Some systems can now detect suspicious or harmful content within images. However, it’s important to note that the sophistication and capabilities of such systems can vary widely, and many email filters do not have any image-scanning capabilities.

In today’s cyber environment, it’s really up to people to be vigilant and cautious whenever they encounter a QR code.

  • If you believe a QR code in an email or text is from someone you know, reach out to them through a known phone number or email address to verify that the code is from them.
  • If the QR code is from a company, locate the company’s phone number through a trusted site rather than a number provided in the email.
  • Most mobile device cameras provide a preview of the code’s destination URL. If the link looks suspicious, unfamiliar, or unrelated to the expected content, it’s safer not to proceed. If it looks like a URL you recognize, make sure it’s not spoofed — look for misspellings or a switched letter.
  • If the QR code is on a physical medium (like a poster or flyer), look for signs of tampering. If it appears that one sticker has been placed on top of another sticker, don’t scan the code.
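The URL preview described in the third point above is also the point at which an email gateway that can decode QR images gets something it can inspect, as the section on text-only filters notes. The following is an added example, not code from the article or from any product it mentions: a small stdlib-only Python triage that takes the decoded destination URL and applies the checks a cautious reader would make by eye. The allowlist in EXPECTED_DOMAINS, the digit-for-letter table in HOMOGLYPHS, and the two-label approximation of a registrable domain are all assumptions made for the example (a real gateway would use its own allowlist and the public suffix list). It goes slightly beyond the bullet by also flagging a brand name used as a subdomain of some other site and a brand name placed before an "@" in the URL, two common ways a familiar-looking address is spoofed.

```python
"""Triage the destination URL previewed by a phone camera (or decoded by an
email gateway) before anyone follows a QR code. Standard library only."""
from urllib.parse import urlsplit

# Constructed allowlist of domains a QR code in this organisation's mail is
# expected to point at (assumption for this example, not from the article).
EXPECTED_DOMAINS = ("login.microsoftonline.com", "microsoft.com", "example-parking.com")

# Digit-for-letter swaps that are common in lookalike hostnames (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings: catches a dropped, added or switched letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. A real gateway would consult the public
    suffix list; this approximation is an assumption that keeps the example
    self-contained."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_expected(host: str) -> bool:
    """True when the host is an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)


def check_qr_url(url: str) -> dict:
    """Return the host, a verdict ('expected', 'lookalike' or 'unrelated')
    and a list of human-readable findings for the decoded QR destination."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # urlsplit lowercases the host
    findings = []

    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme or 'missing'}, not https")
    if parts.username is not None:
        # https://microsoft.com@evil.example/ shows a brand before the '@',
        # but the browser connects to the host after it.
        findings.append(f"credentials in URL; the real host is {host}")
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalised host name; letters may be homoglyphs")

    if is_expected(host):
        return {"host": host, "verdict": "expected", "findings": findings}

    reg = registrable_domain(host)
    # A known brand used as a subdomain of some other registrable domain.
    for brand in EXPECTED_DOMAINS:
        if f".{brand}." in f".{host}.":
            findings.append(f"{brand} appears inside the host, but the site is {reg}")
            return {"host": host, "verdict": "lookalike", "findings": findings}

    # Misspellings and switched letters: compare the registrable domain, with
    # digit-for-letter swaps undone, against each allowlisted domain.
    normalised = reg.translate(HOMOGLYPHS)
    closest = min((registrable_domain(d) for d in EXPECTED_DOMAINS),
                  key=lambda d: levenshtein(normalised, d))
    distance = levenshtein(normalised, closest)
    if distance <= 2:
        findings.append(f"{reg} resembles {closest} (distance {distance} after normalisation)")
        return {"host": host, "verdict": "lookalike", "findings": findings}
    findings.append(f"{reg} is unrelated to any expected domain")
    return {"host": host, "verdict": "unrelated", "findings": findings}


if __name__ == "__main__":
    # Constructed sample previews, as a phone camera or a mail gateway would show them.
    for sample in ("https://login.microsoftonline.com/reset",
                   "https://micros0ft.com/reset",
                   "https://microsoft.com.verify-account.example/",
                   "http://microsoft.com@evil.example/login"):
        result = check_qr_url(sample)
        print(result["verdict"], sample, result["findings"])
```

The verdict is deliberately coarse: anything other than "expected" is a reason to stop and verify through a known phone number or a trusted site, exactly as the list above advises. The edit-distance threshold of two is an assumption; it catches one dropped or added letter and one switched pair, which is what the preview-by-eye check is looking for, without flagging every short domain as a lookalike of another.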

And, of course, the best advice is to stay informed about the latest social engineering and phishing techniques – and share this knowledge with friends and family, especially those who might be less tech-savvy.


Margaret Rouse

Margaret Rouse is an award-winning technical writer and teacher known for her ability to explain complex technical subjects to a non-technical, business audience. Over the past twenty years her explanations have appeared on TechTarget websites and she's been cited as an authority in articles by the New York Times, Time Magazine, USA Today, ZDNet, PC Magazine and Discovery Magazine. Margaret's idea of a fun day is helping IT and business professionals learn to speak each other's highly specialized languages. If you have a suggestion for a new definition or how to improve a technical explanation, please email Margaret or contact her…