Beware the humble QR Code: Protecting Your Business from Quishing Attacks
Learn how to protect your business from quishing attacks by understanding the risks of malicious QR codes and implementing effective security measures.
In an age where convenience and efficiency are paramount, QR codes have become ubiquitous. They are used for everything from accessing restaurant menus to making payments. However, this convenience comes with a hidden danger: QR code phishing, also known as "quishing."
The Rising Threat of QR Code Phishing
Phishing remains the number one attack vector for malicious actors, with a significant share of attacks originating from compromised supply-chain email accounts and account takeovers (ATO). Over half of cyber security leaders are stressed about attacks originating from these compromised accounts. QR code phishing — or “quishing” — is a modern twist on this classic threat. Quishing attacks manipulate users into revealing personal and financial information or downloading malware hidden behind malicious QR codes. These attacks can bypass traditional secure email gateways and target users' less secure mobile devices.
How Quishing Works
A typical quishing attack begins either with a phishing email containing a malicious QR code embedded in a PDF or image file, or with a malicious QR code placed in the physical world. Because the link is encoded in an image rather than written as text, a QR code in an email can slip past filters that only scan message text and hyperlinks, allowing the email to reach the user’s inbox without being flagged. Once scanned, the QR code can direct users to a phishing site designed to steal sensitive information or infect their devices with malware.
The Impact of Generative AI
Generative AI is exacerbating phishing threats, enabling attackers to develop more sophisticated phishing emails and malware. Sixty-three percent of cyber security leaders are concerned about deepfakes, and 61% worry about AI chatbots being used to create phishing campaigns. This advancement increases the complexity and frequency of threats like QR code phishing, making it even more critical for businesses to stay vigilant.
Real-World Impact
The consequences of falling victim to a quishing attack can be severe. Cybercriminals can gain access to confidential information, such as payment details, which can be used for fraudulent purposes. This can damage an organisation’s reputation, cause financial losses, and disrupt operations. According to the Egress report, 96% of organisations experienced negative impacts from phishing attacks, including financial loss from customer churn and employee turnover.
Recognising and Mitigating the Risk
To protect your organisation from quishing attacks, being vigilant and proactive is essential. Here are some common signs of malicious QR codes and steps to mitigate the risk:
- Unusual Sources: Just as you wouldn’t trust an email from an unusual source, be cautious of QR codes from sources you aren’t 100% sure of. This could include flyers or unsolicited emails.
- TGTBT (Too Good To Be True): Scammers often promise amazing discounts or prizes to lure people in. If it sounds too good to be true, it probably is.
- Complex URLs: Look at the URL the QR code points to. Genuine codes will usually lead to simple URLs (e.g., yoursite.com/qr-code). If the URL is excessively long or contains strange characters, proceed with extreme caution.
- Misspelling: Serious companies pay attention to details. You wouldn’t trust an email with poor grammar or misspelt words, so treat QR codes the same way.
- Stickers: Flyers with QR codes that have had new codes stuck on are a massive red flag. Scammers will often try to ‘hijack’ legitimate QR codes. Legitimate companies will invest in dynamic QR codes, meaning they can redirect the QR code to another page if necessary, rather than having to print a sticker to cover an old QR code.
- Asking too much? Be wary of QR codes that ask for payment information or excessive personal information or permissions (e.g., access to your camera, microphone, contacts, or location). If you’re asked for payment info, make sure you’ve used a trusted URL to access the payment portal; type the URL manually rather than scan a QR code.
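As an added example (not code from the original post or from Cyberlogic), the following Python function applies the “Complex URLs” and “Asking too much?” checks above to a QR payload that a mail gateway or helpdesk has already decoded to a string; the decoding step, the scoring thresholds and the shortener list are assumptions, and the sample payloads are constructed.

```python
import re
from urllib.parse import urlparse

# Assumption: the QR image has already been decoded (e.g. by a zbar/ZXing step);
# this function only triages the resulting string. Lists are illustrative, not exhaustive.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}
SENSITIVE_WORDS = ("login", "verify", "payment", "invoice", "password", "mfa")


def triage_qr_url(payload: str) -> tuple[int, list[str]]:
    """Score a decoded QR payload; returns (score, reasons). Higher is more suspicious."""
    reasons: list[str] = []
    url = payload.strip()
    has_scheme = "://" in url
    parsed = urlparse(url if has_scheme else "http://" + url)
    host = (parsed.hostname or "").lower()
    if has_scheme and parsed.scheme not in ("http", "https"):
        reasons.append(f"non-web scheme '{parsed.scheme}' (may open an app instead of a page)")
    elif has_scheme and parsed.scheme == "http":
        reasons.append("plain http, no TLS")
    if len(url) > 120:
        reasons.append("excessively long URL")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address as host")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (IDN) host, possible look-alike domain")
    if host.count(".") >= 4:
        reasons.append("many subdomain levels")
    if host in SHORTENERS:
        reasons.append("URL shortener hides the final destination")
    if re.search(r"%[0-9A-Fa-f]{2}", url) or "@" in parsed.netloc:
        reasons.append("percent-encoding or '@' userinfo in URL")
    path_q = (parsed.path + "?" + parsed.query).lower()
    if any(word in path_q for word in SENSITIVE_WORDS):
        reasons.append("credential/payment keyword in path or query")
    return len(reasons), reasons


def verdict(payload: str) -> str:
    """Map the score to a gateway action (thresholds are an assumption)."""
    score, _ = triage_qr_url(payload)
    return "block" if score >= 3 else "review" if score >= 1 else "allow"


if __name__ == "__main__":
    # Constructed sample payloads, not real indicators.
    for sample in ("https://yoursite.com/qr-code",
                   "http://192.168.0.1/secure-login/verify?acct=%40user"):
        print(verdict(sample), triage_qr_url(sample))
```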
Enhancing Security Measures
Organisations should take several steps to enhance their security posture against quishing attacks:
- Employee Training: Educate employees about the risks associated with QR codes and how to recognise suspicious ones. Regular security awareness training can significantly reduce the risk of successful attacks.
- Advanced Security Tools: Utilise advanced security tools that offer real-time protection capabilities. These tools can detect and neutralise phishing attacks, including those involving QR codes before they reach users' inboxes. For personalised recommendations on the best tools or services to meet the specific security needs of your business, reach out to our CyberForensics team for expert guidance.
- Centralised Management: Implement a centralised platform for managing security operations. This can help IT admins and SOC teams make contextualised decisions, tag suspicious emails, quarantine threats, and take remedial actions efficiently.
Broadened Threat Landscape
Email security risks have expanded beyond traditional email to include collaboration tools, underscoring the need for comprehensive security measures. Organisations must adapt to this broadened threat landscape by embracing integrated cloud email security solutions. 87% of organisations are moving towards these solutions to address the limitations of traditional secure email gateways.
As QR code phishing becomes more prevalent, businesses must stay informed and prepared. By understanding the tactics used in quishing attacks and implementing robust security measures, organisations can protect their sensitive information and guard against operational disruptions. Remember, vigilance and proactive measures are vital to staying ahead of cybercriminals in this ever-evolving threat landscape.
For more information on protecting your business from cyber threats, visit Cyberlogic's website or email us at hello@cyberlogic.co.za.
Source: 2024 Egress Report