What Is Quishing And How Does It Work? | Cantium
Skip to content
Cantium logo with the word 'Cantium' in white and a lime green circle surrounding it.

As cyber threats continue to evolve, cyber security threat researchers are reporting that a new security risk has appeared in the form of email-based ‘quishing’ attacks, also known as QR code phishing.

This deceptive technique involves manipulating individuals into scanning QR codes using their mobile phones, leading them to fraudulent websites where malware can be downloaded, or sensitive information solicited from them.

In this article, we delve into the workings of quishing attacks, how QR codes play a crucial role, and the various scenarios where these scams are prevalent.

What are QR Codes and Their Functionality?

Before we explore quishing, it’s important to understand what QR codes are and how they function. A QR code, short for quick response code, is a type of square barcode designed to be scanned by compatible mobile device cameras.

When scanned, QR codes commonly direct users to webpages, but they can also trigger actions such as initiating a phone call, sending a text message, or facilitating digital payments. Therefore, you could encounter QR code scams in emails, text messages, signage, direct mail, and even in person from criminals posing as government employees.

The COVID-19 pandemic inadvertently contributed to the surge in use of QR codes, and therefore, quishing attacks. As businesses sought contactless solutions, QR codes gained widespread adoption. For instance, restaurants began using QR codes to link customers to online menus instead of providing physical copies. Similarly, digital wallets relied on QR codes for secure and contactless payments. As society embraced QR codes in various aspects of daily life, cyber criminals saw an opportunity to exploit unsuspecting users through quishing.

Though many quishing attacks target individuals, organisations and their employees are also at risk. Email-based QR phishing campaigns are particularly concerning for businesses and cyber criminals may exploit this method to target business accounts, seeking to steal credentials or distribute malware throughout your IT network.

The Latest Quishing Threats Unveiled: How Cybercriminals Exploit QR Codes

Recent observations by cyber security threat researchers and analysts reveal a surge in email-based quishing activities, indicating a concerning trend. Most notably, a large-scale and dynamic QR code phishing campaign that poses significant risks to both individuals and enterprises.

Cyber researchers first caught wind of a sophisticated QR code phishing campaign that centres around a Word document attached to suspicious emails. The campaign involves luring recipients with promises of a government-funded subsidy from the Chinese Ministry of Finance. However, the document has been created by malicious actors.

Upon opening the Word document, victims are presented with Chinese text and a QR code. The email instructs them to scan the QR code using their mobile devices, supposedly to access an application form for claiming the promised subsidy.

The QR code is a way to force a user to move from a desktop or laptop to a mobile device, which might have weaker anti-phishing protections. And in reality, the QR code leads unsuspecting users to a fraudulent website designed to extract their sensitive personal and financial information.

This quishing campaign exhibits remarkable adaptability with its numerous ‘lures’ and email domains, indicating its longevity and large-scale impact. One such variation involved emails perceived to be from a parcel delivery service, with notifications asking users to make payments via QR codes.

While the primary focus of this campaign seems to be on individual victims, the implications for enterprises cannot be ignored. Cyber criminals can exploit the use of QR codes to bypass email security gateways, which often scan for URLs instead of barcodes. Which means that they could target business accounts to steal valuable login credentials.

However, the threat posed by QR code phishing extends beyond soliciting financial information. They can also be used to distribute mobile malware and steal information from users’ mobile devices.

Another common scam with a recent surge in victims involves sticking fraudulent QR codes on parking meters to trick drivers into sharing financial credentials when they try to pay for parking.

How to Prevent Quishing Attacks: Tips for Safeguarding Against QR Code Phishing

With the increasing sophistication of cyber threats, individuals and organisations must take proactive measures to safeguard themselves. Implementing strong anti-phishing protections and exercising caution while scanning QR codes from unknown sources are crucial steps to mitigate the risks posed by quishing attacks.

  1)   Educate Your Users

The first line of defence against quishing attacks is a well-informed user base. Organisations should prioritise security awareness training that educates employees and individuals about the risks posed by QR code phishing and how to recognise potential threats.

  2)   Exercise Caution with QR Codes

To minimise the risk of falling victim to quishing attacks, we must all be cautious when scanning QR codes. Follow these best practices:

  • Never scan a QR code from an unfamiliar or untrusted source. Only scan codes from reputable and recognised entities.
  • If you receive a QR code via email from a trusted source, verify its authenticity through a separate medium, such as a text message or voice call.

  3)   Recognise Phishing Indicators

Stay alert for the classic signs of phishing campaigns. Be cautious if you encounter emails with a sense of urgency or that evoke strong emotions, such as sympathy or fear, as they might be attempts to manipulate you.

  4)   Scrutinise QR Code URLs

Before opening a QR code, thoroughly review the preview of its URL to ensure legitimacy. Consider the following:

  • Verify that the website URL begins with “HTTPS” instead of “HTTP,” indicating a secure connection.
  • Watch out for obvious misspellings or unusual characters in the URL, as they may indicate a fraudulent site.
  • Ensure that the domain belongs to a reputable and trusted entity, and is the one that you intended to visit when scanning the code.
  • Do not click on unfamiliar or shortened links, as they might lead to malicious websites.

  5)   Guard Your Personal Information

Be cautious when a QR code directs you to a site that requests personal information, login credentials, or payment details. Legitimate entities typically do not require such data through QR codes.

  6)   Implement Strong Password Hygiene

Protect your email account by practising good password hygiene. Change your email password frequently and avoid using the same password for multiple accounts. This reduces the risk of unauthorised access to your sensitive information.

Preventing QR code phishing requires a collective effort to ensure that our digital interactions remain safe and protected. You should also educate your friends and family that might not know that this is a thing and might be a problem going forward.

Please share our advice with them and remember that you should protect yourself in your work and home life.