Jan 05 2024

What Is Quishing, and How Can You Defend Against It?

Organizations are becoming increasingly susceptible to QR code scams, aka QR code phishing. Here’s why these attacks are on the rise and how to protect yourself from them.

There was a distinct moment during the COVID-19 pandemic when QR codes exploded. They were wedged between couples at restaurants, plastered on checkout counters and store shelves, and rolled out at hotels, office building check-in points and airports. QR codes were game changers because they enabled people to get information in a contactless way.

The sleek square codes offered users a safe, fast and frictionless experience, providing a gateway from the physical to the digital. By reducing the gap between humans and machines, a goal since the computer revolution, QR codes hold unique power.

Fast-forward a few years, and now their mass adoption has also made them targets of QR code phishing scams, also known as quishing. According to a recent study from ReliaQuest, there was a 51 percent increase in QR code phishing in September 2023 compared with January through August of that year, and the trend has only continued.

In these scams, users will scan a fraudulent barcode and be brought to a web page that may steal, scrub or ask for their personal information. Seemingly innocuous, the QR code is a cybercriminal’s ideal bait to trap victims. To defend against quishing, businesses can routinely update their passwords, install anti-malware software and use threat intelligence services. It’s also critical to educate teams on trusted sources and how to spot a fake QR code.

DISCOVER: The cybersecurity solutions and services that can help your business.

What Is the History of the QR Code?

QR codes date back to 1994 and were invented by the Japanese company Denso Wave. QR stands for “quick response” — the codes were created with a focus on high-speed reading and the ability to store a large amount of information. The codes were initially used by the auto industry for electronic kanban and later adopted by food, pharmaceutical and contact lens companies, among others, to control their merchandise and improve production efficiency.

One crucial factor that contributed to the widespread use of QR codes was Denso Wave’s decision to make the specifications of the QR code publicly available without exercising patent rights, so the technology could be used by as many people as possible.

By the early 2000s, “marketers latched onto QRs as a way to easily send people to landing pages and specific web content,” writes Ira Gostin, partner at G8 Consulting, in Forbes. Soon after, they faded into obscurity, only to be revived again in 2020 during the pandemic. QR codes have since held their popularity and are now used in retail, marketing, logistics and digital payments.

READ MORE: Smishing vs. Phishing vs. Vishing: What’s the Difference?

How Does a Quishing Attack Work?

In a quishing attack, cybercriminals use QR codes to deceive people into visiting malicious websites or downloading rogue applications. To do this, hackers create a fake QR code that mimics a legitimate one.

Users are then redirected to a malicious website or prompted to download a rogue application, believing it’s from a trusted source. Then they are prompted to fill out personal information such as credit card details or login credentials.

According to Matthew Tyson in CSO, the “precipitous rise” in QR code phishing campaigns in 2023 happened in part because they are simple to use — and hack. “It is easy for attackers to use free resources to generate convincing QR code enabled phishing emails, attachments, and websites — a mechanism that can increase the effectiveness of their efforts with minimum effort,” he writes.

Quishing is a serious concern because users cannot easily differentiate between genuine and malicious QR codes. The codes can also bypass security systems because they read as a single image with no suspicious text.

Whether it’s stealing private information or using the web page to load malware onto a device, users should watch out for QR code email scams, payment scams, package scams, donation scams and investment scams.

LEARN MORE: Set up stronger multifactor authentication at your organization.

How Can You Detect a Quishing Attack?

The Federal Trade Commission issued a recent warning that scammers are hiding harmful information in QR codes, and though some are in plain sight, others are almost impossible to spot. So, detecting a QR phishing scam requires keen observation.  

Here are some tips and techniques to stay alert:

Scrutinize the QR code itself. Watch for unusual designs, pixilation or errors in the code structure. This can include letters or symbols written in tiny font between the square barcodes.

Verify the source. Legitimate businesses usually embed QR codes on their official websites or materials, not in unsolicited emails or messages.

RELATED: Read up on the practical advantages of password managers.

Assess the degree of urgency and emotional tone. A sudden or unprompted request for personal information is most likely a sign of a quishing attack. These scams also tap into emotion to elicit a fast response, so consider whether the message expresses a sense of fear, curiosity or greed

Always check the URL before scanning. If it appears random or doesn’t match the supposed sender, it could be fraudulent. Typically, users can see a preview of the link before clicking as their cameras scan over the code.

Be cautious of QR codes asking for sensitive info or prompting auto-downloads. Genuine codes generally direct to a website for information rather than requesting personal data up front.

Examine the permissions requested by the linked site after scanning. A reputable site won’t ask for unnecessary access.

Click the banner below to unlock exclusive security content on BizTech.com.

How Can You Protect Your Organization from Quishing?

The best way to stay protected against quishing attacks is to think before you click (or scan).

Users should also trust their gut. If something feels off or too good to be true, trust your instincts and proceed cautiously.

The federal Cybersecurity and Infrastructure Security Agency and the National Security Agency also recommend these strategies to enhance your organization’s resilience against quishing attacks:

Conduct regular employee training to educate staff on how to recognize and avoid phishing attacks, highlighting the importance of not clicking on suspicious links or downloading attachments from unknown sources. This includes discussing prevention methods and cybercriminals’ latest tactics.

Deploy a spam filter to keep emails from suspicious sources from reaching employees’ inboxes.

Keep all systems updated with the latest security patches, deploy an anti-virus solution and monitor its status on all equipment.

UP NEXT: How to detect and prevent a “man in the middle” attack.

Deploy a web filter to block malicious websites, and implement phishing-resistant multifactor authentication for further protection.

Develop a security policy that includes good password hygiene.

It only takes one successful phishing attack to compromise your network and steal your data, so it’s crucial that organizations stay vigilant, follow these steps and educate themselves on the risks.

Koonsiri Boonnak/Getty Images

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.