“Quishing” – The Emerging Threat of Fake QR Codes

QR codes have revolutionized digital interactions, offering quick access to websites and services and adding a layer of security to many apps. These quick and seemingly innocent codes are everywhere — however, their widespread use has made them a prime target for scammers. The corruption QR codes leaves everyone vulnerable. However, there are simple methods to protect against this threat.

What Is “Quishing”?

In quishing attacks, scammers use fake QR codes to redirect people to fraudulent websites when the code is scanned. This enables the criminal to download information and profiles from the unsuspecting victim. The codes can also initiate malware downloads and steal login credentials or financial information.

Most people are familiar with the advice of not clicking on unfamiliar links or logging into suspicious websites. However, the QR code still embodies a sense of trust along with the idea that the code is incorruptible. Because these scannables are part of daily life for many — especially after the pandemic’s coded and contactless exchanges — they aren’t scrutinized as closely, creating an ideal vector for an attack.

Common Quishing Techniques

Several “quishing” techniques have been noted by cybersecurity researchers:

1. QR as email attachments: Criminals embed fake QR codes in emails, attachments, invoices, and other documents. The aim is to trick the recipient into believing that scanning the QR code provides essential business information, but instead, it creates a link that captures personal information.
2. Fraudulent QR code prints: QR codes enable people to order tickets at movie theaters and access restaurants’ menus, to name some of their uses. Scammers replace these with their version, which seems perfectly harmless.
3. Social pressure: During festive seasons, shoppers seek the best discounts, and a QR code may be promoted as part of a last-minute deal. This can be used as a social engineering scheme, convincing them to trust links and codes.

Dangers of Quishing

Quishing can bypass traditional security measures since most antivirus software can’t read QR codes, hiding the malware from their scans. Falling victim to these scams can result in serious repercussions:

• Financial loss: Scanning a QR code can redirect a person to a fake payment page, which instantly transfers money to the scammer’s account via an untraceable transaction. Businesses that rely on scannable codes to process payments are especially vulnerable to this type of fraud.
• Data breaches: The biggest motivation for using quishing is to acquire financial and personal information. By entering credentials after scanning, the scammer can use this information to make other purchases, log into accounts and transfer money.
• Malware downloads: Whether a person is directly or professionally compromised, a fake QR code can trigger a download of malware or ransomware like the FluBot attack that targets phones, which gives scammers access to corporate systems and sensitive data. When this information is compromised, it can have severe financial and legal repercussions.

Quishing 2.0 — What’s Next?

Scammers are innovative, and their latest version of quishing — quishing 2.0 — uses multiple layers to bypass security, combining fake sites and legitimate services. Several legitimate-seeming methods are included in quishing 2.0, each leveraging trusted systems to hide malicious intent:

• Email impersonation: Simply looking for trusted logos is insufficient protection. For example, an email that seems to come from a legitimate source, such as a bank. However, a closer examination of the domain will reveal that it is spoofed. These emails contain a false QR code, insisting that the recipient scan it to verify identity.
• Layered redirects: Knowing users are wary, the link may direct a person to legitimate services such as Me-QR — a reliable QR-scanning service. Using legitimate services and platforms like Sharepoint adds a layer of authenticity, making the scam more believable.
• The final step: The last redirect sends a person from legitimate sites to a fake login page or a phishing site, where scammers steal credentials.

Defending Against Quishing

How can you protect your business and staff from quishing? The first step is to stay informed. Other ways to defend against these malicious scammers include the following.

Staff Training

Regularly train employees to recognize suspicious QR codes and know what the risks are in scanning these. Include information about how to verify whether a code is legitimate, and how to identify the source of the code.

Multi-Factor Authentication (MFA)

Ensuring that your MFA is up-to-date and secure is still the best way to add a critical security layer to your information. Even if scammers get some of it, they won’t have access to critical accounts or data without the final layers of protection.

Advanced Email Security Systems

While legacy anti-malware may not detect malicious QR codes, advanced email security solutions can verify URLs and embedded QR codes using dynamic URL analysis and advanced detection methods. They also use computer vision to protect against phishing elements, which helps block multi-layer attacks like quishing 2.0.

Bolstered Physical Security

Check the authenticity of QR codes in kiosks and cafeterias. Avoid scanning a QR code in a public space if you cannot guarantee its safety.

Protect Your Organization From Quishing

The best practices for protection include:

• Verify authenticity by visually inspecting the URL associated with a QR code before scanning it.
• Avoid QR transactions and use manual logins instead.
• Report suspicious activity or phishing attempts immediately.

Keeping Your Company Quishing-Safe

Quishing is the latest frontier of phishing attacks, using the trust and convenience of QR codes. By staying at the forefront of cybersecurity, you can keep your detection methods current and your staff informed while fostering a culture of awareness and alertness. 

About the Author

Dylan Berger has several years of experience writing about cybercrime, cybersecurity, and similar topics. He’s passionate about fraud prevention and cybersecurity’s relationship with the supply chain. He’s a prolific blogger and regularly contributes to other tech, cybersecurity, and supply chain blogs across the web.

Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Tripwire.