Tackling the Rising Quishing Threat

Quishing is a variation on traditional phishing attacks and has the aim of duping targets into downloading malware or enter their credentials/personal information.

Instead of sending emails containing malicious attachments or links, however, the message will embed a QR code, which, if scanned, will typically take victims to a website that appears to be a trusted service application. This page will entice the user to download a malicious file or enter their credentials.

Quishing attacks offer a number of advantages over traditional phishing messages for cybercriminals. These are:

• Quishing emails are more likely to bypass traditional security filters as there is no embedded link or malicious attachment to scan
• Employees are forced away from corporate machines to personal devices, such as a mobile phone, to scan the QR code. These devices won’t be protected by corporate security software
• Users are more likely to fall for QR code scams as they don’t contain the spelling and language errors that are commonly present in phishing messages
• Quishing attacks can take place in physical locations as well as digitally. For example, scammers have reportedly fixed fake QR codes on locations like tables in pubs and parking ticket machines to direct customers to malicious websites

Organizations and governments must ensure that the public are educated on the threat of quishing and how to avoid such attacks. This training should cover:

• Avoid scanning QR codes received through unsolicited messages or from unknown sources
• If a QR code is received from a trusted source, try and confirm its legitimacy via a separate medium, such as text message
• Check for the usual signs of social engineering in the email, such as a sense of urgency
• Don’t download unknown applications from QR codes, as they could contain malicious software
• Look out for extra characters or unfamiliar addresses in any URL scanned from the QR code
• Be cautious if a QR code takes you to a website that requests personal information, login credentials or payment details
• In a public place, look out for signs of tampering, such as a QR code pasted over an existing one, or design inconsistencies

Organizations should also seek to update their email scanning and filtering tools to those capable of detecting and blocking malicious messages containing QR codes.

This is a topic that end user organizations should be discussing with their email security vendors, to ensure there are mechanisms in place to detect such messages and prevent them reaching employees.

Email defenses have improved significantly in recent years, forcing attackers to shift away traditional phishing techniques.

As is often the case, however, attackers are evolving their tactics to overcome better security practices. One such approach is the rising use of quishing, which many email filtering tools are currently not set up to detect.

Organizations must now recognize this growing threat and take action to mitigate it, including demanding the cyber industry adapts its product offerings accordingly.