
Quishing: The Threat of QR Code Phishing

Congruity IT

In the ever-evolving landscape of cyber threats, a particularly insidious tactic has emerged: quishing. Short for "QR code phishing," quishing exploits the widespread use of QR codes to deceive unsuspecting victims. This cyber attack leverages QR codes to lead users to malicious websites or trick them into revealing sensitive information. As QR codes become more prevalent in our daily lives, understanding the risks associated with quishing is crucial to staying safe online.


How Quishing Attacks Are Made


QR codes have become ubiquitous in our modern world, used for everything from accessing websites and making payments to accessing digital menus and event registration. Their convenience and ease of use have made them a popular choice for businesses and consumers alike. However, this widespread adoption has also made them an attractive target for cybercriminals looking to exploit unsuspecting users.


Quishing attacks have increased dramatically, with some security researchers reporting an increase of more than 400% in 2023 alone. These attacks can take several forms, including:


  • Impersonation: Attackers create QR codes that resemble legitimate ones, often using trusted brand logos or disguising URLs to mimic reputable sites.

  • Social Engineering: Cybercriminals craft messages that incite urgency, curiosity, or fear to encourage individuals to scan the QR code without questioning its legitimacy.

  • Malware Delivery: Scanning a malicious QR code can lead to the download and installation of malware onto the victim's device, providing the attacker with unauthorized access and control.

  • Data Harvesting: By directing victims to fake login pages, attackers can steal credentials and personal information for identity theft or further attacks.


Hackers employ various methods to execute quishing attacks, one of which involves placing deceptive QR codes on physical objects in public spaces. For example, the Federal Trade Commission (FTC) has received reports of hackers covering QR codes on parking meters with stickers that redirect users to fake websites designed to steal personal information. In this scenario, unsuspecting individuals scanning the QR codes are directed to phishing sites that mimic legitimate ones, tricking them into divulging sensitive information.


Of course, email is still the favorite attack vector of hackers and is the perfect medium for attacks using QR codes to gain access to user credentials. Consider these two images, which used a QR code to redirect users to fake sites.







How to protect yourself and your organization


The sure way to protect yourself is to avoid using QR codes. In the examples above you can manually visit the website instead of scanning the code.


  1. Use common sense: if you receive an email you did not expect, such as the password resets above, consider it fake until you prove otherwise.

  2. Verify the source: before scanning a QR code, ensure it is from a trusted source. Avoid scanning codes that appear tampered with or placed in suspicious locations.

  3. Use a reputable QR code scanner app that provides security features, such as URL preview or blocking malicious URLs. If the URL doesn’t go where you expect, don’t open it.

  4. When dealing with QR codes in emails, make sure the sender is correct. Most phishing emails will be from a fake domain.

  5. Be cautious of shortened URLs. If a QR code leads to a shortened URL, consider using a URL expander tool to reveal the full link before visiting the site.

  6. Ensure your device's operating system and apps are updated regularly to protect against known vulnerabilities.

  7. Whenever possible, enable 2FA on your online accounts to add an extra layer of security.
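
The URL checks from tips 3 and 5 can be applied to the text a scanner previews before anything is opened. The following is an added example, not code from Congruity IT: the function name `review_qr_url`, the shortener list and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit
import ipaddress

# Assumption: a small illustrative set of URL-shortener hosts; extend for real use.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly"}

def review_qr_url(url, expected_domain):
    """Return warnings for a URL decoded from a QR code.

    expected_domain is the site the reader believes the code belongs to.
    An empty list means none of these checks fired, not that the URL is safe.
    """
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        warnings.append("not-https")
    if not host:
        return warnings + ["no-host"]
    if parts.username or parts.password:
        # Text before "@" is login data, not the site being visited.
        warnings.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-literal-host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")  # may render as a look-alike name
    if host in SHORTENERS:
        warnings.append("shortened-url")  # expand before visiting (tip 5)
    expected = expected_domain.lower().rstrip(".")
    if host != expected and not host.endswith("." + expected):
        warnings.append("host-mismatch")  # preview goes somewhere unexpected (tip 3)
    return warnings

if __name__ == "__main__":
    # Constructed sample URLs, as a scanner preview might show them.
    samples = [
        "https://parking.example.com/pay?zone=12",
        "https://bit.ly/3abcd",
        "http://192.0.2.10/login",
        "https://parking.example.com.pay-secure.example.net/login",
        "https://parking.example.com@pay-meter.example.net/",
    ]
    for s in samples:
        print(s, "->", review_qr_url(s, "parking.example.com") or "no warnings")
```

The fourth and fifth samples show why the preview has to be read to the end of the hostname: the trusted name appears at the start of the URL, but the browser connects to a different host.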


Conclusion


The rise of quishing attacks highlights the importance of staying vigilant and taking proactive measures to protect yourself online. By following these tips and partnering with a trusted MSP like Congruity IT, you can help safeguard your business against the growing threat of cyber attacks.  


At Congruity IT, we understand the importance of protecting your business from cyber threats. As a hassle-free managed service provider (MSP), we offer comprehensive cybersecurity solutions designed to safeguard your organization's data and infrastructure. Our team of experts is dedicated to providing proactive support and innovative solutions to keep your business safe and secure. Visit us at https://congruityit.com.

