Quick response codes - aka QR codes - have exploded in popularity because they are a convenient alternative to typing a complicated web address. They are an easy way to access the information you need by opening your camera app; however, these codes must be treated with caution. Recently, the Federal Trade Commission (FTC) released a consumer alert warning people to be on the lookout for harmful links hidden in QR codes.
Quishing, or QR phishing, is a cybersecurity threat in which attackers use QR codes to direct victims to malicious websites or prompt them to download harmful content. This attack aims to steal sensitive information, such as passwords, financial data, or personally identifiable information (PII), and use that information for other purposes, such as identity theft, financial fraud, or ransomware.
This type of phishing often bypasses conventional defenses like secure email gateways. Notably, many secure email gateways treat a QR code in an email as just another image and never extract or check the URL it encodes, so the malicious link reaches the user unexamined.
What are QR codes?
QR codes are two-dimensional barcodes that can be scanned with a camera or a code-reader application. Their main function is data storage: a QR code can hold a significant amount of information, such as a URL, product details, or contact information. When a smartphone camera or code reader scans the code, it can quickly and easily open the website the encoded URL points to. QR codes appear on flyers and advertisements to provide additional information, at restaurants and parking meters to offer a simple self-checkout process, and in public places to provide access to free Wi-Fi.
How does quishing work?
Because QR codes are so easy to create and so widely used, bad actors create fake QR codes that direct users to bogus websites where malware is installed on their devices or their information is stolen.
Typically, the attacker will embed the QR code in phishing emails, social media posts, printed flyers, or physical objects and use social engineering techniques to entice victims. For example, victims might receive an email urging them to access an encrypted voice message via a QR code for a chance to win a cash prize. Once a victim is directed to a malicious site, they are prompted to enter sensitive information such as login credentials, financial details, or other personal information. Once this information is captured, attackers can exploit it for various malicious purposes, including identity theft, financial fraud, or ransomware.
How can you identify quishing attacks?
- Think before you scan - It's best not to scan a QR code if it's from an unknown source. If you receive an unexpected email or text with a QR code, confirm the source, especially if it urges you to act immediately. Double-check physical QR codes for any signs of tampering (e.g., the QR code is a sticker, the QR code looks to be out of place, and instructions for the QR code don’t match the style and format of the larger display).
- Trust, but verify - If a message seems legitimate, verify the sender's identity using a confirmed phone number or website. Be cautious with URLs and avoid sharing personal info or making payments through QR code-linked sites to reduce the risk of phishing attacks. Before accessing any website from a QR code, verify the legitimacy of the site.
- Email domain does not match - If you receive an email with a QR code claiming to be from Company X, but the sender's email is from Gmail or an unfamiliar domain, it's likely a phishing attack.
- Keep your OS current - The FTC recommends you protect your phone and accounts by updating them to the latest OS and using strong passwords and multifactor authentication on them.
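The gateway gap described earlier (QR codes treated as plain images) and the sender-domain check in the list above can be turned into a triage step on the defender's side. The following is an added example, not code from the original article or from the FTC: it assumes the QR image has already been decoded by a separate library (pyzbar, for instance) and takes the decoded payload, the message's From: header and the analyst-supplied real domain of the brand the message claims to come from; the sample header, payload and `companyx.example` domain are constructed.

```python
"""Triage a URL decoded from an emailed QR code against the claimed sender.

Gateways often treat the QR code as an opaque image, so its URL skips the usual
link checks. Decoding is left to a QR library (e.g. pyzbar) outside this example.
"""
from email.utils import parseaddr
from urllib.parse import urlparse

# Consumer mailbox providers: a brand mailing from one of these is the mismatch
# the checklist describes.
FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
# Constructed sample: the From: header and the payload decoded from the QR image.
SAMPLE_FROM = "Company X Payroll <companyx.payroll@gmail.com>"
SAMPLE_PAYLOAD = "http://companyx-voicemail.example.net/login?ref=prize"

def sender_domain(from_header):
    """Lowercased domain of the From: address, or '' if none could be parsed."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def under(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def triage(payload, from_header, claimed_domain):
    """Return findings for one decoded payload; an empty list means nothing flagged.
    claimed_domain is the real domain of the brand the mail claims to be from."""
    url = urlparse(payload.strip())
    if url.scheme not in ("http", "https") or not url.hostname:
        # vCard, Wi-Fi or plain-text payloads are out of scope for URL checks.
        return ["payload is not an http(s) URL; inspect manually"]
    host, claimed = url.hostname.lower(), claimed_domain.lower()
    findings = []
    if url.scheme == "http":
        findings.append("plain http link: anything typed into it travels unencrypted")
    if not under(host, claimed):
        findings.append(f"link host {host} is not under claimed domain {claimed}")
    sdom = sender_domain(from_header)
    if sdom in FREE_MAIL:
        findings.append(f"sender uses consumer mailbox {sdom} while claiming {claimed}")
    elif sdom and not under(sdom, claimed):
        findings.append(f"sender domain {sdom} does not match claimed domain {claimed}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_PAYLOAD, SAMPLE_FROM, "companyx.example"):
        print("FLAG:", finding)
```

The subdomain test is deliberately strict (no public-suffix handling), so a brand hosted under a shared platform domain will need its real domain supplied as `claimed_domain`.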
Legitimate companies will always send instructions for any necessary actions and will not send a QR code for account verification. Similar to SMS messages from unknown sources, these QR codes could conceal malicious intent and should be scanned with caution.