Andy Swift, Cyber Security Assurance Technical Director at Six Degrees, explains why cybercriminals have started using QR Codes to target victims and outlines how you can protect your business.

What are quishing attacks and how do they work?
QR codes are everywhere these days: adverts, posters, packaging, menus, tickets, banking apps. There’s no escaping them, even at art galleries and museums. You might be forgiven for thinking they’re a new phenomenon, but QR codes have been used in supply chain and manufacturing settings since the early ‘90s. It’s only with the advent of smartphone QR code reader apps and, most recently, direct QR code reader integration with phone cameras that they’ve caught the public’s imagination.
Inevitably, cybercriminals spied an opportunity, too – and quishing (or QR phishing) is now on the rise. Quishing works like a standard phishing attack, but the malicious link is hidden in a QR code rather than an email link. It’s a far more versatile attack method and can be delivered via texts, WhatsApp messages, social media posts, websites, printed copy or even public signage.
These links – often offering a fantastic prize, premium content, or cash sum – might take victims to a fake app, a legitimate app with fake links, or a legitimate app with real links and a fake AI ‘person’ on the other side. As with phishing, once cybercriminals have tricked their victims into handing over sensitive information, they can commit identity theft, install ransomware, or carry out financial fraud. QR code links used in quishing attacks can also initiate actions on a smartphone, including email composition and contact updates – further compromising the victim and the organisation they work for.
Why are quishing attacks so effective?
- Digital QR codes can bypass some email gateways and firewalls because they’re interpreted as harmless images.
- QR codes with fraudulent links can be printed on physical content and delivered in the post. This means they bypass all digital cybersecurity defences and are only subject to basic checks from the people in charge of sorting mail.
- There’s a low barrier to entry. Cybercriminals don’t need to write complex code to deliver a malicious link. In some instances, they can stick a fake QR code over an existing piece of physical content.
- Humans need an app to decipher QR codes. This makes fraudulent links much harder (although not impossible) to spot.
How can organisations fight back?
There’s a lack of education and basic information about quishing, so people don’t know how to identify an attack and protect themselves. So, the best thing we can do is raise awareness of the threat and keep employees informed. Here are a few tips to help do just that:
Update your cybersecurity training
Threats such as quishing prove cybercriminals have moved on. Cybersecurity training needs to do the same. For the best results, keep it engaging, to the point, easy to digest, and not too technical.
Give some extra time to younger employees
This isn’t because they’re naïve – they’re probably more tech-smart than us in many ways. But they suffer far more from notification and alert fatigue than their older colleagues. That’s thanks in great measure to those endless (and seemingly meaningless) cookie acceptance buttons, which have trained an entire generation to mindlessly tick, click and wave through pop-ups and other notifications without giving them due attention.
Check in with reception staff and anyone else responsible for opening or distributing mail
Are they routinely included in your cybersecurity training? Have they heard about quishing, and do they routinely weed out any leaflets, flyers, and envelopes with QR codes on them? If they are responsible for opening the mail, do they flag and/or check any mail containing QR codes? If you use a digital mailroom or outsource mail centre operations, are you confident they are trained to spot potential quishing attacks?
Check your tech stack
Email filtering, URL filtering and endpoint protection all protect staff from quishing attacks at various stages – so it’s vital to keep each of them up to date. Email filtering can block phishing emails with suspect QR codes before they reach their intended recipient. URL filtering can prevent potential victims from opening known malicious links hidden behind QR codes if the mail does get through.
If the user still manages to open a malicious link, endpoint protection can prevent QR codes from launching malware attacks or other harmful actions. Finally, if you suspect you’ve fallen victim to an attack, virus scanners and checkers can help identify and remove active and dormant malware.
Remember that your phone is your friend
These days, every QR reader app on every phone allows you to look at the link before you click it. So remind everyone in your organisation to do just that each time they come face to face with a QR code in any situation – not just in the office. It’s the same principle of double-checking a link in a potential phishing email and not clicking it if it looks wrong. A malicious URL will still look like a malicious URL when you review it in your QR code reader. So always check!
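The habit this section recommends, and the URL-filtering stage described under “Check your tech stack”, both come down to one question: once the QR code has been decoded, what does the payload actually do? The following is an added example, written for this article rather than code from Six Degrees, that triages a decoded payload the way a reviewer (human or gateway) should before anything is opened. It assumes the QR image has already been turned into text by a scanner (a phone reader app, or an email gateway that decodes QR images found in attachments); the trusted domain, shortener list and download suffixes are constructed placeholders, not a real allow or deny list. It covers the two payload families the article mentions: ordinary links, and payloads that trigger handset actions such as email composition or contact creation.

```python
"""Triage a decoded QR payload before anyone acts on it.

Added example, not Six Degrees code. Assumes a scanner has already decoded
the QR image into text. Domain and shortener lists are constructed samples.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Schemes that make a handset do something on scan (compose email, dial,
# send an SMS, join Wi-Fi) instead of simply opening a web page.
ACTION_SCHEMES = {"mailto", "tel", "sms", "smsto", "wifi", "geo", "intent", "market"}
# Payloads that create a contact or calendar entry when scanned.
CONTACT_PREFIXES = ("BEGIN:VCARD", "MECARD:", "BEGIN:VEVENT")
# Constructed sample of link shorteners that hide the final destination.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly"}
# File types a QR link should never deliver straight to a handset.
DOWNLOAD_SUFFIXES = (".apk", ".ipa", ".exe", ".msi", ".zip", ".scr")


def _result(kind, host, findings, trusted=False):
    """Turn findings into a verdict: block on any high-severity finding,
    review on lower-severity findings or an unknown host, allow otherwise."""
    if any(sev == "high" for sev, _ in findings):
        verdict = "block"
    elif findings or (kind == "url" and not trusted):
        verdict = "review"
    else:
        verdict = "allow"
    return {"kind": kind, "host": host, "findings": findings, "verdict": verdict}


def _is_trusted(host, trusted_domains):
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def triage_qr_payload(payload, trusted_domains=()):
    """Return {'kind', 'host', 'findings', 'verdict'} for a decoded QR payload.

    findings is a list of (severity, reason) tuples; verdict is one of
    'allow', 'review' or 'block'.
    """
    payload = payload.strip()
    findings = []

    # Contact / calendar payloads silently write to the handset on scan.
    if payload.upper().startswith(CONTACT_PREFIXES):
        findings.append(("medium", "payload creates a contact or calendar entry on scan"))
        return _result("contact_or_event", "", findings)

    scheme = payload.split(":", 1)[0].lower() if ":" in payload else ""
    if scheme in ACTION_SCHEMES:
        findings.append(("medium", f"'{scheme}:' payload triggers a handset action on scan"))
        return _result("device_action", "", findings)

    if scheme in ("http", "https"):
        parts = urlsplit(payload)
    elif "." in payload and " " not in payload:
        # Bare hostname such as 'example.org/offer'; readers open it over http.
        parts = urlsplit("http://" + payload)
        findings.append(("medium", "no scheme given; reader will open it over plain http"))
    else:
        return _result("text", "", [])  # plain text, nothing to open

    host = (parts.hostname or "").lower()
    labels = host.split(".")

    if scheme == "http":
        findings.append(("medium", "plain http link; content can be altered in transit"))
    if parts.username is not None:
        findings.append(("high", "credentials or '@' in the authority hide the real host"))
    try:
        ipaddress.ip_address(host)
        findings.append(("high", "raw IP address instead of a hostname"))
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in labels):
        findings.append(("high", "punycode label; possible homoglyph of a known brand"))
    if host in SHORTENER_HOSTS:
        findings.append(("medium", "link shortener hides the final destination"))
    if parts.path.lower().endswith(DOWNLOAD_SUFFIXES):
        findings.append(("high", "link delivers an installer or archive directly"))
    for values in parse_qs(parts.query).values():
        if any(v.lower().startswith(("http://", "https://")) for v in values):
            findings.append(("medium", "query parameter carries another URL (redirect hop)"))
            break

    trusted = _is_trusted(host, trusted_domains)
    if not trusted:
        # A trusted brand name appearing inside an untrusted host is a lookalike.
        for domain in trusted_domains:
            brand = domain.split(".")[0]
            if any(brand in label for label in labels):
                findings.append(("high", f"host imitates trusted domain '{domain}'"))
                break
    return _result("url", host, findings, trusted)


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner would hand them over.
    samples = [
        "https://www.example.com/menu",
        "http://bit.ly/3abc",
        "https://example.com.login-verify.test/prize?next=https://example.com",
        "mailto:finance@example.com?subject=Invoice",
        "BEGIN:VCARD\nFN:Help Desk\nTEL:+440000000000\nEND:VCARD",
        "https://203.0.113.5/app.apk",
    ]
    for p in samples:
        r = triage_qr_payload(p, trusted_domains=("example.com",))
        print(f"{r['verdict']:6} {r['kind']:17} {p[:48]!r}")
        for sev, reason in r["findings"]:
            print(f"         [{sev}] {reason}")
```

The verdict mirrors the article’s advice: a link under a domain you already trust, with nothing odd about it, is the only case that passes; anything that hides its destination, imitates a brand, or makes the phone do something other than open a page is held for a second look or blocked outright.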
Caution, judgement and personal responsibility
As I said at the start, QR codes are everywhere. Their ubiquity is one of the cybercriminal’s biggest weapons. Furthermore, people don’t expect QR codes to expose them to malicious URLs. You’d trust a QR code on a car park sign, at a music festival, in an art gallery, or in a message from your friend, wouldn’t you?
Unfortunately, this attitude has to change. We need to treat QR codes with the same degree of suspicion and cynicism as email links – and apply the same criteria for trust. So, next time you’re presented with a QR code, ask yourself if you trust the person or organisation supplying it. And if you’re in any doubt, don’t click on it.
Conclusions
Phishing attacks yield high rewards. So, even though cybersecurity defences have got much better at weeding out phishing emails before they reach their intended victims, cybercriminals aren’t going to give up easily. Quishing attacks form part of a wider strategy to find more creative and inventive techniques to bypass these defences and reach their victims. Other examples include attacks delivered via messaging and video conferencing apps – and attacker-in-the-middle/impersonation token attacks, which seek to outmanoeuvre multi-factor authentication techniques.
Despite these changes, the end goal remains roughly the same: extract credentials or plant malware. The key lesson from the rise in quishing attacks is that we must never become complacent about cybersecurity and threat mitigation. New attacks will arrive, and we need to be ready for them. As such, we should expect – and require – our processes, procedures, systems, and training to evolve so our employees and organisations remain safe.