What is Quishing?

Quishing, or QR code phishing, is a type of cyberattack that leverages QR codes to deceive users into revealing sensitive information or performing actions that compromise their security.

The Growing Concern

QR codes, short for “Quick Response” codes, are grid barcodes that can be scanned using smartphones and other devices to quickly access websites, contact information, and other data. While QR codes are incredibly convenient and widely used, they can also be exploited by malicious actors for phishing purposes.

Quishing takes advantage of the growing reliance on QR codes, especially in contexts where touchless interactions are preferred, such as during the COVID-19 pandemic. The convenience and trust users place in QR codes make them an attractive target for cybercriminals. As QR code usage continues to expand, so does the potential for quishing attacks, making it crucial for users to stay informed and vigilant.

By understanding the risks associated with QR codes and implementing security measures, individuals and organisations can better protect themselves against quishing and other cyber threats.

How Quishing Works

• Creation of Malicious QR Code: Cybercriminals generate QR codes that embed malicious URLs or actions. These QR codes may lead to phishing websites, initiate malware downloads, or perform other harmful activities when scanned.
• Distribution of QR Code: These malicious QR codes are distributed in various ways to reach a wide audience. Common methods include:
  • Physical Media: Printed on flyers, posters, business cards, or placed in public locations like bulletin boards, restaurants, or event venues.
  • Digital Media: Embedded in emails, social media posts, messaging apps, or websites.
  • Spoofing Legitimate Codes: Replacing or overlaying genuine QR codes in public places with malicious ones, such as on menus, advertisements, or product packaging.
• Scanning by Victims: Unsuspecting users scan the QR code using their smartphones or other devices, expecting to access legitimate content or services.
• Execution of Attack: Upon scanning, the QR code directs the user’s device to a phishing website, initiates a download of malware, or performs another harmful action. The phishing website may mimic a legitimate site to trick users into entering personal information, such as login credentials, credit card numbers, or other sensitive data.
• Data Theft or Device Compromise: The attacker gains access to the victim’s sensitive information or compromises the device to further exploit it. This can lead to identity theft, financial loss, or further spreading of malware.

Examples of Quishing Attacks

• Fake Restaurant Menus: A QR code on a restaurant menu is replaced with a malicious one, leading customers to a phishing site that steals their payment information.
• Event Promotions: Flyers for events with QR codes are distributed, but the code directs users to a site that installs malware on their devices.
• Business Cards: Business cards with QR codes that lead to fake LinkedIn or company websites, capturing login credentials.

Prevention Tips

To protect yourself from quishing attacks, consider the following precautions:

• Be Cautious with QR Codes: Only scan QR codes from trusted and verified sources. Avoid scanning codes from unknown or suspicious origins.
• Verify the URL: After scanning a QR code, carefully check the URL before proceeding. Look for signs of legitimacy, such as HTTPS, recognisable domain names, and absence of suspicious characters or misspellings.
• Use Security Software: Ensure your smartphone or device has up-to-date security software that can detect and block malicious activities, including those initiated by QR codes.
• Educate Yourself and Others: Increase awareness about quishing and other types of phishing attacks. Educating yourself and others can help in recognising and avoiding such threats.
• Physical Verification: When possible, manually type the URL instead of scanning the QR code, especially if you are unsure about its source.
• Security Features: Use QR scanning apps that provide security checks, such as previewing the URL before opening it.
• Report Suspicious QR Codes: If you encounter a suspicious QR code, report it to the relevant authorities or the organisation supposedly responsible for it.

