What is Quishing? The Meaning of Quishing and How To Prevent It.
Quick Response (QR) codes have become a common occurrence in our daily lives. However, this increasing prevalence comes a new kind of threat: quishing.
Quishing, a blend of QR code and phishing, is a fraudulent activity where attackers create malicious QR codes to steal sensitive information.
In a quishing attack, a user scans a QR code, believing it’s from a trusted source, and gets redirected to a malicious website or prompted to download malware. Typically, the hacker’s goal is to trick the user into unintentionally sharing personal information such as credit card details or login credentials.
Quishing is a serious concern because it’s not possible for users to differentiate between a genuine and a malicious QR code (unlike traditional phishing attacks where there are often warning signs of an inauthentic message). More significantly, existing anti-phishing mechanisms rely on analysing text and links within emails. In quishing emails QR codes are typically delivered as images, allowing them to bypass security systems.
What are QR codes and how do they work?
QR codes are two-dimensional barcodes that store information in a machine-readable optical label. A QR code consists of black squares arranged on a white background. These codes can hold various types of data, such as URLs, text, or other digital content. When scanned with a QR code reader or smartphone camera, the encoded information is quickly retrieved and displayed or processed by the device.
How Does Quishing Work?
There are four main ways that quishing works as a scam:
- Spoofing
- Creating a sense of urgency
- Fake websites
- Redirecting to Fake Interactive Voice Response (IVR) Systems
Spoofing
Spoofing, in the context of quishing, involves creating a malicious QR code that mimics a legitimate one from a trusted authority or brand. For example, the QR code might appear within a poster that uses a recognised brand’s logo and imagery, or it might be embedded in an email that apparently comes from a trusted vendor’s website domain.
In a QR attack based on spoofing, attackers take advantage of two trust elements: a user’s familiarity with a brand or organisation, and their assumption that a QR code will always lead to a safe destination.
Creating a sense of Urgency or Opportunity
Like in traditional phishing attacks, quishing attacks might use urgency or a missed opportunity, to cause a victim to scan a QR code without carefully examining it or considering the consequences.
Common urgency tactics used in quishing attacks:
- Covering up the QR code on a pay-and-display parking machine with a malicious QR code. This exploits the urgency of paying for one’s parking and getting on the way.
- Sending a message saying a package could not be delivered, with a QR code to contact the sender or reschedule.
- Pretending there is suspicious activity on the victim’s account, and they need to confirm information to prevent the account from being frozen.
Fake Websites and Transactional Processes
Scammers are becoming increasingly sophisticated in their approaches, and this includes using meticulously crafted fake websites and processes in their quishing attacks. This method involves creating a scenario designed to trick the user into providing their sensitive information.
For instance, a user might scan a QR code that appears to be from the bank. It leads to a site that looks identical to the bank’s official website. The user is then prompted to enter their login details, supposedly to verify your account or update your security settings. The credentials are then sent to the scammer.
Redirecting to Fake Interactive Voice Response (IVR) Systems
A more advanced quishing technique involves redirecting victims to fake Interactive Voice Response (IVR) systems. This can be particularly effective because it mimics the behaviours of legitimate businesses. The use of a call instead of a website can create a false sense of security, making it more likely for the user to disclose sensitive information.
In a typical scenario, a user scans a QR code that purports to be from a well-known company. Instead of being taken to a website, they are connected to a phone number. The number will provide an automated voice system that requires the user to enter sensitive data such as a credit card number, a social security number, or bank account details. Attackers record the information entered by the user.
What are the Impacts and Consequences of Quishing?
Quishing poses a significant risk to consumers, and can lead to financial loss and identity theft. For example, a consumer may scan a QR code in a public place, like a café or a bus stop, thinking it leads to a promotional offer. Instead, they’re directed to a fraudulent website where they’re tricked into entering their credit card details. This information can be used by attackers for unauthorised purchases or sold on the dark web.
Quishing can also lead to the compromise of personal accounts. For example, attackers might send a QR code by email, supposedly from a social media platform. The user is directed to a malicious site and asked to enter their credentials. The attacker compromises the credentials and uses them for identity theft.
Quishing attacks can also lead to significant data breaches within organisations. Consider a scenario where an employee scans a QR code, believing it to be an internal survey from their employer. This QR code, however, is a quishing attack designed to capture login credentials. Once the attacker gains access to the employee’s account, they can move laterally within the organisation’s network, accessing sensitive corporate data.
Scenarios like this can result in major data breaches involving customer information, trade secrets, and other confidential data. Such breaches not only lead to financial losses but also damage the organisation’s reputation, compliance violations, and legal exposure.
Beyond data breaches, quishing can be a gateway to more severe business compromises such as financial fraud and network infiltration. Consider a scenario where an attacker uses quishing to trick employees into making fraudulent financial transactions. For example, a QR code disguised as a vendor payment request could lead to a fake banking portal, resulting in funds being transferred to the attacker’s account.
Another high impact scenario is that an attacker could use a spoofed QR code to deliver ransomware into an organisation. By sending a carefully crafted email to an individual with administrative permissions, the ransomware can spread across a network and lead to critical business data held hostage for a ransom.
Signs of a Quishing Attack
It can be very difficult to detect sophisticated quishing attacks. But there are several indicators that can help users identify and prevent quishing attacks and can help prevent at least some attacks.
Unexpected or Unsolicited QR Codes
Be cautious of QR codes that appear unexpectedly or are received without prior notice. These might be found in unusual places, such as on pay-and-display machines, public notice boards, or flyers handed out in busy areas. Attackers exploit the urgency of certain situations, like paying for parking or accessing urgent information.
Lack of Context, Unusual Placement or Presentation
Legitimate QR codes are typically accompanied by clear instructions or context about their purpose. For example, a QR code at a restaurant may be labelled to access the menu, or a QR code in a brochure might link to more detailed information about a product. Be wary of QR codes that lack this information or are presented without any explanatory text.
Additionally, check for spelling mistakes, inconsistent fonts, or low-quality printing that might indicate a quishing attempt. Similarly, QR codes that appear to be hastily added to printed materials, like a sticker covering something underneath, could indicate a potential quishing attempt.
Suspicious Sender
QR codes sent via email, text message, or social media from unknown or suspicious senders should be treated with caution. Verify the identity of the sender and the legitimacy of the message before scanning the QR code. Even if the message appears to come from a trusted source, such as a bank or a known contact, look for subtle discrepancies such as an unusual sense of urgency, unexpected requests, or language that doesn’t match the sender’s usual tone.
Use of URL Shorteners or Obscured Links
Be wary of QR codes that, when scanned, redirect you to URLs that are shortened or obscured. If your QR code scanner app allows, always preview the full URL before proceeding. If the URL looks suspicious or doesn’t match the expected domain, do not proceed further.
How to Protect Against Quishing
If you are an individual, here are a few ways to avoid falling prey to quishing attacks. If you work for an organisation, educate employees and users on these best practices to prevent quishing and safeguard your network.
Verify the Source of a QR Code
A first line of defence against quishing attacks is to verify the source of the QR code. If you encounter a QR code in a public place, ask yourself if it’s from a trustworthy source. If you’re not sure, it’s best to avoid scanning it. Also, always verify the source of emailed or messaged QR codes. Cybercriminals often impersonate reputable companies in their phishing attempts. If you get an unexpected QR code from a company, contact them through their official channels to confirm its legitimacy.
Use a Reliable QR Code Reader
When choosing a QR code reader, look for ones that are created by reputable software vendors and have positive reviews. Some QR code readers could be malicious software distributed by attackers, or software that is not regularly updated and more susceptible to security vulnerabilities. Also, some QR code readers have built-in security features. These features may include a warning system that alerts you when a QR code is linked to a suspicious website. Using a QR code reader with these security features can add an extra layer of protection against quishing attacks.
Preview the Destination URL
Before you scan a QR code, it’s important to preview the destination URL. This can help you identify potentially malicious websites. If the URL looks suspicious, don’t proceed with the scan. Make sure the URL is under a known domain name and is secure (starts with https://).
Here is an example of how to do this in a popular QR scanning app, QR & Barcode Scanner. After scanning the QR code, the application shows the destination URL, which in this case is under a reputable domain, nutella.com. Note however that the URL is not secure (starts with http:// without the ‘s’).
Furthermore, be wary of shortened URLs. Cybercriminals often use URL shorteners to hide the true destination of their phishing sites. If you encounter a shortened URL, use a URL expander to reveal the full URL before scanning the QR code. For example, Urlex is a free website that allows you to expand a short URL to view the destination URL.
How can Fuse CS help protect your organisation from Quishing
As a managed service provider, Fuse CS can help your organisation protect their assets and infrastructure by:
- Advanced Image Scanning and Threat Analysis capabilities of Microsoft Defender for Office 365
- Proactively hunting for malicious QR codes that have passed the image scanning with Microsoft Defender XDR and KQL queries
- Cyberattack Simulation Training – Simulate Quishing attacks and create dedicated trainings tailored to your company’s requirements and landscape
Book a 30-minute no obligation chat with us to share your concerns about quishing and cybersecurity in general.
About the author
Fuse is a Microsoft Partner, based in Northampton. We help organisations of all sizes to maximise IT efficiencies through the use of Microsoft cloud computing solutions.
