What is quishing? The rise of QR code phishing attacks

What is phishing?

If you’ve not come across the term before, phishing is a type of social engineering cybercrime where hackers try to trick you into giving away sensitive data online. They pretend to be someone you know or trust like a bank or a recognized company, and reach out via email (email spoofing) or text (smishing). These messages often try to scare you or get you excited with promises of money or prizes.

Clicking on the link or opening the attachment in the message probably takes you to fake website or leads you to accidentally download malware. The goal? To steal your passwords, credit card numbers, or other important information.

An example of an email spoofing attack where cybercriminals sent unsuspecting recipients to this phishing website imitating PayPal’s real login page. That URL looks a little “phishy” though, right?

What is quishing?

Quishing another type of phishing attack with a fancy new twist. Instead of clicking on a link in an email, you're tricked into scanning QR codes. This code, when scanned, takes you to a fake website designed to steal your personal contact information.

As QR codes have up until now been relatively harmless (they’re used for opening your local pub menu, right?) many people have fallen susceptible to quishing attacks. So, next time you see a QR code pop out of an email, think twice before scanning it with your phone.

How does quishing work?

Here’s a quick run-through of how cybercriminals are setting up QR code cyberattacks:

1. Creation of a malicious QR code: The attacker creates a QR code that, when scanned, typically leads to a malicious website designed to steal credentials, download malware, or collect personal information.

2. Distribution of the QR code: It will then be distributed by various means, such as emails, text messages, social media, physical posters, or flyers.

3. Enticing victims: The attacker then lures unsuspecting victims in scanning the QR code with promises of discounts, free items, urgent notifications, or verification requests.

4. Commence attack: Once the QR code is scanned, the victim is taken to a phishing website that may look legitimate and requests sensitive information such as login credentials, credit card numbers, or personal identification details. Alternatively, the QR code might trigger the download of malware onto the victim's device.

5. Data theft or device compromise: If the victim enters their information on the phishing site, the attacker collects this data and can use it for identity theft, financial fraud, or further attacks. If malware is downloaded, the attacker gains access to the victim’s device, potentially leading to data breaches or further exploitation.

6. Exploitation: The stolen information is then used for various malicious purposes, such as unauthorized transactions, identity theft, or sold on the dark web.

How to prevent QR code phishing

The good news is there are ways to combat these new, advanced phishing attacks and hopefully restore the reputation of our poor ol’ QR code. The most obvious of course is to not scan QR codes received by email (especially from sources you don’t recognize). Honestly, when was the last time you received a legitimate QR code by email?

Additionally, you’ll want to protect your data (and brand reputation). Here are a few best practices for you to follow:

Email authentication

Without a doubt the best way to protect your brand from quishing attacks is by implementing email authentication protocols. These protocols work together to verify the authenticity of email senders, ensuring that messages originate from legitimate sources. This prevents cybercriminals from spoofing your brand’s email address to distribute malicious content, such as phishing links or QR codes that lead to malicious websites.

The three primary email authentication protocols are:

• SPF (Sender Policy Framework)

• DKIM (DomainKeys Identified Mail)

• DMARC (Domain-based Message Authentication, Reporting, and Conformance)

2FA (Two-Factor Authentication)

2FA is another robust security measure that significantly enhances your brand's protection against QR code phishing attacks. Essentially, it works by demanding an additional layer of verification beyond a simple password (two-factor) making it exponentially more difficult for threat actors to gain unauthorized access to sensitive information.

So, even if a cybercriminal manages to acquire a colleague’s password they’ll be unable to access said account without multi-factor authentication (typically a code sent to a trusted device). This effectively prevents unauthorized logins and safeguards your customer data.

Awareness training

There are a few telltale signs that an email is sent from a threat actor that you can educate your team to lookout for. For example, when inspecting a suspicious link generated from a QR code always check the URL. Does it contain a misspelling? Are there grammatical errors or strange spacing? Does it look like a legitimate URL from a recognized brand?

Also, if the email urges you to act immediately or is littered with email spam words, it could also be a sign of a malicious attempt to steal data. So again, make sure to train your team to be vigilant before interacting with any suspicious emails.

Install antivirus software

As the name suggests, antivirus programs can identify and block malicious links, attachments, and downloads that are often used to distribute phishing scams. So, in the unfortunate event that a colleague falls victim to an attack, antivirus programs act as that second line of defense, preventing unauthorized access to sensitive information.

Also, antivirus software helps to contain the spread of malware or ransomware if a team member’s device becomes infected after a quishing attack. Again, this minimizes the risk of data breaches.

QR code phishing attacks

We always try to tell us ourselves “it won’t happen to me,” right? While we’re not knocking your optimism, it’s preferable to hope for the best, and plan for the worst. Just ask the Chinese Ministry of Finance…

In November 2022, the Chinese Government was victim of a large-scale email spoofing attack. Attackers imitating the government sent out a mass email containing a Microsoft Word document attachment:

The body text translates in English to “Please click on the attachment to view the notification of the Ministry of Finance’s application for personal labor subsidies in the fourth quarter of 2022!”

The document claims recipients are entitled to a government grant. The attackers suggest that people must act quickly to remain eligible for the money, quoting various institutions and security figures to further legitimize the scam. Notice how it ticks all the boxes for a classic phishing email: sense of urgency, financial reward, and authority.

To receive the money recipients are asked to open the Word Document and scan an embedded QR code:

Notice how the QR code closely resembles the official emblem of the People’s Republic of China to legitimize the scam

The QR code redirects victims to a site containing reaffirming the claims from the Word document. After clicking a CTA, victims can start their request for the grant. Of course, to receive the money there’s a caveat – you must input your bank account details.

By getting users to switch over to a mobile device, the attackers potentially bypass many of the security measures set on a conventional company-supplied laptop.

Attackers now have all the information they need to make fraudulent transactions on behalf of the victim.

Increase your email security with Sinch Mailjet

At Sinch, email authentication is at the core of our product offering for all our email solutions. We’re constantly striving to give senders the tools and advice needed to establish trust with their audience, protect their brand reputation and bolster their email security.