Threat actors use many forms of phishing to carry out their targeted cyber-attacks. Spear phishing remains a highly popular form, including sending personalized emails with fake links to access sensitive data and/or deploying malicious software to demand a ransom. With technological advances and shifts in common technological use, threat actors seize new opportunities to ensure successful hack attempts.
QR code phishing, or “quishing”, is not just a new method of attack, it's a rapidly growing and alarming threat that has surged in recent months. This surge coincides with the increasing popularity of scanning QR codes in our daily lives over the past few years. From scanning a QR code for menus at a restaurant to recording loyalty points at retail outlets or even logging in to streaming applications, it has become the new norm. In fact, Scoop recently reported that in 2022, 83.4 million U.S. smartphone users scanned a QR code, which is expected to rise to 99.5 million people in 2025. Threat actors exploit this new phenomenon, particularly in instances where people would least suspect it.
When Trust is a Threat
The primary vulnerability that threat actors exploit in quishing attacks is our trust. This trust is a double-edged sword, as it is the very thing that makes QR codes so convenient and widely used, but it's also what threat actors manipulate to carry out their attacks. They take advantage of how unsuspecting the average smartphone user is when scanning a QR code, as most automatically assume that all QR codes are legitimate and lead to their designated point. For instance, the Federal Trade Commission has reported instances of threat actors nefariously covering up legitimate QR codes on parking meters with an illicit but innocent-seeming QR code of their own. In some cases, threat actors might even send a text message or email to try to legitimize it and give users a reason to scan it. However, there are ways to identify that these QR codes are counterfeit. Here are a few tactics that threat actors use to carry out their quishing attacks:
- Trying to move a conversation from a corporate-owned device to a personal device or social platform like WhatsApp where the threat actor believes it will be easier for them to be successful
- Sending suspicious text messages or emails about package delivery and asking the user to scan a QR code to verify
Also, many attacks rely heavily on creating a sense of urgency around a supposed benefit or consequence for not taking attacks. In September 2023, it was reported that there was a 51% increase in quishing attacks compared to January through August 2023. Malicious QR codes represented 9.5% of all QR codes scanned in September 2023 and as the use of QR codes continues to rise, we can expect these numbers to rise in the future.
According to ZD Net, since QR codes are nearly everywhere and provide users with easy access to information they need, people are prone to scanning them without a second thought. Using this vulnerability, threat actors have used this method to imitate helpful QR codes, only to lead the person who scanned the code to a counterfeit site, steal their sensitive information, or even install malware on their devices.
What Does This Mean for Companies?
Cybersecurity awareness training is one of the best defenses to prevent employees from falling victim to quishing attacks. This can include ensuring employees know about particular cyber threats and what to do about them. Implementing ongoing training ensures that employees can identify potential attacks and make informed decisions based on their training. Leveraging tools, such as simulation training, gives employees better understand of what to expect when presented with a potential phishing attack attempt.
Threat actors are showing no signs of slowing down, so employees must be reminded to always think twice before scanning any random QR code when using company-issued equipment, services, and software. This is especially true when a threat actor tries to manipulate the end user into accessing corporate data on a personal device lacking corporate protection.
QR codes serve a valid purpose. However, they must lead to an authorized landing page. That is why it is important for companies to inspect the URL before they open it, and even if it does look like a recognizable URL, ensure that it is legitimate.
The best way to tackle this is to implement a robust cybersecurity solution that can do this sustainably, automatically, and on an ongoing basis.
It is important for companies to be able to automatically detect QR codes placed within emails that reroute to other malicious websites. This will help determine which QR codes are safe or not.
The threat of a potential QR code attack may seem miniscule. That kind of low-priority attitude is a huge vulnerability that threat actors are actively looking to exploit. The more equipped companies are with their training and proper tools, the better they will be at preventing this type of cyber-attack. As technology continues to advance and innovate, it remains crucial for companies and employees to stay ahead of the curve in ensuring cybersecurity protection.