Quishing: A growing threat hiding in plain sight


Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.

However, legitimate organizations aren’t the only ones generating QR codes for added convenience. Cyber criminals are also leveraging QR codes and the increased reliance on near-field technology (NFC) to launch sophisticated attacks on unsuspecting victims.

What is quishing, and how does it work?

The Federal Trade Commission (FTC) has reported a rising trend in new phishing schemes where scammers use seemingly legitimate QR codes to send users to malicious websites and applications to carry out various cyberattacks. Termed “quishing,” these techniques can be highly effective, especially when the generated codes are posted in credible places like retail products, business buildings and branded marketing locations like magazines or mailers.

How are quishing attacks carried out?

The reason why quishing attacks have become so effective has to do with the impulsivity associated with scanning QR codes due to user convenience, the ease at which codes can be generated and the anonymity they provide.

Anyone can create a QR code online using a range of free available tools. Since all QR codes look similar in design, there is no telling what a QR code will prompt a device to do until it is scanned.

Cyber criminals will typically generate codes to redirect to malicious websites where they’ll attempt to install malware scripts, or they may try to request additional permissions on the device that can be saved for later use. These codes can then be printed out and pasted directly over legitimate QR codes to make them look like they’re coming from a reputable source.

Many people don’t think twice about scanning these QR codes and will often accept security bypass prompts that show on their devices so they can more easily access the application or services.

Explore offensive security solutions

Who is most commonly targeted by quishing?

When QR codes first started appearing, not many people knew what they were or even how to use them. However, with most modern mobile devices capable of using NFC technology and the ability to transmit and receive data, they started becoming a popular medium for easy advertising and added convenience for users.

Today, QR codes are commonly used by a variety of individuals, and cyber criminals have used quishing to target susceptible individuals. Many of these include:

  • Elderly individuals who are less familiar with phishing tactics and more trusting of the websites they’re taken to
  • Online shoppers that use QR codes to “track their packages”
  • Job seekers using their mobile devices to provide personally identifiable information (PII) as part of the “application” process
  • Business executives whose devices are typically registered with higher levels of access to mobile banking applications and services
  • Individuals using paid parking mobile applications frequently scan QR codes at various parking meters around the city

Frequently visited public establishments like restaurants and coffee shops are prime targets for quishing victims. Many of these risks became more apparent during COVID-19 when QR codes were heavily relied on as a way to avoid unnecessary contact when using physical menus or making payments.

As the trend in QR code use has continued, the dangers of quishing have only increased over the years. Individuals and businesses should take proper precautions to avoid being victimized.

How to stay protected from QR code scams

The FTC has provided various strategies organizations can follow to help protect themselves from quishing schemes. These include:

  • Think before you scan: It’s important to recognize that while convenient and easy to use, QR codes can present hidden dangers. Before scanning a new code, make sure that you’re only scanning codes from reputable sources. This is especially the case if the QR code requires access to certain permissions on your mobile device to function properly.

  • Look for physical signs of tampering: When using QR codes in public places, you should look for physical signs of tampering. While not all QR stickers need to be considered malicious, you should inspect them carefully to see if they’re pixelated or out of alignment. If it looks suspicious, simply don’t scan it.

  • Inspect URLs before using them: Most mobile devices will have security protocols in place that let you inspect an attempted URL redirect before you agree to navigate the site. Take the time to ensure the QR code you scanned is taking you to the correct site or mobile application it should.

  • Be cautious of unsolicited QR requests: Receiving unsolicited emails from seemingly legitimate websites with a request to scan QR codes should be treated cautiously. Being told to scan a QR code with little context about what it’s being used for should be a red flag. If you’re unsure of legitimacy, contact the business or go directly to their website without using any redirect links.

  • Keep NFC turned off when not in use: As a good rule of thumb, it’s recommended that you keep your NFC turned off when not in use. This helps to protect against sharing any data between devices without your consent and will help to avoid being overly impulsive when scanning public QR codes without careful consideration.

Don’t let added convenience lower your guard

QR codes are a convenient way of installing applications and getting more information about different brands and services. However, it’s important not to let the convenience of scanning a QR code cloud your good judgment when protecting your privacy.

By staying alert and following the guidelines discussed, you and your business will be better protected from becoming victimized by quishing schemes.

The post Quishing: A growing threat hiding in plain sight appeared first on Security Intelligence.