
Quishing: Phishing with QR codes

Author: Stefan Feist, Technical Writer (https://www.linkedin.com/in/stefan-feist-23b257b0/)

Opening menus, paying parking fees, gaining entry to events, calling up information or logging into a WLAN: all of this is possible with the help of QR codes. QR codes are practical, but they can also be misused for criminal purposes. So-called “quishing” is now a widespread method used by fraudsters to obtain sensitive information such as usernames, passwords and credit card details. In this blog post, we explain how quishing works and how you can protect yourself.

07.06.2024 | Last edited: 16.08.2024

What are QR codes?

QR (quick response) codes are two-dimensional codes. They were invented in 1994 by Masahiro Hara for the Japanese automotive supplier Denso Wave. Masahiro Hara found the inspiration for QR codes in the board game Go.

QR codes offer several advantages over conventional, one-dimensional barcodes: they can store up to 7,089 digits or 4,296 letters as well as punctuation and special characters. In addition to numbers, they can therefore hold words and sentences, and thus URLs. They also remain readable when partially damaged.

The numerous advantages of QR codes have led to them being used in a wide range of industries. They are now particularly popular in payment processing, but also in marketing and advertising. Today, QR codes are used in public places such as billboards, in restaurants, on flyers and stickers, but also on smartphones, e.g. in text messages, social media and emails.

What is quishing?

Quishing (the term is a combination of the words “QR” and “phishing”) uses QR codes as an attack vector for cyber attacks. Phishing itself is a made-up word (derived from “fishing”) and refers to attempts to impersonate a trustworthy electronic communication partner using fake websites, emails or text messages. The purpose of the scam is, for example, to obtain an Internet user’s personal data, or to trick them into logging in to a fake or imitation website in order to steal login credentials such as passwords and usernames.

The methods used for phishing adapt to the respective technical conditions and developments: Whether using ChatGPT, AI-supported spear phishing attacks, URL shorteners, archives, vishing (voice phishing via phone calls), smishing (phishing via SMS messages) or, as described here, QR code-supported quishing, the goals are always the same, namely to steal confidential information from victims.

How does quishing (QR code phishing) work?

First, the attackers create a QR code that contains a URL that leads to a malicious website or triggers a malicious action. This URL can be a phishing website that aims to steal personal information such as usernames, passwords or credit card details. Alternatively, the URL can lead to a website that downloads malware and installs it on the user’s device.

The attackers place the malicious QR codes in public places, on printed materials or as part of emails, in social media or on websites. They then claim, for example, that a parcel could not be delivered and ask for a new delivery date. Or they point out alleged problems with a user account and ask you to confirm your details. Or they inform you of allegedly suspicious activity on your user account and urge you to change your password. The alleged reasons are varied.

In any case, the messages create a sense of urgency to entice victims to enter their codes without thinking. After scanning the QR code, the user is redirected to the malicious website or a malware download is started directly, compromising the device.

Media disruption leads to security gap

In addition, QR codes are usually scanned using a smartphone. This switch of device (a media disruption) is problematic because the attack can then take place on the personal device, regardless of how well the company’s IT is secured. Attacks that happen there cannot be monitored or prevented by the company. If employees then enter passwords, the data entered is transmitted to the attacker, who can use it for further attacks or identity theft.

Quishing and its consequences

The number of quishing campaigns is constantly increasing. In some known cases, the aim was to steal credit card details, while in two other cases, fake websites were used to get victims to supposedly pay for parking tickets, but the money ended up with the fraudsters instead. Access data for Microsoft 365 cloud applications is also said to have been captured in this way.

The consequences of successful quishing attacks can be serious and affect both personal and professional areas. Data theft, financial losses, malware infections, loss of privacy or even damage to companies are likely.

How can I protect myself against quishing?

Basically, the same applies as with phishing and spam: vigilance and a healthy dose of skepticism towards QR codes of unknown origin are the first step to avoid becoming a victim. It also makes sense to check the target URL, for example to see whether an HTTPS connection is being used.
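The URL check described above, as an added example (not part of the original post and not NoSpamProxy's detection logic): a Python function that inspects the string a QR decoder has returned before anyone opens it. The shortener list, the heuristics and all sample payloads are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: a small, non-exhaustive sample of URL shortener hosts.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def inspect_qr_payload(payload: str) -> list[str]:
    """Return warnings for a string decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".").lower()
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return ["malformed URL"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # QR codes can also carry Wi-Fi settings, phone numbers or plain text.
        return [f"not a web URL (scheme: {scheme or 'none'})"]
    if not host:
        return ["malformed URL"]
    findings = []
    if scheme == "http":
        findings.append("no HTTPS")
    if parts.username is not None:
        # https://trusted.example@other.example/ connects to other.example
        findings.append("userinfo before host")
    try:
        ipaddress.ip_address(host)
        findings.append("IP literal instead of domain")
    except ValueError:
        pass  # host is a name, not an IP address
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (IDN) host")
    if host in SHORTENERS:
        findings.append("URL shortener hides destination")
    if port not in (None, 80, 443):
        findings.append(f"unusual port {port}")
    return findings

# Constructed sample payloads (reserved example domains and TEST-NET addresses).
SAMPLES = [
    "https://www.example.com/menu",
    "http://203.0.113.7/pay",
    "https://login.example.com@phish.example.net/",
    "WIFI:S:Guest;T:WPA;;",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", inspect_qr_payload(sample) or "no heuristic fired")
```

An empty result only means that none of these heuristics fired; a phishing page can use HTTPS and an ordinary-looking domain, so the check complements the vigilance described here rather than replacing it.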

To protect your user accounts, you should also always use two-factor authentication. Regularly installing updates for your operating system, apps and security software is also a good way to ensure protection against the latest threats.

You should be particularly careful with emails containing QR codes, especially if these emails come from unknown senders. Check the authenticity of emails that at first glance appear to come from well-known companies or organizations before scanning QR codes or clicking on links.

Protection against quishing: NoSpamProxy recognizes and analyses QR codes

QR code scanning in NoSpamProxy effectively protects you and your company against quishing. The core anti-spam engine in NoSpamProxy recognizes QR codes in emails and attachments and simultaneously evaluates the URLs stored in the QR codes.

If the respective URL is recognized as malicious, NoSpamProxy assigns SCL points (Spam Confidence Level) accordingly and blocks the email. This means that dangerous QR codes do not end up in your employees’ inboxes in the first place and your company is protected.

Not yet using NoSpamProxy?

With NoSpamProxy you can reliably protect your company from cyber attacks. Request your free trial version now!
