The Risks of Quishing and How Enterprises Can Stay Secure

QR codes have surged in popularity in the past two years, mainly due to their convenient and touchless features that streamline daily transactions-making it easy for users to scan and access information quickly. Nearly 89 million smartphone users in the U.S. have scanned a QR code, with growth projected to reach over 100 million users by 2025. However, the increased availability of QR codes have made them perfect tools for cybercriminals to further disguise their malicious links and evade detection. 

Cybercriminals are exploiting QR codes through phishing attacks, exposing employees and organizations to the risk  of data loss, credential theft, and unauthorized access to corporate networks. Understanding the risks and defenses against QR code phishing is becoming imperative, especially for cybersecurity leaders shaping organizational defenses.

Quishing Attacks

QR code phishing, or “quishing,” occurs when cybercriminals embed malicious URLs into QR codes. It’s phishing, but instead of using links or emails, attackers use a QR code to redirect users to a fake website when scanned. Once a victim inadvertently visits a fake website or app that mimics an original one, cybercriminals can collect payment information or initiate an unwanted download to gather additional information. 

Here’s what quishing looks like: 

• Attackers create the malicious QR code. These codes are presented in a trustworthy context, from event information to discounts or payments. 
• Strategically placed codes are key. Attackers will place these codes on public surfaces such as posters, advertising, or packaging. They may send them via email, SMS, or social media posts. 
• Users scan the code. The user scans the code with the camera on their mobile phone, and the device is directed to a URL associated with the QR code, often a fake website intended to look legitimate or install malware.
• The attack is deployed. After visiting the phishing site, the user may be tricked into entering their login credentials, financial information, or other sensitive information. This code can also be used to download  malware to a mobile device to steal data, spy, or take complete control of the device. 

Understanding the mechanics of a quishing attack enables users to stay vigilant while scanning a QR code in public. Phishing websites are a standard tool attackers use to gain user trust and gather information for quishing attacks. 

Here’s what to look for when a QR code is redirected to a potential phishing website: 

• Typos and inconsistencies. Check the website you land on while using a QR code for grammatical mistakes, inconsistencies with the website, and low-resolution graphics. 
• Unrealistic deals or immediate prompts. Phishing websites often lure victims with offerings that are too good to be true or create a sense of urgency for a user to “act now”. 
• Requesting information. Legitimate sites often request information relevant to the task. Beware of sites that request excessive personal or financial information. 

Quishing Attacks in the Wild

The real-life impact of quishing can be profound. Successful attacks have resulted in compromised personal and corporate data, financial loss, and, in some cases, significant reputational damage to businesses. The FTC has recently reported on QR code fraud they were tracking on parking meters where “scammers [are] covering up QR codes on parking meters with a QR code of their own. And some crafty scammers might send you a QR code by text message or email and make up a reason for you to scan it.”   

In another example, while on a hike, an individual encountered a seemingly official QR code plastered on a cardboard sign instructing them to pay for parking. Rather than connecting to a parking payment portal, it directed them to an online entertainment platform subscription, where they were charged a monthly fee of $39.95 for music and video services.

Some crafty attackers may send QR codes via SMS/text message or email, making up a seemingly legitimate reason for users to scan it. Here are some additional ways attackers may try to con individuals into scanning QR codes: 

• They lie and say a package could not be delivered, and now the user will have to contact them to reschedule the delivery. 
• They pretend there is a problem with the user’s account and need them to verify additional information.
• They say they noticed suspicious activity on the user’s account, and urge the user to  change their password for security reasons.

These common but crafty ways are typically deployed to the masses, so attackers try to get as many individuals to fall for the same scam as possible. Social engineering is a way for attackers to make these cons feel real by using personal information that only a trusted source would know in order to gain trust from the user.

What Kind of Data is Taken During a Quishing Attack?

Quishing attacks often steal various data types, depending on the attacker’s goals. Most attacks are financially motivated, meaning these attackers are either looking for sensitive information to sell on the dark web or using payment information to commit fraud. 

Here’s why it matters: Attackers can use the victim’s personal information to empty their bank accounts, make unauthorized charges to their credit cards, establish new utility accounts, receive medical treatment under their health insurance, and file fraudulent tax returns. 

However, an attacker does not always need a user’s personal information to cause harm. In more targeted attacks, they may specifically aim for login credentials or access to mobile devices to gain entry into corporate data systems, potentially leading to ransomware attacks and other forms of cyber extortion. If your organization uses QR codes for authentication purposes, it is important to be aware of attackers’ strategies. 

How to Detect Quishing Attacks

Detecting quishing attacks can be challenging, but there are some warning signs individuals can look for such as: 

1. Strange Login Attempts: Be wary of unexpected login prompts or authentication requests, especially from unfamiliar websites or applications. 
2. Suspicious Financial Charges: Keep an eye on bank statements and credit card transactions for unauthorized or unusual transactions. If users find unfamiliar transactions, it could indicate that the user’s personal or financial information has been compromised through a quishing attack. 
3. Unfamiliar Apps: Pay attention to any new or unfamiliar apps that appear on the device, especially if they were not downloaded from an official app store. Quishing attacks may involve malicious apps that steal sensitive information or compromise device security. Users must be cautious when prompted to install apps from unknown sources like QR codes. 
4. Battery Drainage: Excessive battery drainage or unusually high data usage on a mobile device could indicate malicious activity, such as background processes running from a quishing attack. Users should monitor their device’s battery performance and data usage to identify any suspicious behavior that may indicate a security threat. 

Employees should notify their security teams as soon as they notice any warning signs to ensure swift action can be taken to investigate and mitigate potential security threats. Early detection and reporting of suspicious activity can help security teams respond effectively, minimizing the impact of potential security breaches. 

How to Protect Your Employees from Quishing

Mobile devices are the primary endpoint used to access corporate data, and 50% of personal devices have been exposed to a mobile phishing attack. What makes mobile devices an attractive target for these quishing attacks is not the data that resides on the device but the access they provide attackers. In a recent study, 78% of employees use their work devices for personal activities, increasing the risk of sensitive corporate data. 

So, how can individuals protect themselves? 

• If they see a QR code in an unexpected location, inspect the URL.
• Do not scan a QR code in an email or text message from unknown or unrecognized senders, especially if it requires users to act immediately. 
• Protect your phone and account by keeping the OS of your mobile device updated. 
• Never reuse passwords and use multi-factor authentication. 

By staying vigilant and acknowledging these warning signs, users can take proactive steps to identify and mitigate quishing attacks sooner rather than later. The best way to protect your employees from QR code attacks is to educate and reiterate the risks of using personal or corporate-owned devices. 

Organizations that cultivate a culture of awareness and proactive communication can enhance the overall security posture and protect against quishing. These best practices can help mitigate the risk of falling victim to quishing attacks and ensure that employees remain vigilant. Additionally, implementing robust security measures, such as multi-factor authentication and mobile threat detection solutions, can provide an extra layer of security and visibility against QR code attacks. 

How Zimperium Can Help 

Enterprise security teams can use Zimperium’s Mobile Threat Defense (MTD) as their mobile-first security solution. Zimperium MTD is a privacy-first application that provides comprehensive mobile device security for enterprises. It is designed to provide security teams with mobile vulnerability and risk assessments, valuable insights into the risk of mobile applications, and threat protection to protect corporate-owned and/or BYO (bring-your-own) devices from advanced mobile threats across device, network, phishing, and app risks and malware vectors. 

Zimperium’s MTD has a powerful built-in QR code scanner, ensuring employees can scan codes with precision and speed to identify associated URLs. Within seconds, the scanners detect if a URL leads to a malicious site, alerting the users and the security team or IT department. With flexible policies, administrators can swiftly block phishing links and other risky URLs associated with quishing scams before they become larger security issues. Zimperium is the only mobile-first security solution that uses an on-device dynamic detection engine to identify zero-day attacks on-device, ensuring device security even when offline and not connected to the network. 

Let us help your organization stay ahead of cybercriminals and safeguard sensitive information. For more information on better protecting yourself against quishing attacks, read our whitepaper here.