Users need to be aware of quishing attacks.

Cybercriminals are using QR codes to steal credentials. (Image – Shutterstock)

Quishing attacks on the rise

  • Quishing is a phishing attack targeting users who scan malicious QR codes.
  • Cybercriminals are also targeting employees via malicious QR codes in emails.

Quishing is the latest phishing method being used by scammers and cybercriminals against unsuspecting users. Over the years, scammers have continued to find new ways to trick victims into exposing their credentials and to steal their funds.

While email remains the number one phishing method, there have also been increasing cases of smishing and quishing. Smishing is a social engineering attack in which fake mobile text messages are used to trick users into downloading malware, sharing sensitive information, or sending funds to cybercriminals.

Quishing is a phishing attack in which a cybercriminal or scammer uses a QR code to trick and manipulate users. Quishing victims typically scan a QR code that redirects them to a website that either downloads malware or steals their sensitive information.

In Southeast Asia, quishing is becoming an increasingly common problem, with more victims being recorded. The Cyber Security Agency of Singapore (CSA) and the police have already issued public alerts on the prevalence of such scams, which have already claimed victims.

In May this year, the Singapore Straits Times reported that a 60-year-old Singaporean had lost SG$20,000 after she scanned a QR code on a sticker offering a free cup of tea. Upon scanning the QR code, the victim downloaded a third-party app onto her Android phone and completed a survey.

Unfortunately, by the time she realised something was not right, when her mobile phone seemed to light up, the scammers had already transferred the funds out of her bank account. This is just one of many quishing cases that have been occurring not only in Singapore but in other countries as well.

Quishing attacks are increasing.

A Tweet explaining how one should be aware of quishing.

How do quishing attacks work?

As the name indicates, quishing attacks are cyberattacks that occur through the scanning of a QR code. While victims are usually those who scan malicious codes pasted over genuine ones, quishing attacks can also arrive via email.

According to Egress, a cloud email security platform provider, quishing attacks can bypass traditional defences such as secure email gateways that scan for malicious links and attachments. Because the link is carried inside a QR code image rather than in the email text, the secure email gateway classifies the quishing email as harmless and delivers it to the inbox.

A victim receiving the email may be prompted to scan the QR code with their mobile camera, which opens the browser on a phishing site; the victim's credentials are then stolen when they log in.
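The gateway gap described above is a detection problem: the lure's link is inside an image, so a scanner that only inspects text links and attachment types sees nothing to block. The following is an added example, not code from the article, Egress or Darktrace. It uses only the Python standard library and assumes the QR image itself is decoded by a separate scanner library; its job is the step before that, surfacing messages that combine an image part with wording urging the reader to scan it and no plain URL in the text. The two sample messages, the sender addresses and the prompt word list are constructed for the demonstration.

```python
"""Triage heuristic for QR-code ("quishing") lures in email.

Added example (not from the article, Egress or Darktrace). Standard library only.
Assumes QR decoding of the image parts is done by a separate tool; the point here
is to surface messages that a link-and-attachment gateway scan would pass.
"""
import email
import re
from email import policy
from email.message import EmailMessage

IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/bmp", "image/webp"}
# Wording typical of a scan lure; constructed list, tune for your own mail flow.
SCAN_PROMPT = re.compile(r"scan (?:the|this) (?:qr )?code|qr code|(?:phone|mobile) camera", re.I)


def triage_message(raw: bytes) -> dict:
    """Parse one RFC 5322 message and report quishing indicators plus a coarse verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    images, text_chunks = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in IMAGE_TYPES:
            payload = part.get_payload(decode=True) or b""
            images.append({
                "name": part.get_filename(),
                "bytes": len(payload),
                "inline": part.get("Content-ID") is not None,  # referenced from an HTML body
            })
        elif ctype == "text/plain":
            text_chunks.append(part.get_content())
        elif ctype == "text/html":
            text_chunks.append(re.sub(r"<[^>]+>", " ", part.get_content()))
    text = " ".join(text_chunks)

    indicators = []
    if images:
        indicators.append("image part present (a QR code can only travel as an image)")
    if SCAN_PROMPT.search(text):
        indicators.append("body urges the reader to scan a code")
    if images and not re.search(r"https?://", text, re.I):
        indicators.append("no URL in the text: the link, if any, lives only inside the image")
    # Flag for review when a scan prompt and an image coincide; the image parts
    # would then go to a QR decoder and the decoded URL through the usual link checks.
    verdict = "review" if images and SCAN_PROMPT.search(text) else "pass"
    return {"subject": str(msg["Subject"]), "images": images,
            "indicators": indicators, "verdict": verdict}


def build_lure() -> bytes:
    """Constructed sample: IT-helpdesk impersonation with an attached 'QR' image."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <helpdesk@example.test>"
    msg["To"] = "employee@example.test"
    msg["Subject"] = "Action required: MFA re-enrolment"
    msg.set_content("Your MFA token expires today. Scan the QR code below with your "
                    "phone camera to re-enrol.")
    # Placeholder bytes with a PNG signature stand in for a real QR image.
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
                       maintype="image", subtype="png", filename="mfa-qr.png")
    return msg.as_bytes()


def build_benign() -> bytes:
    """Constructed sample: ordinary text message with a plain link and no image."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.test"
    msg["To"] = "employee@example.test"
    msg["Subject"] = "Meeting minutes"
    msg.set_content("Minutes are at https://intranet.example.test/minutes/today")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_lure(), build_benign()):
        print(triage_message(raw))
```

The verdict deliberately requires both an image and a scan prompt, since images alone are common in legitimate mail; the "no URL in text" indicator is recorded as supporting evidence rather than used on its own. In a real gateway the `images` list would be passed to a QR decoder and any decoded URL checked like an ordinary link.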

Most quishing victims end up losing money, but there have also been cases of victims having their credentials stolen and used to access sensitive data.

Darktrace, another cybersecurity vendor, detected such an attack when five of its senior employees were sent malicious emails impersonating the company's IT department. The emails, which contained a QR code designed to harvest credentials, were fortunately thwarted by Darktrace in the first instance and never reached the targeted inboxes.

Darktrace also stated that the campaign used novel tactics and techniques before being detected. The attack is another indication of how the attack landscape is moving to target more victims through more sophisticated methods.

Quishing attacks can also come through emails.

Users need to be vigilant when scanning QR codes. (Image – Shutterstock)

Scan QR codes responsibly

As always, whether smishing or quishing, it comes down to the user. Employees and members of the public need to be more careful when scanning QR codes, whether for payment, registration or even receiving funds. Cybercriminals will continue to find ways to use QR codes in more sophisticated attacks, but for users, verifying where a QR code leads is always the first step in protecting oneself.

Businesses need to ensure employees are aware of QR codes in emails and do not simply scan them. Humans have always been the weakest link in cybersecurity and will most likely continue to be so unless caution is exercised.

The following steps can also be followed when scanning QR codes:

  • Be sure to verify the URL after scanning a QR code to ensure that it is the intended website and appears genuine.
  • Always exercise caution when entering personal details, especially financial information, on a site accessed via a QR code.
  • If unsure how to make a payment via a QR code, a user can always pay through a trusted URL instead.
  • Requests that seem odd or come with threats should be reported or double-checked with a secondary source.
  • Some companies suggest downloading their apps via a QR code. Users can instead search for the app in the phone's app store and download it from there.
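The first tip above, verifying the URL after scanning, is the one that can be automated in a scanner app or a help-desk tool. The block below is an added example, not code from the article or from CSA: given the URL decoded from a QR code and the domain(s) the user expects to land on, it flags the patterns a lookalike lure relies on (a non-HTTPS scheme, credentials before the host, raw IP hosts, punycode hosts, URL shorteners, the brand name appearing only as a sub-label of an unrelated domain, and near-miss spellings). The two-level suffix list, the shortener list, the `dbs.com.sg` expected domain and the sample URLs are constructed for the demonstration; the suffix handling is a crude stand-in for a proper public suffix list.

```python
"""Post-scan URL check for QR-code destinations.

Added example, not from the article or from CSA. The suffix and shortener
lists are constructed subsets, not a public suffix list; all sample domains
are illustrative.
"""
import ipaddress
from urllib.parse import urlsplit

TWO_LEVEL_SUFFIXES = {"com.sg", "gov.sg", "edu.sg", "co.uk", "com.au", "co.jp"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "goo.gl"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: 'www.dbs.com.sg' -> 'dbs.com.sg', 'a.b.example' -> 'b.example'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-miss domains such as 'dbz' for 'dbs'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_scanned_url(url: str, expected_domains) -> dict:
    """Return findings for a decoded QR URL against the domains the user expects."""
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append(f"scheme is '{parts.scheme or 'none'}', not https")
    if parts.username or parts.password:
        findings.append("user@ before the host: the real host is what follows the '@'")
    if not host:
        findings.append("no host in URL")
        return {"url": url, "host": host, "registrable": "", "findings": findings,
                "verdict": "do not proceed"}
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address")
    except ValueError:
        pass  # a normal hostname
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        findings.append("internationalised/punycode host: possible homoglyph")
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        findings.append(f"{reg} is a URL shortener; the destination is hidden")
    expected = {registrable_domain(d) for d in expected_domains}
    if reg not in expected:
        for exp in sorted(expected):
            brand = exp.split(".")[0]
            max_dist = 1 if len(brand) < 6 else 2  # short brands: be strict
            if brand in host.split("."):
                findings.append(f"'{brand}' is only a sub-label; registrable domain is {reg}")
            elif levenshtein(brand, reg.split(".")[0]) <= max_dist:
                findings.append(f"{reg} is a near-miss of {exp}")
        findings.append(f"{reg} is not an expected domain {sorted(expected)}")
    verdict = "ok" if not findings else "do not proceed"
    return {"url": url, "host": host, "registrable": reg, "findings": findings,
            "verdict": verdict}


if __name__ == "__main__":
    for sample in ("https://www.dbs.com.sg/personal/login",
                   "http://dbs.com.sg.secure-verify.example/login",
                   "https://bit.ly/3abcde",
                   "https://dbz.com.sg/login"):
        print(check_scanned_url(sample, ["dbs.com.sg"]))
```

The verdict is conservative: any single finding is enough to stop, because the user is about to enter credentials or payment details, and the cost of a false stop is one typed URL (the article's third tip). The expected-domain list is what makes the check meaningful; a scanner that only validates syntax would pass every one of the lookalike samples.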