Quishing: A New Threat On The Rise

First Published:
Last Updated:

The Global State of Mobile Phishing Report recently released sobering findings about mobile phishing attacks. It noted that every quarter, over 50% of personal devices used by a company's employees were exposed to phishing. 

Reports of QR code phishing (or quishing) also grew seven-fold in Q2 of 2022. The most targeted industries include insurance, legal, financial, and healthcare. These industries are highly regulated because their data is more sensitive and valuable. This makes them good targets for cybercrime.

In addition, the Cofense Phishing Defense Center (PDC) reported a significant growth in quishing attempts since May 2023. Quishing campaigns shot up by over 270% month-to-month, and over 2,400% in total. 29% of emails targeting a range of industries contained malicious QR codes. 

This shows that businesses must be aware of the rising threat of quishing. So what is quishing? Let’s get to understand this new threat. 

For background sake, it’s important that we start by a quick understanding of QR code.

What is a QR code? 

Kaspersky defines a QR (quick response) code as a type of barcode that stores a lot of data. Devices can scan a standard barcode in one direction, from left to right. A standard barcode also has numbers only, therefore it contains a small amount of data.

A QR code, however, is decoded in two directions: top-bottom, left-right. This means it can carry much more data. It is not limited to numbers and can include up to 4,000 characters of text. QR codes can also carry phone numbers and website URLs. 

That said, QR codes as a technology are harmless. They can be used safely to authenticate logins, send and receive payments, access Wi-Fi, and more. Quishing is the act of using QR codes maliciously, which is becoming a worrying trend.

What is quishing? 

Quishing is the process of luring an end user to a fraudulent website through a QR code. A QR code can look legitimate, but once scanned, it opens a fake site that prompts users for sensitive information. 

The most common data that scammers gather from QR codes are login credentials and financial information. In some cases, the fake sites can distribute malware that steals company data through mobile devices. 

Quishing is difficult to detect because it moves an end user away from a more secure desktop, laptop, or email client to a smartphone. The McAfee 2023 Consumer Mobile Threat Report identifies bring-your-own-device (BYOD) policies as a key vulnerability. About 23% of mobile threats enter an organization through productivity apps which carry malware. 

For example, a scammer can convince employees to download a fake app through a QR code. The app may promise to boost battery performance or clean up memory space. Since these apps require numerous permissions to operate on the device, they can retrieve every kind of work-related data. 

The concept of Bring Your Own Devices is closely related to Shadow IT, a trend that could also create opportunities for criminals to launch quishing attacks.  Luckily there are excellent Shadow IT prevention tools that you can always deploy to counter this threat. 

Quishing vs. traditional phishing attacks

Cisco defines phishing as a counterfeit communication that appears to come from a reputable source. 

This communication can be via email or text message. It targets unsuspecting users and tricks them into taking action, e.g., downloading malware or giving login credentials. The aim of a phishing cyber attack is to steal money or data. 

Quishing shares similarities with traditional phishing, but there are some key differences: 

  • Quishing uses QR codes as its delivery method. Phishing involves fraudulent emails, websites, or text messages.
  • Quishing requires the end user to scan QR codes using their smartphone camera to open the malicious link. Phishing requires the end user to directly click links, download files, or enter their information into a fake website.
  • Quishing can occur in public spaces because QR codes appear on physical objects, e.g., posters, menus, etc. Phishing typically occurs in private as the end user browses the internet or checks their email. 
  • Quishing disguises the destination URL. Phishing exposes the malicious URL or sender's email address, making it easier to catch a scam. 
  • Quishing targets smartphone and tablet users, although malicious QR codes can be delivered through email. Phishing targets desktop, tablet, and smartphone users alike. 

Depending on the type of data you handle as well as the size of your organization, there are several types of threats that you need to be constantly aware of. Check these top cybersecurity threats from the «lenses» of experienced experts. 

If your company relies heavily on emails, and indeed many organizations do these days, please be guided by our breakdown of the various email attack types

How quishing works 

Quishing typically follows the steps below: 

  • A QR code is created using a legitimate tool or application.
  • The QR code can hold a legitimate-sounding offer, e.g., to update login credentials, get a discount, or sign up for a free product. 
  • The scammer then embeds a malicious link or command into the QR code, which redirects users to a fraudulent website or app. 
  • The link is disguised using a URL shortener to fool the end user. 
  • The QR code is distributed in various ways, e.g., on posters, flyers, emails, products, social media, or legitimate-looking websites.
  • Once an end user scans the QR code, the scammers collect their data. They can also hijack an email account to distribute more QR codes to the user's contacts. 

In many cases, quishing campaigns urge the end users to act quickly. One common tactic is to threaten that the user will be locked out of their accounts permanently, and they need new login details to prevent this action. 

Such threats also have a time limit, typically between 24 and 48 hours. The objective is to encourage the user to scan the QR code without questioning or verifying it first. 

In other cases, the emails, posters, or social media content hosting the QR code appear very convincing. For example, a scammer can use a company's corporate logos, fonts, and tone of voice to create an email layout or website. 

Such content usually claims to come from a bank, a cloud hosting site, or even a company's IT department. At a glance, the end user may believe that the QR code is authentic. However, the code contains a malicious link that compromises their data. 

Please make use of these best practices for preventing data loss

Recent examples of quishing campaigns

The first malicious attacks through QR codes occurred in September 2011. It was recorded in the Monthly Malware Statistics report by Kaspersky Labs. 

Russian cybercriminals used QR codes to direct victims to download trojans. The codes led to android apps like Jimm and Opera Mini. Unfortunately, these apps were fake and carried malware. 

The malware forced devices to send text messages to a premium service number. Each message cost the victim about $6, a steep price for an unintended subscription. 

Since then, quishing has become a popular avenue for hackers. The following are some more examples of quishing.  

1. Abnormal Security quishing attempts

In 2021, Abnormal Security intercepted and blocked over 200 emails sent to their clients. These fraudulent emails contained QR codes asking users to enter their Microsoft 365 credentials. 

The codes offered recipients a transcript of an encrypted voicemail. To see the transcript, users needed to log in to their Microsoft accounts.

The scammers had a legitimate Outlook account, enabling them to bypass email security detection. Their scam emails mimicked real Outlook features that the victims were familiar with. They also used Amazon and Google services to host the phishing websites.

Despite their benign look, these quishing emails showed other signs of fraud, e.g., suspicious content and compromised email accounts. A combination of these signs alerted Abnormal to their nature. The company stopped the messages from reaching their intended recipients. 

2. HP Wolf Security Chinese quishing campaign 

In November 2022, HP Wolf Security discovered a quishing campaign in the Chinese language. The fraudulent emails contained a Word document claiming that the recipient had received a government grant. 

The fake grant was a labor subsidy jointly issued by the Ministry of Finance and other administrative bodies. The recipient was required to scan the QR code using the WeChat messaging app. The link would then lead to a phishing website, where victims would fill out a form for «QR code authentication.»  

In this case, the attempt appeared legitimate because it had government logos and used formal language. It added a financial incentive, the fake grant, to encourage the victims to scan the code. It also informed recipients that they would miss out on the grant if they did not complete their applications within a week.

The website linked to the QR code was a fake version of an enterprise communication platform used in China. It then required victims to validate their accounts within 24 hours to access the grant. These credentials would be highly valuable to the scammers. 

3. Darktrace quishing interception

AI cybersecurity firm, Darktrace, intercepted a quishing attack on one of its clients in June 2023. Five senior employees in a tech company received malicious emails that appeared to come from their in-house IT department. 

The emails contained a QR code that asked for login credentials. The emails all came from different senders, but they had the following features: 

  • A sense of urgency: The emails contained the words «important», «urgent», and «required.» 
  • Two-factor authentication (2FA): The emails directly asked the recipients to set up 2FA to boost their credibility. 
  • Impersonation attempts: The email headers had «it-desk» and «IT» in their fake domain names to reduce the chance of a validation check. 
  • Hijacked domains: In some of the emails, the sender's domain name belonged to a recently-acquired business. This showed that the scammers had researched their targets comprehensively. 

The Darktrace team identified these quishing emails early and prevented them from reaching their clients. 

Signs of a fraudulent QR code

Quishing codes all have clear warning signs, but recipients must pay close attention to identify them. These include: 

  • A destination website filled with errors, e.g., spelling mistakes, poor quality images, and inferior website design 
  • A URL beginning with HTTP instead of HTTPS 
  • Shortened or unreadable URLs disguising the true destination site
  • Destination URLs requiring an action, e.g., entering credentials, resetting a password, or downloading an app 
  • Suspicious attachments, e.g., voice messages, receipts, faxes, or zip files. 

How to protect your organization from quishing attacks

We acknowledge that most companies have some form of email and device security in place. These include anti spam filters, email security gateways, and antimalware software. 

Unfortunately, these security controls focus more on desktops and laptops than mobile devices. Since quishing depends on end users to scan QR codes on their smartphones, employee training and awareness is the best way to shield against these attacks. 

As an organization, you can train staff about quishing in the following ways:

1. Quishing impacts

Employees must be aware of the risks involved in quishing, such as identity theft, financial losses, and ransomware. These risks can affect them as individuals besides risking the organization.  

2. Threat detection and reporting 

Educate employees about how to spot and report quishing attempts. There should be clear guidance on QR handling, whether they're within company emails or from outside environments. 

3. Source and destination verification 

Employees should use QR code scanners that allow them to preview the destination links. These apps should also display a confirmation before opening the links. 

This small feature protects end users from getting automatically redirected to malicious websites. Good examples of QR code readers we can recommend include raiders by Denso Wave and Kaspersky. 

4. Enforcing cybersecurity policies 

Refresh and upskill employees' knowledge of cybersecurity best practices. These include the importance of multifactor authentication (MFA), URL inspection techniques, and the ability to comprehend the latest social engineering tactics.

Technical Countermeasures to Combat Quishing Attacks

While employee training and awareness are crucial, they are not the only lines of defense against Quishing attacks. Organizations can employ a variety of technical solutions to identify and block these threats:

  • Content filtering algorithms can be developed to scan incoming emails for images resembling QR codes, flagging them for further inspection.
  • Regular expressions can be used to detect patterns in email content that may indicate a Quishing attempt.
  • Sandboxing techniques can automatically scan QR codes in a controlled environment to determine their legitimacy.
  • Additionally, Optical Character Recognition (OCR) can be used to read QR codes and apply existing URL filtering rules to the URLs they encode.
  • Hash matching can also be employed to compare incoming QR codes against a database of known malicious codes.

These technical countermeasures can work in tandem with user education to provide a multi-layered defense strategy against Quishing.

The COVID factor in accelerating quishing 

According to IRONSCALES, cases of QR code attacks among its clients grew by 453% between January and July 2023, compared to the same period last year. 

While quishing incidents seem to be accelerating at an alarming rate as the IRONSCALES case demonstrates, several IT and cybersecurity experts including here at IT Companies Network point to the Covid-19 pandemic as a contributing factor. 

Why the COVID factor? Many businesses adopted QR codes to enable low and no-contact interactions, such as restaurant menus, self-checkout systems, and digital wallets.

Further, governments across the world used QR codes for contact tracing during the pandemic. In the UK, for example, the National Health Service (NHS) integrated a QR code scanner to enable users to check into various venues. The app was closed down in April 2023. Other countries that implemented QR codes for contact tracing include Australia, Singapore, and China

From a cybersecurity perspective, it was only a matter of time until malicious actors took note of this trend and started to take advantage of QR codes. 

The adoption of QR codes in everyday life exposes individuals and businesses to quishing, giving hackers numerous opportunities for exploitation.

Danny 2 months ago #
Great article covering the various aspects of Quishing! I noticed that the focus is primarily on awareness and training. However, many in the tech community are looking for more immediate, technical solutions. For instance, some are using Kusto Query Language (KQL) to identify potential Quishing emails in Office365. What are your thoughts on implementing technical countermeasures like these, and do you think they can be effective in the absence of third-party solutions?
Joseph Harisson Joseph Harisson 2 months ago #
Hi, Danny. Thank you for your insightful question! We've recently added a section to the article that delves into various technical solutions, such as content filtering algorithms, regular expressions, and sandboxing techniques.

Using Kusto Query Language (KQL) queries, as you mentioned, is an excellent example of a technical approach to identify potential Quishing emails. It's a proactive measure that can flag suspicious emails for further inspection, thereby reducing the chances of a successful attack. Here's a sample KQL query that could be used for advanced hunting:

  1. EmailEvents
  2. where Timestamp > ago(7d)
  3. where AttachmentTypes has "image" or AttachmentTypes has "png" or AttachmentTypes has "jpg"
  4. extend isSuspicious = iif(Subject has "urgent" or Subject has "action required", 1, 0)
  5. where isSuspicious == 1
  6. project RecipientEmail, SenderEmail, Subject, AttachmentNames, Timestamp

However, I want to highlight that no single measure is foolproof. A multi-layered defense strategy that combines technical countermeasures with robust training and awareness programs is often the most effective way to combat Quishing.

I hope this answers your question, and I appreciate your input, which adds another layer of depth to this important discussion.
Our site uses cookies