Aka, Quishing. But what exactly is quishing, and why should we be concerned about it?
Consider the QR code aired during a sporting event. Now, imagine the company behind that commercial had malicious intent. For instance, the QR code displayed during the ad opened your phone’s browser and automatically downloaded and installed a piece of ransomware. Given the number of people who watch the sporting events, the outcome of that attack could have been disastrous.
This is quishing in a nutshell. It’s all about fooling a person (or a number of people) into thinking something is harmless (or necessary), but the true intent is far from innocent. The goal is to access your information, steal your bank account credentials, and more.
The Ubiquity of QR Codes and the Problem That Presents
QR codes are everywhere: in restaurants, mass transportation, commercials, signs, walls, bathrooms, advertisements, and even companies ship their products with QR codes so consumers can access manuals on their phones.
We’ve all just accepted the QR code. And, to that end, we trust them. After all, how harmful can a simple QR code be? The answer to that question is…very. And cybercriminals are counting on the idea that most consumers always assume QR codes are harmless. Those same criminals also understand that their easiest targets are those on mobile phones. Why? Because most desktop operating systems include phishing protection. On the other hand, phones are far more vulnerable to those attacks.
The Modus Operandi of Quishing Attacks
At the moment, most quishing attacks involve criminals sending a QR code via email. Most often, these emails act as a call out for users to verify their accounts, insisting that the user in question must act within a certain time frame, or their account will be locked or closed. The idea is that users would see the QR code in their desktop email and scan it with their phone. Once scanned, the QR code would wreak havoc on the device.
Of course, that’s not the only way a threat actor could use a QR code to dupe people into falling for their scam. QR codes are everywhere. What’s stopping a cybercriminal from plastering QR codes everywhere, knowing some innocent bystander would scan the code to unleash whatever attack was planned?
How Can You Protect Yourself?
The simplest thing you can do is not scan QR codes…especially those from unknown sources. The only time you should ever scan a QR code is after you have verified the source. Even then, you should only scan it if I absolutely have to.
If you receive an email with a QR code, the first thing you should do is verify the validity of the sender. For example, if you receive an email with a QR code that purports to be from Company X, but you look at the sender’s email, and it’s from Gmail or some random (unknown) domain, chances are that’s a quishing attack.
The best advice is that any QR code in an email should never be scanned. Legitimate companies will always send instructions on doing whatever you need to do. And most companies are certainly not going to send a QR code so you can verify your account. As for the random QR codes you encounter in the world? Just don’t. If you allow your curiosity to get the best of you, you might not enjoy the consequences.
Unless you are 100% certain of the source of a QR code, never scan it with your phone.