Quishing, QR Code Phishing is Here

In my blog post, I look at the rising use of Quishing as a tactic, what it is, and the techniques organisations and individuals can use to reduce the risk of becoming a cyber victim.

What is Quishing? Quishing merges “QR code” and “phishing.” Instead of a clickable link, the email carries the malicious URL inside a QR code image, so the victim scans it with a phone camera and the browsing happens on a device that usually sits outside the organisation’s mail filtering and web proxies. Here’s how it typically unfolds.

A deceptive email arrives: Quishing attacks often commence with persuasive emails that appear urgent or critical. These emails may impersonate trusted sources, such as HR departments, financial institutions, technology suppliers or government agencies, and typically contain a QR code, sometimes as an attached image or PDF rather than in the message body.

A QR code is added for you to scan conveniently: The email instructs you to scan the QR code to update your account, verify your identity, confirm a transaction, or complete some other action the attacker wants you to take. Because the link is encoded in an image rather than written as text, mail filters that inspect URLs may never see it, and the scan deliberately moves you from a managed mail client onto a phone.

Using a Captcha ruse to create credibility: After scanning, you may be directed to a counterfeit webpage featuring a Captcha verification step. This serves the attacker twice: it makes the scam look like a legitimate security measure, and it stops automated URL scanners and sandboxes from reaching the phishing page behind it.

An expertly copied login page: The gap between a genuine login page and a phishing page continues to shrink. Completing the Captcha leads you to a fake login page that mimics a real service, such as your email, vendor portal or bank account. Here, cybercriminals capture the credentials you type in.

How to shield yourself from Quishing

Here are steps you can take to fortify your defences:

Inspect the Email: Scrutinise the sender’s actual email address, not just the display name, which can say anything. For example, if you receive an email purportedly from your vendor or bank but it comes from an address like “bankupdate@gmail.com” instead of “info@yourbank.com,” treat it as a likely phishing attempt. Bear in mind that a correct-looking domain is not proof on its own: the From address can be spoofed where the sending domain has not deployed SPF, DKIM and DMARC.

QR Code Vigilance: If you get an email from an unfamiliar source requesting you to scan a QR code for a “free prize,” consider it a potential threat. A QR code cannot be hovered over like a link, but most phone camera apps display the decoded URL before opening it, so read that URL rather than tapping through. Always validate such requests through a trusted channel, like contacting the company directly using a number or address you already have.

Captcha Caution: Be wary of Captcha pages that pop up post-scanning a QR code. Legitimate websites seldom employ Captchas in this manner. For instance, if you scan a code and encounter a Captcha that asks you to solve math problems or decipher distorted text, it’s probably a scam.

Verify the Website: Before entering any login credentials, carefully scrutinise the website’s URL. Watch for misspellings, unusual domain names, or irregularities in the web address. For instance, a phishing site might use a URL like “yourbank-login.com” instead of the legitimate “yourbank.com,” or place the real name in front of an attacker-owned domain, as in “yourbank.com.example-login.net,” where the site is actually “example-login.net.” The padlock icon only means the connection is encrypted; it says nothing about who owns the site.

Report Suspicious Emails: If you receive an email that raises suspicion, promptly report it to your organisation’s IT department or use the report-phishing button in your mail client. Swift reporting lets the security team block the domain and pull the same message from other people’s mailboxes before they scan it.
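The sender and URL checks above can be written down as code. The following is an added example, not code from the original post or from BIT Security; it assumes a constructed list of trusted domains (yourbank.com and vendor.example) and a constructed list of consumer mail providers, and it uses a two-label rule for the registered domain where a production tool would consult the Public Suffix List. It goes a little beyond the post’s single example by also catching the “trusted-name-as-subdomain,” userinfo (“https://yourbank.com@evil.net”) and punycode tricks.

```python
"""Triage checks for a quishing lure: the sender address and the URL a QR
code decodes to. Added example; not code from the original post."""
from urllib.parse import urlsplit

# Assumption (constructed for this example): the domains the reader trusts.
TRUSTED_DOMAINS = {"yourbank.com", "vendor.example"}
# Assumption: consumer mail providers a bank or vendor would not send from.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}


def registered_domain(host: str) -> str:
    """Last two labels of a hostname: 'login.yourbank.com' -> 'yourbank.com'.
    Assumption: a two-label suffix is enough for the domains above; a real
    deployment would use the Public Suffix List to handle names like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_sender(address: str) -> list[str]:
    """Findings for the From: address; an empty list means nothing suspicious.
    The display name is ignored on purpose: it can say anything."""
    findings = []
    if "@" not in address:
        return ["sender address has no domain part"]
    domain = address.rsplit("@", 1)[1].strip().rstrip(">").lower()
    if domain in FREEMAIL_DOMAINS:
        findings.append(f"sender uses a consumer mail provider: {domain}")
    if registered_domain(domain) not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {domain} is not a trusted domain")
    return findings


def check_url(url: str) -> list[str]:
    """Findings for the URL decoded from the QR code."""
    findings = []
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    if not host:
        return ["no hostname in URL (not an http(s) link?)"]
    if parts.scheme != "https":
        findings.append(f"scheme is '{parts.scheme}', not https")
    if parts.username is not None:
        # https://yourbank.com@evil.net/ : the browser connects to evil.net
        findings.append(f"text before '@' is userinfo, not the host; real host is {host}")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("hostname uses punycode (possible lookalike characters)")
    reg = registered_domain(host)
    if reg in TRUSTED_DOMAINS:
        return findings
    # Lookalikes: a trusted brand name embedded in, hyphenated onto, or
    # prefixed as a subdomain of, an attacker-controlled domain.
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in host:
            findings.append(
                f"hostname {host} contains '{brand}' but registers as {reg}, not {trusted}")
            break
    else:
        findings.append(f"hostname {host} is not a trusted domain")
    return findings


def triage(sender: str, qr_url: str) -> dict[str, list[str]]:
    """Run both checks on one message."""
    return {"sender": check_sender(sender), "url": check_url(qr_url)}


if __name__ == "__main__":
    # Constructed samples: one genuine message and three lures.
    samples = [
        ("info@yourbank.com", "https://login.yourbank.com/verify"),
        ("bankupdate@gmail.com", "https://yourbank-login.com/"),
        ("Your Bank <alerts@yourbank.com.evil.net>", "https://yourbank.com@evil.net/login"),
        ("it@vendor.example", "http://xn--80ak6aa92e.com/"),
    ]
    for sender, url in samples:
        print(sender, url, triage(sender, url))
```

A message with any finding at all should be reported rather than acted on; the checks are a reading aid for the URL the phone shows you, not a substitute for verifying through a known-good channel.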

Quishing is a shrewd and ever-evolving phishing technique that exploits our trust in QR codes and email communications. By grasping its modus operandi and maintaining a vigilant stance, you can safeguard yourself against falling prey to this emerging menace. Constantly scrutinise emails, QR codes, and websites, and promptly report any dubious activity to the relevant authorities.

Where digital security falls on everyone’s shoulders, awareness and caution are our strongest allies in the battle against Quishing and other cyber threats.

Blog Contributor, Clay. BIT Security’s SME for Phishing Security

If you are looking for advice on technology, processes or skills to defend your digital operation, contact our team using our Contact Us page link below.

Contact us – BIT Security (thinkbitsecurity.co.uk)