What is a quishing attack?

Cybercriminals have become increasingly skilled and sophisticated in their tactics, making it harder for individuals and organizations to detect and prevent quishing attacks.
by James Dyer
Published on 26th Apr 2023

Phishing attacks have been the most persistent and widespread form of cybercrime for decades, but cybercriminals' tactics and methods are continually evolving. In the past, attacks were simpler and easier to spot. However, as technology has advanced, and more people go online, cybercriminals have become more sophisticated in their methods, making their attacks harder to detect.

Despite the changes in delivery and tactics, the core principles of phishing attacks have remained largely unchanged over time, with the primary objectives being to gain access to sensitive credentials or data, obtain fraudulent payments, or infect systems with malware. The evolution lies in the ways cybercriminals present and deliver phishing attacks.

Attackers have become increasingly skilled and sophisticated in their tactics, making it harder for individuals and organizations to detect and prevent them. They also keep up to date with the latest news and technological trends, so they can weaponize this information and tailor their phishing attacks accordingly. As a result of the resurgence of QR codes during the COVID-19 pandemic, ‘quishing’ attacks have risen in popularity in recent years. These attacks employ a QR code to lead victims to a fake website.

In this article, we'll explore the concept of quishing attacks in depth, including how they work, common techniques used by attackers, and best practices for avoiding falling victim to them. For a broader introduction to the topic of phishing, read our Ultimate Guide to Phishing, which answers questions like ‘What is phishing?’.

What is a quishing attack?

QR codes, which stand for "quick response" codes, were first invented in 1994. However, their use was initially limited until the outbreak of COVID-19. Since then, QR codes have experienced a resurgence in popularity because they offer touch-free access to information without typing in a web address. Unfortunately, cybercriminals have also recognized an opportunity.

The word ‘quishing’ is a merging of ‘QR’ and ‘phishing’, and in a quishing attack, cybercriminals will use a QR code to direct traffic to a fraudulent website. Once on the website, cybercriminals can use social engineering techniques to manipulate users into giving away personal information or financial details.

Quishing attacks have become popular with cybercriminals because they can bypass traditional defenses like secure email gateways (SEGs), which scan for known malicious links and attachments. When the link is embedded in a QR code image rather than written in the email, the SEG cannot read the URL inside the image, so it often classifies the quishing email as harmless. As a result, these emails are delivered directly to the inbox.

How does quishing work?

A quishing attack starts with the QR code itself, which must be created before it can be delivered to the victims (usually via email). These days, it is relatively easy for a cybercriminal to create a QR code and link it to a phishing website. The QR code is then embedded within a phishing email that claims the victim must scan the code to access some information. For example, a common tactic is to invite people to access an encrypted voice message via a QR code. The victim scans the QR code with their phone camera, which opens the browser and takes them to a phishing website. At this point, a site pop-up might ask the victim for their login credentials, which can be harvested and sold or used directly to launch further attacks.

New QR codes can be made quickly, meaning it’s unlikely they’ll be reused, recognized, and caught by a SEG’s blocklist. Consequently, quishing can be classified as a zero-day attack, and because of the way SEGs work, organizations need an integrated cloud email security (ICES) solution, such as Egress Defend, to analyze other markers within the emails and detect these advanced attacks.
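The "other markers" idea above can be illustrated with a small heuristic: because the phishing URL is locked inside an image that a link scanner cannot read, a detector can instead look at the combination of an image part, no visible links, a "scan the code" instruction, urgency, and a voice-message style lure. The following is an added example written for this article, not Egress Defend's code or algorithm; the phrase lists and the scoring threshold are assumptions, and both messages are constructed sample data.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Phrases a quishing lure tends to combine (assumed heuristics, not a vendor's model)
SCAN_PHRASES = ("scan the qr code", "scan this qr code", "scan the code below")
URGENCY_PHRASES = ("within 24 hours", "immediately", "urgent", "will be deleted")
LURE_PHRASES = ("voice message", "voicemail", "verify your account", "password")

def quishing_indicators(raw: bytes) -> dict:
    """Score a raw RFC 822 message for quishing markers a link scanner would miss."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text, image_parts = "", 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            image_parts += 1          # the QR code travels as an opaque image
        elif ctype in ("text/plain", "text/html"):
            text += part.get_content().lower()
    # every http(s) URL the message text itself exposes to a SEG
    visible_links = len(re.findall(r"https?://", text))
    flags = {
        # image with no visible link: the only "link" is inside the picture
        "image_no_links": image_parts > 0 and visible_links == 0,
        "scan_instruction": any(p in text for p in SCAN_PHRASES),
        "urgency": any(p in text for p in URGENCY_PHRASES),
        "lure": any(p in text for p in LURE_PHRASES),
    }
    flags["score"] = sum(1 for v in flags.values() if v)
    return flags

def is_suspected_quishing(raw: bytes, threshold: int = 3) -> bool:
    return quishing_indicators(raw)["score"] >= threshold

def build_message(body: str, image_name: str) -> bytes:
    """Construct a sample message with one text part and one PNG attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"   # constructed placeholder addresses
    msg["To"] = "user@example.com"
    msg["Subject"] = image_name
    msg.set_content(body)
    # PNG signature plus padding stands in for a real QR-code image
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
                       maintype="image", subtype="png", filename=image_name)
    return msg.as_bytes()

# Constructed lure modelled on the voice-message pretext described above
LURE = build_message("You have an encrypted voice message. Scan the QR code below within 24 hours to listen.", "voicemail.png")
# Constructed benign message: an image, but no instruction, urgency or lure
BENIGN = build_message("Here is the photo from Friday's team lunch.", "lunch.png")
```

Run as a script or import it; `quishing_indicators(LURE)` raises all four flags while the benign message only trips the image-without-links flag, which on its own is below the threshold.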

Quishing: how does it differ from smishing and vishing?

Quishing, smishing, and vishing are all examples of social engineering cyberattacks where cybercriminals use deception to trick their victims into performing an action – such as transferring funds, paying fake invoices, or disclosing login credentials. These attacks frequently employ similar social engineering tactics, such as:

  • Urgency: Cybercriminals often create a sense of urgency to pressure their victims into acting quickly and without thinking things through
  • Plausibility: If the request resembles something the victim does regularly or is associated with a current trend, they may perform it unconsciously
  • Familiarity: Spear phishing and impersonation attacks can be customized to the target and often claim to be from an authority figure or a trusted source
  • Confidentiality: Victims are often asked to keep the requested action quiet, in turn making it less likely to be recognized as a cyberattack

Although these attacks may use similar methods, the difference between quishing, phishing, smishing, and vishing lies in how the attack is delivered.

  • Phishing attacks are delivered via email
  • Smishing attacks are delivered via SMS
  • Vishing attacks are delivered via a phone call
  • Quishing attacks are delivered via a QR code

Detecting and stopping quishing attacks

Organizations can focus on awareness to help employees prepare for these attacks, including offering the advice below. However, where there are people, there will be mistakes. It is vital for organizations to deploy an ICES solution such as Defend to decrease the chance of successful attacks, as well as increase security awareness through contextual banners that offer real-time teachable moments.

  • After scanning a QR code, verify the URL to ensure that it is the intended website and appears genuine
  • Exercise caution when entering personal, financial, or login information from a site accessed via a QR code
  • Avoid making payments through a site accessed through a QR code; instead, manually enter a known and trusted URL to complete the transaction
  • Be wary of unusual and urgent requests, particularly if they come with threats
  • Do not download an app directly from a QR code; instead, search and download it from your phone's app store

By raising awareness of these guidelines, organizations can help their employees identify and handle quishing attempts before attackers steal valuable data. However, businesses should augment their defenses with an ICES solution such as Egress Defend, which alerts users to potential risks before they click and can block visits to phishing websites.

Malicious QR codes alone are ineffective without a delivery mechanism, which, in many cases, is email. Therefore, preventing quishing attacks requires identifying and neutralizing the malicious emails that contain the QR codes.

Traditional anti-phishing solutions, including SEGs, often rely on recognizing known payloads to detect phishing attacks. However, ICES solutions like Egress Defend use intelligent algorithms to analyze the content and context of emails. By detecting signs of a compromised account or suspicious sender behavior, these solutions can more effectively stop quishing attacks.