What is a QR phishing (‘quishing’) attack?

Cybercriminals have become increasingly skilled and sophisticated in their tactics, making it harder for individuals and organizations to detect and prevent quishing attacks.
by James Dyer
Published on 6th Dec 2023

Phishing attacks have been the most persistent and widespread form of cybercrime for decades, but cybercriminals' tactics and methods are continually evolving. In the past, attacks were simpler and easier to spot. However, as technology has advanced, cybercriminals have become more sophisticated in their methods, making their attacks harder to detect.

Attackers keep up to date with the latest news and technological trends, so they can weaponize this information and tailor their phishing attacks accordingly. As a result of the resurgence of QR codes, ‘quishing’ attacks have risen in popularity in recent years. These attacks use a QR code to lead victims to a fake website.

In this article, we'll explore quishing attacks in depth: how they work, the common techniques attackers use, and best practices for avoiding them. For a broader introduction to phishing, see the Ultimate Guide to Phishing.

What is a quishing attack?

QR codes (‘quick response’ codes) were invented in 1994, but their everyday use was limited until the outbreak of COVID-19. Since then they have enjoyed a resurgence in popularity because they offer touch-free access to information. Unfortunately, cybercriminals have recognized the opportunity too.

The word ‘quishing’ is a merging of ‘QR’ and ‘phishing’. In a quishing attack, cybercriminals use a QR code to send victims to a fraudulent website. Once the victim is on the site, the attackers use social engineering techniques to manipulate them into handing over personal information or financial details, or into downloading malware.

Quishing has become popular with cybercriminals because it sidesteps a common control: secure email gateways (SEGs) that scan for known malicious links and attachments. In a quishing email the URL is not in the message text or in a hyperlink; it is encoded in the pixels of an image. A gateway that does not extract and decode QR codes therefore never sees a URL to check, classifies the message as harmless, and delivers it straight to the inbox.

How does quishing work?

A quishing attack starts with the QR code itself, which is then delivered to victims (usually via email). These days it is trivial for a cybercriminal to generate a QR code that points at a phishing website. The code is embedded in a phishing email claiming that the victim must scan it to access some information.

For example, a common tactic is to invite people to access an ‘encrypted voice message’ via a QR code. The victim scans the code with their phone camera, which opens the browser and takes them to the phishing website. At this point the site asks the victim for their login credentials, which are harvested and then sold or used directly to launch further attacks. Note that the scan also moves the victim from a managed corporate device to a personal phone, which usually sits outside the organization's web filtering and endpoint controls.

Because a new QR code (and a new landing URL) can be generated in seconds, the same code is rarely reused, so it is unlikely to be recognized and caught by a secure email gateway's (SEG) blocklist. From the gateway's point of view, every quishing email is a never-before-seen attack. Given these limits in SEG detection, organizations need an integrated cloud email security (ICES) solution, such as Egress Defend, that analyzes other markers within the email to detect these advanced attacks.

Defend analyzes the threat potential of each email based on a variety of markers, including history with that sender address, linguistic analysis, email authentication details and the presence of QR codes. Emails that contain QR codes carry a descriptor on the Defend summary page warning users to be careful when entering personal or confidential details into a website reached via a QR code. When a QR code in an email is identified as malicious, Defend automatically disables it.
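The two points above, that the link in a quishing email lives in an image rather than in a hyperlink, and that detection therefore has to rest on other markers of the message, can be made concrete with a small Python script. This is an added example, not Egress's code and not a description of how Defend works: it builds a constructed ‘encrypted voice message’ lure as a MIME message (the PNG bytes are a placeholder, not a real QR image), then scores the message on structural and linguistic markers: an inline image with no clickable URL anywhere in the body, lure phrases, and a sender domain that differs from the recipient's. The phrase list, weights and thresholds are assumptions chosen for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Phrases that commonly accompany a QR image in quishing lures (assumed list).
LURE_PHRASES = ("scan the qr", "voice message", "voicemail", "multi-factor",
                "authenticator", "within 24 hours", "expires", "reset your password")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
HREF_RE = re.compile(r"href\s*=\s*[\"']([^\"']+)", re.I)
CID_RE = re.compile(r"src\s*=\s*[\"']cid:([^\"']+)", re.I)
TAG_RE = re.compile(r"<[^>]+>")

# Placeholder image bytes: only the MIME structure matters for this example.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64


def build_quishing_sample() -> bytes:
    """Constructed lure: 'voice message' pretext, QR image inline, no hyperlink at all."""
    m = EmailMessage()
    m["From"] = "Voicemail Service <no-reply@voice-notify.example>"
    m["To"] = "alice@corp.example"
    m["Subject"] = "You have 1 new encrypted voice message"
    m.set_content(
        "<p>Scan the QR code with your phone camera within 24 hours to listen.</p>"
        '<img src="cid:qr1" alt="QR code">', subtype="html")
    m.add_related(FAKE_PNG, maintype="image", subtype="png", cid="<qr1>")
    return bytes(m)


def build_benign_sample() -> bytes:
    """Constructed internal email with an ordinary link and no image."""
    m = EmailMessage()
    m["From"] = "bob@corp.example"
    m["To"] = "alice@corp.example"
    m["Subject"] = "Minutes from today"
    m.set_content("Minutes are on the wiki: https://wiki.corp.example/minutes/2023-12-06\n")
    return bytes(m)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip(">").lower()


def qr_markers(raw: bytes) -> dict:
    """Score a raw RFC 5322 message for the tell-tale markers of a QR-code lure.

    Heuristic over MIME structure and wording only; it does not decode the QR
    image (that would need a decoder such as zbar run on the extracted image).
    """
    msg = message_from_bytes(raw, policy=policy.default)
    bodies, links, images, referenced_cids = [], [], [], set()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            body = part.get_content()
            links += HREF_RE.findall(body) + URL_RE.findall(body)
            referenced_cids.update(CID_RE.findall(body))
            bodies.append(TAG_RE.sub(" ", body))
        elif part.get_content_maintype() == "image":
            images.append({
                "cid": (part.get("Content-ID") or "").strip("<>"),
                "size": len(part.get_payload(decode=True) or b""),
            })
    for img in images:
        # Rendered in the body (referenced by cid:), not merely attached.
        img["inline"] = img["cid"] in referenced_cids

    text = ((msg["Subject"] or "") + " " + " ".join(bodies)).lower()
    lure_hits = [p for p in LURE_PHRASES if p in text]
    markers = {
        "inline_image_no_link": any(i["inline"] for i in images) and not links,
        "image_only_no_link": bool(images) and not links,
        "lure_hits": lure_hits,
        "external_sender": _domain(msg["From"]) != _domain(msg["To"]),
        "link_count": len(links),
        "image_count": len(images),
    }
    score = 0
    if markers["inline_image_no_link"]:
        score += 3          # the classic quishing shape: picture, no link
    elif markers["image_only_no_link"]:
        score += 2          # image attached but not displayed inline
    score += min(len(lure_hits), 3) + int(markers["external_sender"])
    markers["score"] = score
    markers["verdict"] = "quarantine" if score >= 5 else "banner" if score >= 3 else "deliver"
    return markers


if __name__ == "__main__":
    for name, sample in (("lure", build_quishing_sample()), ("benign", build_benign_sample())):
        print(name, qr_markers(sample))
```

The important design choice is that the score never depends on recognizing the URL, which is exactly what a blocklist-driven gateway needs and a fresh QR code denies it. A production filter would additionally extract the image and decode it so the URL can be checked as well, but the structural markers above are what let a message with an unknown destination still be held back or banner-tagged.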

Quishing: how does it differ from smishing and vishing?

Quishing, smishing, and vishing are all examples of social engineering cyberattacks where cybercriminals use deception to trick their victims into performing an action – such as transferring funds, paying fake invoices, or disclosing login credentials. These attacks frequently employ similar social engineering tactics, such as:

  • Urgency: Cybercriminals often create a sense of urgency to pressure their victims into acting quickly and without thinking things through.
  • Plausibility: If the request resembles something the victim does regularly or is associated with a current trend, they may perform it without thinking.
  • Familiarity: Spear phishing and impersonation attacks can be customized to the target and often claim to be from an authority figure or a trusted source.
  • Confidentiality: Victims are often asked to keep the requested action quiet, in turn making it less likely to be recognized as a cyberattack.

Although these attacks use similar methods, the difference between quishing, phishing, smishing, and vishing lies in how the malicious link or request is delivered.

  • Phishing attacks are delivered via email
  • Smishing attacks are delivered via SMS
  • Vishing attacks are delivered via a phone call
  • Quishing attacks deliver the malicious link inside a QR code (which is itself usually sent by email)

Detecting and stopping quishing attacks

Organizations can focus on awareness to help employees prepare for these attacks. Teach your users to follow the steps below so that they interact with QR codes safely.

  • After scanning a QR code, check the URL before opening it. Most phone camera apps preview the link; read the actual domain, not just the brand name that appears somewhere in it, and make sure it is the website you expected.
  • Exercise caution when entering personal, financial, or login information on a site reached via a QR code.
  • Avoid making payments through a site reached via a QR code; instead, manually enter a known and trusted URL to complete the transaction.
  • Be wary of unusual and urgent requests, particularly if they come with threats.
  • Do not download an app directly from a QR code; instead, search for it and download it from your phone's app store.
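The first step above, checking the decoded URL, is the one people get wrong most often, because a lookalike domain is designed to pass a quick glance. The Python script below is an added example (not from the original article) of the checks a practitioner would automate for a decoded QR payload: it takes the string a QR scanner returns, flags the usual disguises (a trusted name used as userinfo before an '@', a raw IP address, punycode labels, URL shorteners, a trusted domain appearing inside a different registrable domain, non-web payloads such as wifi: or tel:), and compares the registrable domain against an allowlist. The allowlist, the shortener list and the severity thresholds are assumptions for illustration; the registrable-domain helper is a deliberate approximation that a real deployment should replace with a Public Suffix List lookup.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist of domains the organization actually uses.
TRUSTED_DOMAINS = {"corp.example"}
# A few public URL shorteners; a shortener hides the real destination until visited.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}


def registrable_domain(host: str) -> str:
    """Last two DNS labels. Approximation only: use the Public Suffix List in production."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess_qr_payload(payload: str, trusted: set = TRUSTED_DOMAINS) -> dict:
    """Classify the text a QR scanner returned as proceed / caution / block."""
    findings = []  # (severity, explanation)
    payload = payload.strip()
    parts = urlsplit(payload)
    scheme = parts.scheme.lower()

    if scheme not in ("http", "https"):
        # wifi:, mailto:, tel:, sms: or plain text: not a web link at all.
        findings.append(("medium", f"non-web payload ({scheme or 'no scheme'}); do not act on it blindly"))
        return _verdict(findings, False)

    host = (parts.hostname or "").lower()
    if not host:
        findings.append(("high", "URL has no host"))
        return _verdict(findings, False)
    if scheme == "http":
        findings.append(("medium", "plain http: anything typed in travels unencrypted"))
    if parts.username is not None:
        # https://corp.example@evil.test/ shows the trusted name but lands on evil.test
        findings.append(("high", f"userinfo '{parts.username}' before '@' disguises the real host {host}"))
    try:
        ipaddress.ip_address(host)
        findings.append(("high", "host is a raw IP address"))
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(("high", "punycode label: possible homoglyph domain"))

    reg = registrable_domain(host)
    if reg in SHORTENERS:
        findings.append(("medium", f"{reg} is a URL shortener; destination cannot be verified before visiting"))
    trusted_match = reg in trusted
    if not trusted_match:
        for t in trusted:
            brand = t.split(".")[0]
            # corp.example.login-verify.test or corp-example.test: trusted name, wrong registration.
            # Heuristic: short brand names will produce false positives.
            if t in host or brand in reg:
                findings.append(("high", f"'{host}' imitates trusted domain '{t}' but registers as '{reg}'"))
                break
    q = parts.query.lower()
    if "http://" in q or "https://" in q or "http%3a" in q:
        findings.append(("medium", "query string carries another URL: possible open redirect"))
    return _verdict(findings, trusted_match)


def _verdict(findings: list, trusted_match: bool) -> dict:
    severities = {sev for sev, _ in findings}
    if "high" in severities:
        verdict = "block"
    elif "medium" in severities:
        verdict = "caution"
    elif trusted_match:
        verdict = "proceed"
    else:
        verdict = "caution"
        findings.append(("low", "domain is not on the allowlist"))
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for sample in ("https://login.corp.example/sso",
                   "https://corp.example.login-verify.test/voice",
                   "https://corp.example@evil.test/",
                   "http://203.0.113.7/vm",
                   "https://bit.ly/3abc",
                   "WIFI:T:WPA;S:FreeWifi;P:hunter2;;"):
        print(sample, "->", assess_qr_payload(sample))
```

The check is deliberately pessimistic: anything that is not a plain https link to an allowlisted registrable domain comes back as at least "caution", which matches the guidance above to type a known URL rather than trust what the code decoded to.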

People, however, will always make mistakes, and you can't rely solely on their ability to spot advanced phishing attacks. To further protect against the risk posed by QR codes, organizations should deploy an ICES solution such as Egress Defend. This reduces the chance of a successful attack and, through Defend's contextual banners, raises security awareness with real-time teachable moments.

By raising awareness of the QR code guidelines above, organizations can help their employees identify and handle quishing attempts before attackers steal valuable data. Businesses should still augment their defenses with an ICES solution such as Egress Defend, which alerts users to potential risks before they click and can block visits to phishing websites.

Traditional anti-phishing solutions, including SEGs, often rely on recognizing known payloads to detect phishing attacks. However, ICES solutions like Egress Defend use intelligent algorithms to analyze the content and context of emails. By detecting the presence of a QR code and signs of a compromised account or suspicious sender behavior, these solutions can more effectively stop quishing attacks.