Quishing: The Scam You (Probably) Haven’t Heard Of

Cybercriminals are getting craftier. Quishing is the latest threat you need to watch out for.

Quishing is QR (quick response) phishing, and unlike traditional phishing—or traditional traditional fishing—quishing uses QR codes to trick you into visiting malicious websites or downloading harmful content.

Unfortunately, quishing attacks are rising—and quickly. QR code phishing has increased from just 0.8% of all cyberattacks in 2021 to nearly 11% in the first half of 2024.

What Is Quishing?

Quishing involves attackers creating QR codes that redirect victims to malicious websites. These codes can be embedded in emails, social media posts, printed materials, websites, or physical locations like restaurants, medical offices, or bus stops.

The pandemic led many businesses—particularly restaurants—to transition to QR codes for customers to access menus, check in for appointments, or even pay for purchases.

More than one-third of smartphone users scan at least one QR code per week, and almost 90% of all consumers have scanned a QR code at least once in their lives.

QR codes are no longer a novelty. They’ve become a significant part of our lives. Scanning a QR code while shopping or eating at a restaurant wouldn’t be out of the ordinary.

And it wouldn’t be strange to see a QR code in an email. An email asking you to scan an embedded QR code to access a document or reset your password is unlikely to raise any red flags—and attackers are taking advantage of this.

How Quishing Works

  1. Creation and Distribution: Attackers create a QR code linked to a malicious website. This QR code looks entirely legitimate. It can be created easily with free online tools, making it a low-cost but highly effective weapon for cybercriminals.
  2. Enticement: The QR code is then shared through various channels. Attackers use social engineering techniques to entice victims. They may promise a free gift or a discount, or demand urgent action, such as verifying account details. These QR codes can appear in phishing emails, social media posts, printed flyers, or posters in public places. By appearing in familiar and trusted contexts, they catch victims off guard.
  3. Scan and Redirect: Once the victim scans the QR code, they are redirected to a malicious site. These sites are designed to look trustworthy, often mimicking legitimate websites. Victims might be prompted to enter sensitive information like login credentials, financial details, or personal data. Alternatively, the site could automatically initiate a download of malware onto the victim’s device. This malware can steal data, monitor activity, or give attackers remote access to the victim's system.

Real-World Examples

Quishing attacks can appear in various forms, targeting individual citizens and specific organizational roles in a company.

Phishing Emails

Phishing emails with embedded QR codes are particularly dangerous. These emails often masquerade as legitimate communications from trusted sources, such as banks, service providers, or internal departments.

For example, an employee might receive an email that appears to be from the IT department, urging them to scan a QR code to access a secure message or update their login credentials.

Why is this a threat to organizations?

  • Increased Credibility: When a phishing email appears to come from within the organization or a trusted service provider or partner, employees are more likely to trust and act on it without hesitation.
  • Data Breach Risks: Once the QR code is scanned, the malicious site can prompt employees to enter sensitive information—often login credentials—which can then be used to infiltrate the organization's network.
  • Malware Distribution: The malicious site might also initiate the download of malware, compromising the security of the employee's device and potentially the entire network.

An email might claim an important update regarding the company’s benefits program. Once scanned, the QR code in the email redirects the employee to a fake login page that looks exactly like the company’s HR portal. The employee, thinking it is a legitimate request, enters their credentials, which are then harvested by the attackers.

From an organizational standpoint, every employee is a potential quishing target. However, members of the C-suite are 42 times more likely to receive a QR code phishing attack than a non-executive employee.





Public Places

QR codes are also placed in public locations like restaurants, public transportation ads, or bulletin boards—places where you would typically find QR codes. These are designed to target a broad audience.

An unsuspecting individual scanning the QR code on the table of a restaurant expecting a menu might be redirected to a malicious website that either collects personal data or installs harmful software on their device.

Fake Promotions

Attackers create QR codes promising free gifts, discounts, or other enticing offers. These codes might be found on posters, flyers, or online advertisements. When scanned, they lead victims to malicious websites designed to steal personal information or install malware.



Why Quishing Is So Dangerous

Quishing poses a unique threat because QR codes are just images. They bypass the traditional security measures that focus on scanning text-based links for malicious activity.

Once a QR code is scanned, the user is exposed to immediate risk without any preliminary warnings from their security software. Unlike conventional email threats that contain detectable text and URLs, quishing attacks use minimal text and no obvious links.

This lack of typical signals makes it difficult for many security tools to identify and block these threats. By embedding malicious links within QR codes, attackers effectively evade standard email security.
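
The profile described above (an image attached, minimal text, no visible links) can itself serve as a triage signal for mail that a text-based link scanner would pass. The following is an added example, not part of the original article: a heuristic that marks such messages so their images can be handed to a QR decoder. The function names, the word threshold and the sample messages are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)   # also matches href values
LURE_RE = re.compile(r"\b(scan|qr)\b", re.I)          # wording that asks for a scan

def triage(raw: bytes, max_words: int = 80) -> dict:
    """Flag image-bearing mail with little text and no links (hypothetical helper)."""
    msg = message_from_bytes(raw, policy=policy.default)
    images, text = 0, ""
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            images += 1
        elif part.get_content_type() in ("text/plain", "text/html"):
            text += part.get_content() + "\n"
    urls = URL_RE.findall(text)
    words = re.sub(r"<[^>]+>", " ", text).split()     # crude tag strip for counting
    flagged = (images > 0 and not urls
               and len(words) <= max_words and bool(LURE_RE.search(text)))
    return {"images": images, "urls": len(urls),
            "words": len(words), "needs_qr_decode": flagged}

def _sample(body: str, with_image: bool) -> bytes:
    """Build a constructed test message; the image bytes are a placeholder."""
    m = EmailMessage()
    m["From"] = "it-support@example.test"
    m["To"] = "employee@example.test"
    m["Subject"] = "Action required"
    m.set_content(body)
    if with_image:
        m.add_attachment(b"\x89PNG placeholder", maintype="image",
                         subtype="png", filename="code.png")
    return m.as_bytes()

QR_ONLY = _sample("Scan the code below to view your secure message.", True)
LINKED = _sample("Read the update at https://intranet.example.test/benefits", False)

if __name__ == "__main__":
    print(triage(QR_ONLY))
    print(triage(LINKED))
```

A flagged message is only a candidate: the image still has to be decoded and the resulting URL evaluated before any verdict.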

Protecting Yourself from Quishing

Quishing attacks are deceptive and can easily bypass traditional security measures. To safeguard yourself from these sophisticated threats, it's important to be aware of the dangers of malicious QR codes. Some tips on protecting yourself:

  • Verify the Source
    Always check the legitimacy of the source before scanning a QR code. Be cautious of codes in unsolicited emails. When you are in a public place and see a QR code, verify that the code was not tampered with, altered, or covered (like with a sticker) in any way. If something feels off, it's better to err on the side of caution.
  • Inspect the URL
    If possible, verify the URL associated with the QR code before visiting it. Some QR code scanner apps allow you to preview the URL, helping you avoid malicious sites.
  • Make Sure Your Email Security Is Up to the Task
    It’s likely that your email security solution isn’t capable of decoding and analyzing QR codes. Advanced security tools can detect and neutralize threats hidden in QR codes, providing an essential layer of protection against quishing attacks. It's vital to use security software that can keep up with cybercriminals' evolving tactics.

Following these steps can significantly reduce the risk of falling victim to quishing attacks. Stay informed, stay cautious, and ensure your security measures are up to date to protect yourself and your organization from this emerging threat.
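
The "Inspect the URL" tip can be made concrete. The following is an added example, not part of the original article: a check that takes the text decoded from a QR code and lists reasons to distrust it before anyone opens it. The function name, the trusted-domain set, the short shortener list and the sample URLs are assumptions chosen for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}   # small illustrative list

def inspect_qr_payload(payload: str, trusted_hosts: set[str]) -> list[str]:
    """Return findings for a decoded QR payload; an empty list means none."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower() or "none"
    if scheme not in ("http", "https"):
        return [f"not a web link (scheme '{scheme}')"]
    findings = []
    host = (parts.hostname or "").lower().rstrip(".")
    if scheme == "http":
        findings.append("unencrypted http")
    if parts.username is not None:
        findings.append("userinfo before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        findings.append("IP address instead of a domain name")
    except ValueError:
        pass                                      # a normal host name
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible look-alike domain)")
    if host in SHORTENERS:
        findings.append("URL shortener hides the destination")
    trusted = any(host == t or host.endswith("." + t) for t in trusted_hosts)
    if not trusted:
        findings.append(f"host '{host}' is not a trusted domain")
        for t in sorted(trusted_hosts):
            if t in host:
                findings.append(f"embeds trusted name '{t}' in another domain")
    return findings

if __name__ == "__main__":
    trusted = {"example.test"}                    # constructed organisation domain
    for url in ("https://hr.example.test/login",
                "https://hr.example.test.login-portal.example/login",
                "http://203.0.113.7/menu"):
        print(url, "->", inspect_qr_payload(url, trusted) or "no findings")
```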

Quash Quishing with Some Help from HBS

Please stay vigilant. Quishing is a growing threat that preys upon our trust in QR codes. By being cautious and not mindlessly scanning any QR code in our sight, we can protect ourselves from becoming victims.

If you’re not confident that your email security can stop quishing attacks, reach out to our security experts at HBS.

Similarly, if you want help educating your organization about the dangers of quishing, phishing, smishing, or any other cybersecurity threat, HBS is here to help. Contact us today.

©2025 Heartland Business Systems. All rights reserved.
