Be careful what you scan: QR scams increase by 51%


Threat actors are using malicious QR codes to steal valuable data and money. Experts say it’s still difficult to detect and mitigate the threats spread by this method.

So-called ‘quishing’ (QR code-based phishing attacks) often overlaps with the standard phishing playbook. A victim gets an email from a supposedly trustworthy sender urging them to scan an embedded QR code, warning about consequences if the recipient doesn't comply.

Quishing emails often imitate the branding and identities of real companies or banks. In some cases, there's not even a need for mimicking – attackers may already have compromised an organization's email account, enabling them to send messages from a legitimate domain.

QR-code scanning apps often display the encoded link before asking the user whether they want to navigate to it. Quishing attackers work around this by redirecting the scanner to trusted domains of legitimate services or to typo-squatted URLs.

Surge in QR code attacks

A customer incidents analysis by ReliaQuest revealed a 51% surge in quishing occurrences in September 2023, a marked increase from the yearly average.

The cybersecurity firm suggests that the rise in QR code scams may be linked to the growing number of smartphones equipped with built-in QR code scanners or free scanning apps. Users often scan codes without considering their legitimacy, contributing to the problem.

The most popular quishing scenario in the past 12 months was the Microsoft two-factor authentication (2FA) reset or enablement, occurring in 56% of quishing emails.

Targets were sent emails that spoofed Microsoft security notifications. Inside, a PNG or PDF file was attached, asking a user to scan a QR code. If a user were to follow the email instructions, they would be redirected to a phishing page designed to steal their credentials.

Online banking pages were used to trick victims in 18% of phishing attacks. QR codes redirected visitors to fake websites, where visitors were encouraged to enter their personal banking credentials.

In 12% of the incidents, the attacker hid the QR code in a PDF or JPEG file attached to the email. Threat actors try to avoid email filters by sending messages with a harmless or empty body since these filters primarily examine clickable elements.

Although QR code phishing is still a relatively new method, it’s expected to become more complex and widespread because it’s a difficult threat to detect.

ReliaQuest analysts say that references to quishing on prominent cybercriminal forums in 2023 have already surpassed the total figure for 2022. Analysts at the cybersecurity company Cofense reported a 2400% increase in malicious QR codes in emails since May 2023.

Staying safe

For users:

  • Don’t scan QR codes received from strangers
  • Even if a message is from someone you know, first check if your contact has actually sent you the code before clicking on it
  • If a message comes from a government agency, call or email it directly to make sure it is legitimate
  • Some antivirus software comes with QR-scanning functionality – it will prevent you from downloading malicious software
  • Do not enter any personal details or other sensitive information into websites you don’t know

For managers:

  • If you manage a company’s network, educate staff and conduct regular phishing simulation exercises, including quishing.
  • Implement email inbox rules that highlight messages from external senders, to help flag potentially malicious emails to employees.
  • Block or flag emails that contain no body text.
  • Use multifactor authentication (MFA).
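
The "no body text" rule above can be combined with the attachment types the report names as QR carriers (PNG, JPEG, PDF). The sketch below is an added example, not code from ReliaQuest or this article. The 20-character threshold, the block/flag split, and the names `triage`, `visible_body` and `sample` are assumptions made for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment types the article names as QR carriers (PNG, JPEG, PDF).
CARRIER_TYPES = {"image/png", "image/jpeg", "application/pdf"}
MIN_BODY_CHARS = 20  # assumed cut-off for "no body text"; tune per mail flow

def visible_body(msg):
    """Text a reader would see, with HTML tags and whitespace collapsed."""
    part = msg.get_body(preferencelist=("plain", "html"))
    if part is None:  # e.g. the message consists of an image only
        return ""
    text = part.get_content()
    if part.get_content_type() == "text/html":
        text = re.sub(r"<[^>]+>", " ", text)
    return " ".join(text.split())

def triage(raw_bytes):
    """Return 'block', 'flag' or 'pass' for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    # Count inline parts too: a QR image may be embedded, not attached.
    carriers = [p for p in msg.walk()
                if not p.is_multipart()
                and p.get_content_type() in CARRIER_TYPES]
    if len(visible_body(msg)) >= MIN_BODY_CHARS:
        return "pass"
    # Assumed policy: an empty body plus a possible QR carrier is blocked,
    # an empty body on its own is only flagged for the recipient.
    return "block" if carriers else "flag"

def sample(body, attachment=None):
    """Build a constructed test message (not real traffic)."""
    msg = EmailMessage()
    msg["From"] = "security@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Action required: 2FA reset"
    msg.set_content(body)
    if attachment:
        maintype, subtype = attachment.split("/")
        msg.add_attachment(b"\x00constructed", maintype=maintype,
                           subtype=subtype, filename="scan." + subtype)
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(sample("\n", "image/png")), triage(sample("\n")))
```

This heuristic only narrows the set of messages to inspect; confirming that an image actually contains a QR code requires decoding it with an image library.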