Threat researchers have recently witnessed a rise in cybercriminals using email-based quishing attacks to target users. At least one quishing campaign appears to be large-scale, long-running and dynamic, based on attack cadence and variations in the lures and domains the messages use.
What Is Quishing?
Quishing, also known as QR code phishing, involves the victim scanning a QR code (typically received via email). This QR code will direct the victim to a fraudulent website that could install malware or attempt to steal your credentials.
A QR code, or quick response code, is a square barcode that compatible mobile device cameras can read. When a user scans a QR code, it often opens a webpage, although it could also trigger a phone call, text message or digital payment. The QR code is used to avoid traditional malicious email filtering and as a method to force a user to move from a desktop or laptop to a mobile device, which may have weaker anti-phishing protections.
Evidence suggests quishing attacks have increased since the beginning of the COVID-19 pandemic when a growing number of legitimate organisations started using QR codes to enable low-contact transactions. Some restaurants, for example, link QR codes to online menus, rather than providing diners with hard copies. Digital wallets use QR codes to facilitate contactless payments. As users have become increasingly accustomed to interacting with QR codes in daily life, quishing opportunities have increased.
While phishing attacks are often dismissed as unsophisticated, studies and anecdotal evidence suggest that phishing is among the most effective and cost-effective means for carrying out network intrusions. With 3.4 billion spam/phish emails sent every day, according to AGG IT Services, and one in four people reporting they have clicked on a phishing email at work, according to Tessian, phishing attacks and the damage a successful one can cause are often underestimated.
Stay Safe From Quishing Attacks
As with any type of phishing, the best defence against quishing attacks is being able to recognise and distinguish legitimate emails from the malicious ones. Ensure you’re up to date on your security awareness training, report suspicious emails you receive using our Outlook add-in, and follow best practices:
- Never scan a QR code from an unfamiliar source.
- If you receive a QR code from a trusted source via email, confirm this is legitimate via a separate communication method. For example, Microsoft Teams.
- Stay alert for typical red flags, such as a sense of urgency and appeals to your emotions (sympathy, fear, etc).
- Observe good password hygiene by changing your account password frequently and never using the same password for more than one account.
Sources:
Recent Comments