
What Is Quishing (QR Code Phishing)? Think Before You Scan

By: Søren Lassen Jensen Cyber Security | 9 February

Quishing is the new phishing: a deceptive tactic that combines QR codes with phishing. This kind of phishing, also known as QR code phishing, capitalizes on the widespread use of QR codes for various purposes. In this blog post, we'll delve into what quishing is, how it works and, most importantly, how you can make your colleagues aware of this practice and defend your organisation.

QR codes are used everywhere

QR codes are an integral part of modern life. They are used across various industries and applications for their convenience and efficiency. From contactless payments to marketing campaigns, event ticketing to restaurant menus, QR codes offer an easy way of accessing information or performing transactions with a simple scan using your smartphone camera. However, this widespread adoption also presents an opportunity for cybercriminals to exploit the inherent trust placed in QR codes for malicious purposes.

What is Quishing?

Quishing, derived from "QR" (Quick Response) codes and "phishing," refers to a sophisticated form of cyber attack that exploits the trust associated with QR codes to deceive individuals into revealing sensitive information or performing malicious actions. Cybercriminals craft deceptive QR codes that lead unsuspecting victims to malicious websites or initiate harmful activities. 

How does quishing work?

Quishing usually works by stealing your data or by making you download malicious content. Quishing typically follows a sequence like this:

  1. Creation of Deceptive QR Codes: Cybercriminals meticulously design QR codes that closely mimic legitimate ones, making them virtually indistinguishable to unsuspecting users.
  2. Social Engineering Tactics: Employing various social engineering techniques, attackers lure victims into scanning the malicious QR codes. This could involve enticing offers, urgent alerts, or other persuasive scenarios.
  3. Redirect to Malicious Content: Upon scanning, the victim is redirected to a fraudulent website or landing page that masquerades as a legitimate one. This may include fake login portals, phishing forms, or sites designed to distribute malware.
  4. Data Harvesting: Once on the malicious site, unsuspecting victims may unwittingly give out sensitive information, such as login credentials or personal details, which are then harvested by cybercriminals for malicious purposes.

Different Kinds of Quishing Attacks

Here are some of the typical attacks that are performed with QR code phishing:

  • Credential Harvesting Quishing: Targets user credentials by leading victims to counterfeit login pages, aiming to steal sensitive information. 
  • Malware Distribution Quishing: Initiates the download of malware onto the victim's device upon scanning the QR code, potentially compromising the device's security and integrity. 
  • Information Gathering Quishing: Deceives users into providing sensitive information through deceptive forms on malicious websites, which can be exploited for various malicious activities. 

What can you do about QR code phishing?

The best thing you can do is to encourage your employees not to scan any QR codes, especially if they don’t know where the codes are from and if they found them in a random place. Helping your employees stay alert to QR code phishing requires proactive measures and ongoing awareness efforts. Here are some things you can do to train your employees and increase awareness of quishing:

Train your employees in quishing: Provide awareness training sessions to educate employees about the risks associated with QR code phishing. Explain how cybercriminals can exploit QR codes to redirect users to malicious websites or initiate phishing attacks.

Demonstrate Examples: Use real-life examples to demonstrate how QR code phishing works and the potential consequences of falling victim to such attacks. Show your employees different scenarios and highlight red flags to watch out for. 

Promote QR Code Awareness: Encourage employees to be cautious when scanning QR codes, especially those received via email, text messages, or unknown sources. Emphasize the importance of verifying the source and legitimacy of QR codes before scanning them. 

Regular Reminders and Updates: Keep security awareness top of mind by sending regular reminders, updates, and tips related to QR code phishing and other cybersecurity threats. You can, for example, use newsletters and posters to reinforce key messages.

By implementing these strategies and fostering a culture of awareness, you can empower your employees to stay vigilant against QR code phishing and other emerging cybersecurity threats. 

QR code phishing requires awareness

Preventing QR code phishing requires teamwork. By teaching your employees about the risks, promoting awareness, and giving your colleagues tools to verify QR codes, everyone can do their part to keep your organisation safe. Encourage open communication and ongoing learning to ensure everyone stays alert to potential threats.
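
One way to give colleagues a tool for verifying QR codes, as an added example that is not part of the original article: the function below reviews the text decoded from a QR code before anyone opens it and lists the red flags it finds. The trusted domain, the shortener list and the individual checks are assumptions chosen for illustration, and the sample payloads are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions for this example (not from the article): the organisation's
# trusted domains and a small list of public URL shorteners.
TRUSTED_DOMAINS = {"example.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def review_qr_payload(payload):
    """Return a list of warnings for text decoded from a QR code."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return ["not a web link (scheme %r): do not open automatically" % scheme]
    host = (parts.hostname or "").rstrip(".")
    warnings = []
    if scheme == "http":
        warnings.append("unencrypted http link")
    if parts.username is not None:
        warnings.append("text before '@' hides the real host")
    if is_ip_literal(host):
        warnings.append("raw IP address instead of a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label, possible look-alike domain")
    if host in SHORTENERS:
        warnings.append("URL shortener hides the final destination")
    # A trusted name appearing only as a prefix of the host does not count.
    trusted = any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)
    if not trusted:
        warnings.append("host %r is not a trusted domain" % host)
    return warnings

# Constructed sample payloads, as a QR decoder would return them.
SAMPLES = [
    "https://intranet.example.com/menu",
    "https://example.com@login.example.net/reset",
    "http://203.0.113.10/invoice",
    "https://bit.ly/abc123",
    "https://example.com.account-verify.test/login",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", review_qr_payload(s) or ["no warnings"])
```

An empty list only means none of these checks fired; it does not prove that the destination is safe.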