Written by:

Quishing, also referred to as QR code phishing, have been prevalent in the realm of phishing for several years now. The use of QR codes in phishing attacks became prominent around 2019 and the techniques and tactics used have continued to evolve since then.

In January 2022, the FBI issued a warning regarding the manipulation of QR codes by cybercriminals. The perpetrators exploit this technique to redirect unsuspecting victims to fraudulent websites aimed at stealing their login credentials and financial information.

There is a noticeable rise in phishing emails that exploit QR codes, bypassing email protections, and it is important for organisations to fully grasp the risks associated with these attacks. This article explores the growing prevalence of QR code phishing attacks and offers valuable tips and recommendations for organisations to mitigate this emerging threat.

The Rise of QR Code Phishing Attacks

Phishing attacks exploit human vulnerabilities to gain unauthorised access to sensitive information or networks. QR code phishing attacks involve the use of malicious QR codes that, when scanned, redirect users to fraudulent websites or prompt them to download malicious content. These attacks leverage the widespread adoption of smartphones equipped with QR code scanning capabilities, making it easier for attackers to target a large user base.

One factor contributing to the rise of QR code phishing attacks is the increasing popularity of QR codes in various aspects of daily life. They can be found on product packaging, promotional materials, event tickets, and even restaurant menus. This ubiquity makes it more challenging for individuals to distinguish between legitimate and malicious QR codes, increasing the chances of falling victim to phishing attempts.

Challenges for Email Security Systems

QR code phishing attacks pose a significant challenge for email security systems. Both when it comes to detecting and blocking malicious content effectively.

Traditional email filters primarily rely on link analysis and content scanning techniques to identify and block malicious URLs. However, QR codes act as a camouflage for these URLs, making it difficult for automated filters to detect their true intent. As a result, organisations face an increased risk of phishing emails bypassing their security defenses, potentially leading to data breaches or compromises.

Another critical concern associated with QR code phishing attacks is the difficulty in tracking and attributing the actions of individuals who interact with these malicious links. When users scan QR codes, they often do so on their personal devices that communicate out-of-band, making it challenging for organisations to identify the individuals who fell victim to the attack.

Mitigation Strategies for Organisations

Most organisations will benefit from adopting proactive measures to protect themselves against QR code phishing attacks. Here are a few tips and recommendations that have been successful in the organisations I’ve worked with:

Employee Awareness and Training

Organisations should prioritise comprehensive security awareness and phishing training programs for all employees. By educating staff about the risks associated with QR codes and teaching them how to identify phishing attempts, organisations can significantly reduce the likelihood of successful attacks.

Streamlined Reporting Power

By offering add-ins in your employees’ Outlook application you’ll allow users to report suspicious or potentially malicious emails directly from their inbox to the organisation's security team for further analysis and action. By involving users in the process of identifying and reporting potential threats this type of add-in helps to enhance the security of the organisation's email environment.

Strengthen Email Security Measures

To enhance email security, organisations should consider implementing advanced threat detection solutions that go beyond traditional link analysis. Artificial intelligence and machine learning-powered technologies can help identify suspicious patterns and behaviors associated with phishing attacks, even when disguised as QR codes. In addition, organisations should consider incorporating add-in or integrated tools for scanning QR codes.

Device Trust

Implementing policies with enforced device trust requirements will ensure that only trusted and secure devices are allowed to access corporate resources. This helps mitigate the risk of compromised users who got their credentials leaked through QR code phishing attacks.

Implement Multi-Factor Authentication (MFA)

By enforcing MFA (or 2FA - two-factor authentication) when accessing sensitive systems or resources, organisations can add an extra layer of security. This measure can help prevent unauthorised access, even if an individual inadvertently interacts with a phishing link.

QR Code Verification

Before scanning any QR code, individuals should exercise caution and verify its source. It is advisable to use reputable QR code scanning applications that have built-in security features to detect potentially malicious codes.

QR Code Scanning Policies

Establish clear policies and guidelines regarding QR code scanning within the organisation. Encourage employees to avoid scanning QR codes from untrusted sources or unknown origins. Consider implementing a formal approval process for scanning QR codes related to business activities.

QR Code Branding

Branding QR codes provides organisations with an additional advantage in identifying broader phishing campaigns where non-branded QR codes are used. By establishing a recognisable brand presence, organisations can easily differentiate their legitimate QR codes from unauthorised ones.

Incident Response and Tracking

Organisations should establish robust incident response plans to address phishing incidents swiftly. Additionally, deploying advanced tracking mechanisms, such as user activity monitoring and endpoint security solutions, can aid in identifying and containing any potential compromises resulting from QR code phishing attacks.

Mobile Device Security

Promote best practices for mobile device security, as QR code scanning typically occurs on smartphones or tablets. Encourage employees to keep their devices up to date with the latest operating system and security patches.

Conclusion

Organisations should recognise the growing prevalence of QR code phishing attacks via email systems, and take proactive steps to protect themselves and their employees. These attacks pose significant challenges to email security systems, as QR codes can disguise malicious URLs and make it difficult to trace the actions of individuals interacting with them. By implementing a combination of the suggestions above, organisations can enhance their security posture and effectively combat QR code phishing attacks, safeguarding their valuable information, and maintaining the trust of their stakeholders.