Quishing on the rise: How to prevent QR code phishing
Cybercriminals are using email-based quishing attacks to target users, according to threat researchers. At least one quishing campaign appears to be large-scale, long-running and dynamic, based on attack cadence and variations in the lures and domains the messages use.
Quishing, also known as QR code phishing, involves tricking someone into scanning a QR code using a mobile phone. The QR code then takes the user to a fraudulent website that might download malware or ask for sensitive information.
Patrick Schläpfer, malware analyst at HP, said his team has observed email-based quishing activity on an almost daily basis for months. The researchers have been tracking a particular QR code phishing campaign that first came to their attention when they noticed a series of suspicious emails with similar Word documents attached.
On closer inspection, they found each document contained Chinese text and a QR code. The message appeared to come from the Chinese Ministry of Finance -- while actually coming from threat actors -- and told recipients they were eligible to receive a new government-funded subsidy. To get their payments, the document instructed, users should use their mobile devices to scan the QR code, which would redirect them to an application form where they could submit their personal and financial information.
In another, similar attack HP uncovered, users received an email that appeared to come from a parcel delivery service, requesting payment via a QR code.
The QR code, according to Schläpfer, is a way to force a user to move from a desktop or laptop to a mobile device, which might have weaker antiphishing protections. And, while the campaign the HP researchers discovered aimed to solicit individuals' financial information, threat actors could also use such quishing campaigns to distribute mobile malware and steal enterprise login credentials.
"It's very likely that QR phishing is happening at a wider scale using a variety of methods," Schläpfer said.
Email security vendor Abnormal Security previously identified a quishing campaign that used a QR code to get past email security gateways, which commonly scan text for URLs. The attack seemed to be an attempt to steal users' Microsoft login credentials, the vendor reported.
Quishing is a type of phishing attack in which a threat actor uses a QR code to manipulate users, typically by redirecting them to a website that either downloads malware or solicits their sensitive information.
A QR code, or quick response code, is a square barcode that compatible mobile device cameras can read. When a user scans a QR code, it often opens a webpage, although it could also trigger a phone call, text message or digital payment.
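The gateway-bypass point above rests on the URL being hidden inside an image, so once a mail gateway has decoded the QR image in an attachment, the recovered string should get the same treatment as a URL in message text. The following is an added example (not code from the article, HP or Abnormal Security) of that triage step; it assumes decoding has already happened and that the allow-list and sample payloads are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list for the example; a real gateway uses its own policy source.
TRUSTED_HOSTS = {"login.microsoftonline.com", "example-corp.com"}
# Non-browsing actions a scanner app may perform directly from a QR payload.
ACTION_SCHEMES = ("tel:", "sms:", "smsto:", "mailto:", "upi:", "bitcoin:")
# Scanner apps open "example.com/x" as a web link even when no scheme is present.
BARE_HOST = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?")


def classify_qr_payload(payload: str) -> dict:
    """Classify a decoded QR string: what a scanner would do and why it needs review."""
    text = payload.strip()
    lower = text.lower()
    reasons = []
    kind, target = "text", text

    if BARE_HOST.fullmatch(lower) and not lower.startswith(ACTION_SCHEMES):
        text, lower = "http://" + text, "http://" + lower
        reasons.append("scheme missing")

    if lower.startswith(("http://", "https://")):
        # urlsplit lowercases the host; QR alphanumeric mode often yields uppercase.
        host = (urlsplit(text).hostname or "").lower()
        kind, target = "url", host
        if host not in TRUSTED_HOSTS:
            reasons.append("host not on allow-list")
        if host.startswith("xn--") or ".xn--" in host:
            reasons.append("punycode host")
        if lower.startswith("http://"):
            reasons.append("plain http")
    elif lower.startswith(ACTION_SCHEMES):
        kind = lower.split(":", 1)[0]
        reasons.append("QR triggers an action other than browsing")
    else:
        reasons.append("unrecognised payload")

    return {"kind": kind, "target": target, "review": bool(reasons), "reasons": reasons}
```

The result feeds whatever URL-reputation or quarantine logic the gateway already applies to plain-text links, so a QR attachment no longer sidesteps that check.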
Anecdotal evidence suggests quishing attacks have increased since the beginning of the COVID-19 pandemic, when a growing number of legitimate organizations started using QR codes to enable low-contact transactions. Some restaurants, for example, link QR codes to online menus rather than providing diners with hard copies. Digital wallets use QR codes to facilitate contactless payments. As users have become increasingly accustomed to interacting with QR codes in daily life, quishing opportunities have increased.
For example, according to the Better Business Bureau (BBB), a now-common scam involves sticking fraudulent QR codes on parking meters to trick drivers into sharing financial credentials when they try to pay for parking. The BBB has warned consumers they could encounter QR code scams in emails, in text messages, on signage, on direct mail and even in person from criminals posing as utility workers or government employees.
Many quishing attacks to date have targeted individual consumers, but enterprises and their employees are also vulnerable. In particular, email-based QR phishing campaigns, such as the ones the HP and Abnormal Security researchers uncovered, could target business accounts for credential theft or malware distribution.
As with any type of phishing, the best defense against quishing attacks is an educated user base. Enterprises should provide security awareness training that includes the following best practices:
Organizations should also consider additional security controls that can help combat multiple types of phishing attacks and mitigate the damage if one is successful. These include the following: