First published: 02 Nov 2023
Last updated: 02 Nov 2023

Content written for: Individuals & families; Small & medium business; Large organisations & infrastructure; Government

What is Quishing?

Quishing is a form of phishing attack that uses QR codes instead of text-based links in emails, digital platforms or on physical items. Quishing is a social engineering technique used by scammers and cybercriminals to trick you into providing personal information or downloading malware onto your device.

A QR code (or Quick Response code) is a square barcode-like image. It serves a number of legitimate purposes, allowing quick access to internet-based resources such as websites, product or event information and payment facilities. You can access the information by scanning the code with the camera on your smart device.

Threat actors take advantage of the popularity and inherent trust in QR codes to help disguise their nefarious intent. When you scan the QR code with your smart device, it can link you to malicious websites or prompt you to download files designed to monitor your online activities, steal your sensitive details or gain access to your device. Malicious websites often look legitimate and may replicate information found on a business or organisation’s real website.

As QR codes are images, quishing presents additional security challenges over text-based phishing. These include:

  • the limited ability of some email security tools to detect and block malicious links embedded in images, and
  • the link being hidden in an image, which limits your ability to check its legitimacy before scanning the QR code.

Quishing also presents a unique security challenge for enterprise and business environments. Users who receive quishing emails at their work email address may scan a malicious QR code using personal devices that may not be subject to the organisation’s cyber security controls and monitoring environments, making it difficult to prevent, detect and track potential compromises.

To reduce the risk of becoming a victim of a quishing attack, we recommend you:

  • Think before you click and check Scamwatch for advice on known scams using QR codes.
  • Manually navigate to online payment facilities using a known and trusted URL.
  • Engage with your email security software provider about technical mitigations available in their products to address image-based cyber threats.
  • Avoid downloading apps and files using QR codes; instead, download from a trusted app store or website.
  • Keep your personal and business devices updated with the latest version of software and download security patches as soon as they are released.
  • Encourage your employees and colleagues to confirm the legitimacy of suspected quishing emails, and report suspicious emails to the IT security department or providers.
  • Broaden organisational email policies to preclude employee interaction with QR codes contained in emails.
  • Use a secure QR code generator to enhance the security of your brand’s QR codes and prevent cyber threat actors from exploiting your trusted name.
  • Learn how to spot a scam and detect socially engineered messages.
  • Educate your family, friends and colleagues about the cyber security-related risks associated with using QR codes.

Think you’ve been targeted by a quishing attack?

Refer to our page Phishing emails and texts for additional guidance on what steps to take if you think you have been targeted by a phishing attack.

To speak to someone who can assist, call the Australian Cyber Security Hotline on 1300 CYBER1 (1300 292 371), open 24 hours, 7 days a week, or submit a report through our website.
