QR codes are a convenient way of transmitting information, especially URLs. They can be scanned with a smartphone and direct the user to a website. They are on flyers, posters, and other marketing material to quickly direct users to a website to find out more information, greatly improving the response to marketing campaigns. Use of these codes has grown and they are now found everywhere, even in restaurants to direct diners to menus. Unfortunately, QR codes are also perfect for scammers for stealing sensitive information and distributing malware, and QR codes are now being extensively used in phishing campaigns (quishing) in place of embedded URLs. The advantage of this is that they make it hard for users to check the destination of the URL before clicking and email security solutions are now designed to follow QR codes. According to Check Point, there was a 587% increase in QR code phishing attacks between August and September 2023 and recently detected 20,000 instances of QR code-based attacks over a 2-week period.

Campaigns have recently been detected that incorporate conditional redirection based on the user’s device, browser, screen size, and many other parameters, tailoring each attack to the individual via the same QR code. In one of these campaigns, users were directed to a credential harvesting page, with the redirection chain adjusted based on the fingerprinting of the user’s device. Similar campaigns are conducted to direct users to malware distribution sites. QR codes have also been used to direct users to deep fake YouTube videos, where celebrities appear to be endorsing investment schemes, usually related to cryptocurrency, where people are tricked into investing with a promise that they can rapidly double their money or get even better returns.

Email security solutions are designed to assess messages for phishing content, check embedded URLs to determine if they link to malicious websites, and scan email attachments to check for malware, but they are not suited to checking QR codes to determine where the user will be directed. Further, QR codes move the threat to a different device. QR code phishing emails are likely to be received on a company-owned laptop or PC, but the user is then required to switch to their mobile phone to scan the QR code, and mobile devices typically lack the same level of protection making it more likely that the attack will go undetected.

The best defense against these attacks is user education. Security awareness training should cover quishing to make employees aware of this increasingly popular tactic and the threat that QR codes pose. With SafeTitan it is easy to add new training content to your security awareness training programs and push out these training modules to all users. When any new threat is detected, you can add educational content to your training program and push that content out to all users, user groups, or individuals. All training modules last a maximum of 10 minutes, so they are easy to fit into busy workflows.  SafeTitan also includes a phishing simulator that allows you to send out fake quishing emails to the workforce to see who opens the emails and responds.

For further information on security awareness training with SafeTitan and how you can improve your defenses against all types of cyberattacks, give the TitanHQ team a call.