What is Quishing?

Quishing is a fast-growing phishing trend involving QR codes, which are now used in more than one-fifth of phishing attacks. QR Codes, or Quick Response codes to give them their full name, have become a popular way of communicating information, most commonly URLs for websites and PDF files. QR codes were originally developed and used for tracking parts in manufacturing, but their uses have grown considerably and QR codes are now everywhere.

They are also used by restaurants for directing diners to their menus – something that became more common during the COVID-19 pandemic as a way of reducing the risk of virus transmission as well as reducing costs by not having to print menus. They are used by advertisers at bus stops and train stations, in magazines and printed pamphlets, and even TV commercials. They allow advertisers to get smartphone users to quickly and easily visit a website to find out more about products and services and make a purchase.

The ubiquity of QR codes and how they have been embraced by consumers, coupled with the difficulty of distinguishing between a benign and useful QR code and a malicious one has made them perfect for malicious actors for driving traffic to their malicious websites. QR codes are sent via emails, instant messaging services, and on social media sites and direct users to a malicious website where credentials are harvested or malware is downloaded. Another key benefit of QR codes is they are read by smartphones, rather than laptops or desktop computers. Smartphones are far less likely to have security software installed that can detect either the phishing message or the malicious URL that users are directed to.

Malicious actors have embraced QR codes and commonly use them in phishing campaigns. One analysis of phishing emails revealed 22% of phishing emails intercepted in October 2023 used QR codes, many of which used standard phishing lures to get users to scan the QR code, such as a security alert requiring immediate action. Other types of quishing attacks have exploited the “login with QR Code” feature that is now used by apps and websites as a secure way of logging in. In this type of attack, termed QRLJacking, the attacker initiates a client-side QR session of the targeted app or website, and clones the login QR code to display a fake but realistic clone of the targeted app. Social engineering techniques are used to send a user to that page, the user scans the malicious QRL using the mobile application the QRL code was created for, and the attacker gains access to the victim’s account. The app is unaware this is fraudulent access and provides the user’s data to the attacker.

Protecting against these attacks is much harder than protecting against standard phishing attempts since security solutions struggle to detect these malicious QR codes. That said, protecting against QRLJacking is simple. Don’t ever use QRLs for logging in. Avoiding other quishing attacks involves similar advice. Avoid using QR codes entirely, or at least avoid using QR codes from untrusted sources. If a QR code is received via email, the source of the email needs to be verified, and even then it is best to avoid using it and just visit the website of the company that claims to have sent it.

Companies should also consider adding quishing to their security awareness training programs given how commonly QR codes are being used in phishing. That’s easy to do with the SafeTitan Security Awareness Training Platform – just choose the Quishing content and add it to your training program and incorporate the quishing templates into your phishing simulations.