SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Rise in 'quishing' attacks exploits growth in QR code usage
Wed, 28th Feb 2024

The use of QR codes is on the rise globally, and with it, a new form of phishing attack, warns Josh Cigna, a solutions architect at Yubico. An increasing number of cyber criminals are leveraging the popularity of QR codes to carry out what has become known as quishing, or QR code phishing attacks.

Phishing attacks, which trick users into divulging personal data or performing an action such as downloading malware, are the most common form of online account breach today, thanks to their cost-effectiveness and high success rate. Traditionally carried out via emails containing deceptive links or attachments, phishing scams have also been propagated through text messages or even telephone calls.

Phishing scams can convincingly imitate messages from reputable brands, which is why 44% of users perceive emails from trusted brands as safe. In a twist on this tactic, cyber criminals are now using QR codes as the vehicle for phishing attacks, observes Cigna.

QR codes, essentially a type of barcode that smartphone cameras can read, can store plain text or links for a wide variety of uses. In 2022, a reported 83.4 million US smartphone users scanned QR codes, and this figure is projected to reach 99.5 million by 2025. This growing usage has made QR codes attractive bait for phishing attempts.

Quishing attacks use either physical or digital QR codes to draw users to counterfeit websites built to harvest personal information or to deliver malware. As with traditional phishing, there is often a sense of urgency tied to a benefit or a consequence. According to Cigna, there was a 51% increase in quishing attempts in September 2023 compared with the combined figure for January through August 2023, and in that same month 9.5% of all scanned QR codes were malicious.

Cigna provides some illustrations of how a QR-based phishing attack operates. For instance, a fake QR code stuck to a bank's door prompts customers to log into their bank account to enter a contest, thereby handing their banking credentials to the attacker. Similarly, an email supposedly from a known retailer containing a fraudulent QR code can fool users into divulging their private data, which can subsequently be sold on the black market or used for further phishing campaigns.

So how can one guard against QR code phishing attacks? Cigna offers a few key recommendations to strengthen security: verify the legitimacy of the QR code's source, be circumspect when sharing personal information, be cautious about payment methods, and enable strong, phishing-resistant multi-factor authentication (MFA) across all accounts. In particular, device-bound passkeys, such as hardware security keys like the YubiKey, provide robust protection by requiring physical interaction with the security key, in addition to a password, before an account can be accessed.
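The first recommendation above, verifying the legitimacy of a QR code's source, is something a scanner app, a mail gateway or a help desk can partly automate before a user follows the link. The following is an added example written for this article and is not code from SecurityBrief, Yubico or Cigna. It assumes the QR image has already been decoded into its payload text by a scanner (no image decoding is done here), and the `TRUSTED_DOMAINS` allowlist, the shortener list and the sample payloads are all constructed for illustration; an organisation would substitute its own domains and a Public Suffix List lookup.

```python
"""Triage of decoded QR-code payloads before a user follows them.

Added example (not from the article or Yubico): given the text a scanner
extracted from a QR code, flag the traits that quishing lures commonly share
(raw IP hosts, shorteners, punycode, '@' tricks, brand lookalikes, plain http,
credential/urgency wording on an untrusted domain) so the link can be blocked
or a warning shown before it is opened.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlparse
import ipaddress
import re

# Assumed allowlist: domains this organisation itself links to from QR codes.
TRUSTED_DOMAINS = {"example-bank.com", "example-retailer.com"}
# Public shorteners hide the real destination; list is illustrative only.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
# Wording that quishing lures use to create urgency or ask for credentials.
LURE_WORDS = re.compile(r"(login|verify|account|prize|contest)")


@dataclass
class Verdict:
    url: str
    host: str
    findings: list = field(default_factory=list)

    @property
    def risky(self) -> bool:
        return bool(self.findings)


def _registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels). A real deployment would use the
    Public Suffix List so that e.g. 'co.uk' is handled correctly."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _lookalike_of_trusted(host: str) -> Optional[str]:
    """Return the trusted domain whose brand name appears in `host` while the
    registrable domain is NOT that trusted domain, e.g.
    'example-bank.com.login-verify.net' imitates 'example-bank.com'."""
    if _registrable(host) in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host:
            return trusted
    return None


def triage(payload: str) -> Verdict:
    """Classify one decoded QR payload. Non-URL payloads (plain text, Wi-Fi
    configs, vCards) are returned with an empty host and a single finding."""
    text = payload.strip()
    parsed = urlparse(text)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return Verdict(text, "", ["payload is not an http(s) URL; do not act on it blindly"])
    host = parsed.hostname.lower()
    v = Verdict(text, host)
    if parsed.scheme != "https":
        v.findings.append("plain http: anything typed here travels in the clear")
    if _is_ip_literal(host):
        v.findings.append("raw IP address instead of a domain name")
    if _registrable(host) in SHORTENER_DOMAINS:
        v.findings.append("URL shortener hides the real destination")
    if host.startswith("xn--") or ".xn--" in host:
        v.findings.append("punycode label: possible homoglyph domain")
    if parsed.username is not None:
        v.findings.append("userinfo '@' in URL can disguise the real host")
    imitated = _lookalike_of_trusted(host)
    if imitated:
        v.findings.append(f"host imitates trusted domain {imitated}")
    if LURE_WORDS.search((parsed.path + "?" + parsed.query).lower()) \
            and _registrable(host) not in TRUSTED_DOMAINS:
        v.findings.append("credential/urgency wording on an untrusted domain")
    return v


# Constructed sample payloads mirroring the article's scenarios.
SAMPLE_PAYLOADS = {
    "sticker on bank door": "http://192.168.4.20/contest/login",
    "retailer email": "https://example-retailer.com.order-refund-verify.net/account",
    "shortened": "https://bit.ly/3xyzABC",
    "legitimate": "https://secure.example-bank.com/app",
    "wifi config": "WIFI:T:WPA;S:lobby;P:example-pass;;",
}


def run_samples() -> Dict[str, Verdict]:
    return {name: triage(p) for name, p in SAMPLE_PAYLOADS.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        status = "RISKY" if verdict.risky else "ok"
        print(f"{name:22s} {status:6s} {verdict.host or '(not a URL)'}")
        for finding in verdict.findings:
            print(f"    - {finding}")
```

The checks are deliberately conservative: a legitimate subdomain of an allowlisted domain produces no findings, while the bank-door and retailer scenarios from the article each trip several. Pairing this kind of pre-click triage with phishing-resistant MFA covers both ends of the attack: the lure is more likely to be caught, and a harvested password alone is not enough to take over the account.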