Before scanning any QR codes, experts strongly advise exercising caution
QR codes, while incredibly convenient, have unfortunately become a favored tool for cybercriminals. Kern Smith from Zimperium highlighted the alarming surge in targeted attacks on mobile devices, particularly through phishing attempts. He emphasized that mobile devices are prime targets due to their susceptibility to these attacks.
Smith coined the term “quishing” to describe QR phishing, underscoring its effectiveness as an attack vector. One reason for its success is the lack of emphasis on QR code scanning within corporate anti-phishing systems. This oversight allows attackers to widely distribute QR codes without adequate scrutiny.
Reliaquest, based in Tampa, shared concerning statistics in a recent report, noting a staggering 51% increase in quishing attacks in September compared to the previous eight months. This rise is attributed in part to the prevalence of smartphones equipped with built-in QR code scanners or easily accessible scanning apps. Unfortunately, users often scan these codes without considering their legitimacy, creating an open door for malicious activities.
The ease and widespread adoption of QR codes, while beneficial for seamless interactions, have inadvertently opened avenues for exploitation. Cybersecurity measures must adapt to include thorough QR code scanning to combat the escalating threat of quishing attacks.
Phishing: tricky online scams stealing your information. Stay cautious
Shyava Tripathi, a researcher at Trellix’s Advanced Research Center in Milpitas, California, emphasized the alarming reality that phishing comprises more than a third of all breaches and cyber attacks. She highlighted the growing threat of QR-code-based attacks, which, while not new, have surged in sophistication, with Trellix identifying over 60,000 malicious QR code instances in just one quarter.
Steve Jeffery, lead solutions engineer at Fortra, a global cybersecurity and automation firm, echoed this concern, emphasizing the elevated risk posed by “quishing” – a method that circumvents traditional security measures. He stressed the importance of recipients fully grasping these threats to avoid falling into the trap.
Jeffery underscored that the act of clicking on harmful URLs remains a primary vulnerability for account takeovers. He referred to data from Fortra’s PhishLabs in Q2 of 2023, revealing that over three-quarters of email attacks aimed at stealing credentials included links leading victims to malicious websites.
According to Jeffery, “quishing” essentially extends the danger posed by phishing attacks. Instead of embedding hyperlinks to fraudulent websites, attackers now use QR codes to deliver the URLs. Since most email security systems don’t decode QR code contents, blocking these messages at the gateway becomes difficult, which contributes to the rise of this particular type of attack.
Quishing for Credentials
Mike Britton, the Chief Information Security Officer (CISO) at Abnormal Security, emphasized the escalating threat of ‘quishing,’ underscoring findings from Abnormal’s data revealing that 17% of successful attacks circumventing spam filters now employ QR codes.
Britton highlighted that within this alarming statistic, credential phishing constitutes a staggering 80% of QR code-based attacks. Other prevalent modes include invoice fraud and extortion, forming the top three attack vectors.
Explaining the appeal of QR code-based attacks, Britton pointed out, “Malicious actors find QR codes an appealing tactic due to the difficulty in discerning the destination they lead to.” He elaborated, “Unlike traditional email attacks, QR codes contain minimal text and lack overtly malicious URLs, severely limiting the cues available for conventional security tools to detect and scrutinize.”
He went on to say that, “Given its capacity to evade both human scrutiny and traditional security measures, QR code attacks often outperform conventional attack methods.”
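The gap Jeffery and Britton describe, a gateway that inspects hyperlinks but not the URL hidden inside a QR image, closes once the decoded payload gets the same treatment as a link. The following is an added example, not code from the article or from any vendor it quotes; it assumes a separate QR decoder (hypothetical) has already extracted the payload string, and uses a hypothetical allowlist of the organisation’s own domains.

```python
# Added example (not from the article). A separate QR decoder, assumed here, has
# already turned the image into its payload string; treat it like any email link.
import ipaddress
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"example-corp.com"}      # hypothetical allowlist of expected domains
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # hide the real destination
# Findings that alone justify quarantining the message.
STRONG = {"raw IP address host", "punycode label", "userinfo before host", "URL shortener"}

def classify_qr_payload(payload: str, trusted_hosts=TRUSTED_HOSTS) -> dict:
    """Return {'verdict': 'allow'|'review'|'block', 'reasons': [...]} for one payload."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # Plain text, WIFI:, otpauth: and similar payloads are not links; hand to a human.
        return {"verdict": "review", "reasons": [f"non-web payload ({scheme or 'no scheme'})"]}
    host = (parts.hostname or "").lower()
    reasons = ["plain http"] if scheme == "http" else []
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address host")
    except ValueError:
        pass  # a normal domain name, not an address literal
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label")  # possible lookalike of a brand domain
    if parts.username is not None:
        reasons.append("userinfo before host")  # trusted-name@real-host trick
    if host in SHORTENERS:
        reasons.append("URL shortener")
    if not any(host == t or host.endswith("." + t) for t in trusted_hosts):
        reasons.append("host not in allowlist")
    verdict = "block" if any(r in STRONG for r in reasons) else "review" if reasons else "allow"
    return {"verdict": verdict, "reasons": reasons}

# Constructed sample payloads standing in for decoded QR images from inbound mail.
SAMPLE_PAYLOADS = [
    "https://login.example-corp.com/mfa/enroll",        # allow
    "http://login.example-corp.com/mfa/enroll",         # review: plain http
    "https://portal.other-domain.example/login",        # review: unknown host
    "https://192.0.2.10/update-2fa",                    # block: IP literal
    "https://login.example-corp.com@evil.example/2fa",  # block: userinfo trick
    "WIFI:T:WPA;S:guest;P:changeme;;",                  # review: not a link
]

if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        print(f"{classify_qr_payload(payload)['verdict']:6}  {payload}")
```

The checks mirror what a link scanner already applies to clickable URLs; the only new step is feeding it the decoded QR payload instead of ignoring the image.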
Embedded QR Threats
QR codes are becoming a favored choice for cybercriminals because they are hard to see coming. When people scan these codes, they usually do so on their personal phones, outside the reach of company security controls, which makes it difficult for companies to spot who fell for the scam.
The tricky part is that these QR codes conceal their malicious links well. Harmless images such as logos in emails, and even legitimate QR codes that lead to real sites, make it hard to separate the good from the bad. The result is a quiet side entrance for attackers.
Best Practices for QR Code Safety
In the world of QR codes, trust is key. Christopher Budd from Sophos, a cybersecurity expert, simplifies QR code safety with an easy rule: consider the source. Picture this scenario: you’re strolling through a bustling mall’s food court, and there’s a flashy sign promising a tempting discount if you scan the attached QR code. But here’s the catch—there’s no context or indication of who placed that code there. Budd’s advice? If you can’t vouch for the source, it’s best to skip it.
Why? Because malicious QR codes often come with a twist: they’re strategically placed by ill-intentioned individuals who want to dupe unsuspecting users. These codes might impersonate legitimate requests, such as mimicking IT team messages about updating two-factor authentication through QR code scans. Darktrace research highlights that these personalized attacks often dodge traditional security measures that rely on known threats. That’s why experts like Budd emphasize the importance of familiarity and trust when interacting with QR codes.
Ultimately, the golden rule when dealing with QR codes is simple: pause and assess before you scan. Stick to codes from sources you know and trust, especially in public spaces where codes might appear out of the blue. By following this straightforward guideline, you’ll add an extra layer of security to your QR code interactions, ensuring a safer digital experience.