How Quishing Attacks Target Businesses

There’s a new phishing threat in town: quishing. This cyberattack targets companies in new and dangerous ways. Learn how quishing attacks are carried out, why businesses are especially vulnerable, and what you can do to protect your organization.

What Is Quishing & How Does It Differ From Traditional Phishing?

Quishing is similar to traditional phishing, where attackers send fake emails or texts that try to lure you into clicking on malicious links. The difference is that with quishing, instead of a link, the attacker uses a QR code, one of those small, scannable codes you might see on posters, menus, or websites. The name “quishing” is a portmanteau of “QR code” and “phishing”.

In quishing attacks, cybercriminals place these malicious QR codes in various places. When you scan them with your phone or another device, you’re often redirected to a fake website designed to steal your information or install malware.

Unlike traditional phishing emails, which often raise suspicion due to their odd wording or unfamiliar senders, QR codes may seem more trustworthy because they look like a regular part of everyday technology.

QR code phishing has become so widespread that even phishing-as-a-service (PhaaS) platforms have started offering QR codes as part of their attack tools. This means that attackers don’t need to be tech experts anymore; they can easily purchase these services to launch sophisticated attacks on businesses.

Why Businesses Are Vulnerable To Quishing Attacks

Businesses are particularly vulnerable to quishing attacks for several reasons. One big factor is the increased use of QR codes in everyday operations. Many businesses use QR codes for things like marketing, payments, and even internal communication. 

Because QR codes are so widely accepted and trusted, employees and customers might not think twice about scanning one, which makes them an easy target for attackers.

In fact, the rise in QR code phishing is hard to ignore. In the second half of 2023, executives were 42 times more likely to be targeted by QR code phishing than other employees. This is because executives usually have greater access to sensitive company resources and applications, making them high-value targets for cybercriminals.

In September 2023, ReliaQuest reported a 51% increase in QR code phishing attacks compared to earlier in the year. Other cybersecurity studies also show how common this type of attack has become. For example, the Hoxhunt Challenge, a study on phishing attacks, found that 22% of all phishing attacks in early October 2023 used QR codes to deliver malicious payloads.

Businesses Affected By Quishing

Many businesses have already fallen victim to quishing attacks. One major industry impacted is healthcare. A white paper from the U.S. Department of Health and Human Services (HHS) highlighted how QR codes have become a significant vector for phishing attacks in this sector. Hospitals and healthcare providers often use QR codes for patient forms, payments, or informational purposes. Unfortunately, attackers exploit this trust, placing malicious QR codes on documents or emails that look legitimate.

Source: Microsoft-based quishing email by Kaspersky

Even tech giants like Microsoft have been targeted numerous times, with phishing emails designed to lure users into scanning QR codes. If even large companies with robust security measures are targeted, it shows just how widespread and dangerous quishing can be for businesses of all sizes.

The Hoxhunt Challenge report involved almost 600,000 employees from companies of all sizes. Only 36% were able to correctly identify and report a phishing email with a QR code. More than half of the employees failed to recognize the threat, and an alarming 5% scanned the malicious QR code or clicked the link within the email. This shows that even large organizations with extensive security resources are struggling to protect their employees from quishing.

Furthermore, a security professional ran a similar simulation within their organization, and the results were just as concerning. According to their post on Reddit, about 6% of employees clicked the malicious QR code. The fact that a number of employees are still falling for these scams shows the need for better awareness and training about QR code phishing within organizations.

Steps To Protect Your Business From Quishing Attacks

Protecting your business from quishing attacks requires a combination of awareness, technology, and good practices. Here are some key steps you can take to reduce the risk:

1. Educate Staff & Employees About The Risks Of Unknown QR Codes

One of the most important things you can do is educate your employees about the dangers of scanning QR codes from unknown or untrusted sources. Many people don’t think twice about scanning a QR code, but attackers can easily replace legitimate codes with malicious ones. 

By training your team to always verify the source of a QR code before scanning, you can reduce the chances of falling victim to quishing. Encourage them to be cautious about QR codes in unsolicited emails, flyers, or websites.

2. Implement Robust Email Security Solutions

A big part of protecting your business from quishing attacks is keeping malicious content out of your inbox. Implement strong email security solutions that can detect and block phishing attempts, including those that use QR codes. 

These solutions can help address suspicious emails and links and warn users before they accidentally click on a harmful QR code or malicious link. Also, make sure your email filtering software is regularly patched and updated to keep up with new phishing tactics.
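
As an added illustration of what such filtering looks for (this is example code written for this article's topic, not any vendor's detection logic), the Python sketch below scores a parsed email for traits typical of a QR-code lure: an image with no link in the text, a request to scan, an account or authentication theme, and a very short body. The keyword patterns, the 60-word limit, the hold threshold of 3, and the sample messages are all assumptions constructed for the example.

```python
import re
from email.message import EmailMessage

# Assumed lure wording; tune both patterns to your own mail flow.
SCAN = re.compile(r"\b(scan|qr code)\b", re.I)
AUTH = re.compile(r"\b(mfa|2fa|authenticat\w*|password|verify|sign[- ]in)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def triage(msg):
    """Score one parsed message for QR-lure traits. A heuristic, not a verdict."""
    text, images = [], 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            images += 1
        elif ctype in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            text.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    raw_text = " ".join(text)
    visible = re.sub(r"<[^>]+>", " ", raw_text)  # drop HTML tags before word checks
    reasons = []
    if images and not URL.search(raw_text):
        reasons.append("image but no link in text: destination may be inside the image")
    if SCAN.search(visible):
        reasons.append("asks the reader to scan a code")
    if AUTH.search(visible):
        reasons.append("account or authentication theme")
    if images and len(visible.split()) < 60:
        reasons.append("short body carried by an image")
    return {"score": len(reasons), "hold": len(reasons) >= 3, "reasons": reasons}

def sample(body, image=True):
    """Build a constructed test message; the image bytes are a placeholder."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content(body)
    if image:
        m.add_attachment(b"\x89PNG placeholder", maintype="image",
                         subtype="png", filename="img.png")
    return m

LURE_MAIL = sample("Your MFA enrollment expires today. "
                   "Scan the QR code below with your phone to re-authenticate.")
NEWSLETTER = sample("The quarterly newsletter is out: https://intranet.example/news")

if __name__ == "__main__":
    for name, m in (("lure", LURE_MAIL), ("newsletter", NEWSLETTER)):
        print(name, triage(m))
```

A message that is held this way still needs a person or a QR-decoding scanner to inspect the image itself; the score only decides which messages get that closer look.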

3. Adopt Multi-Factor Authentication (MFA)

MFA is a security measure that provides an extra layer of protection when logging into company systems. Encourage your organization to adopt MFA, but be cautious about using QR codes as part of the authentication process. 

Since quishing specifically targets QR codes, using other forms of MFA, like text message codes or authentication apps, can help reduce your risk. 

FAQ

What Makes Businesses More Vulnerable To Quishing Attacks?

Businesses are particularly vulnerable to quishing because they often rely on QR codes for various purposes, such as payments, marketing, or internal communication. Employees, especially those in executive roles, may have access to sensitive company data, making them prime targets. Many businesses have not yet fully trained their teams to recognize the risks of malicious QR codes, leaving them open to attack.

How Can I Recognize A Quishing Attack Targeting My Business?

If you receive a QR code from an unexpected source or if the code looks suspicious, it’s a good idea to avoid scanning it. Be cautious of QR codes in places where you wouldn’t expect them, such as unsolicited emails or on flyers in public areas.

What Steps Can My Business Take To Prevent Quishing Attacks?

2Secure often encourages the use of MFA methods that don’t rely on QR codes. You can also implement email security and filtering solutions that block phishing content. Regular training and awareness can also help your team recognize the risks of scanning unknown QR codes.
