You’re running late to a meeting. Traffic has been awful, and you can feel the stress pump through your veins as each second passes. Finally, you find a parking spot. You jam the handbrake in place and jump out of your car, rushing up to the parking meter. You fumble with your phone and open your reader to scan the meter’s QR code. You input your credit card details to pay for an hour, and off you run to your meeting.
Little do you know that you've just been quished (phished with a QR code): the card details you typed went straight to an attacker, not to the parking operator, and they have already maxed out your credit card.
How does quishing work?
Quishing is phishing that uses a QR code as the lure. It's still social engineering: instead of a phishing email or a phone call, the attack starts with a QR code that encodes an attacker-controlled URL (or another payload a phone will act on, such as a tel: or sms: link). Scanning it takes you to a malicious site where you're persuaded to hand over login details, card numbers or other sensitive data. The code itself isn't forged in any technical sense; it's a perfectly valid QR code that simply points somewhere you didn't expect, and because a QR code is opaque to a human reader, the destination stays hidden until the moment your phone opens it. The rest of a quishing attack plays out much like any other phishing attack; only the starting point differs.
In the example outlined above, instead of scanning the parking meter’s legitimate QR code, you have scanned a QR code for a malicious website that the attacker carefully glued on top of the real code. You aren’t typing your credit card information into the parking meter’s legitimate portal, you’re handing it straight over to the attackers.
Quishing is a very real threat and we need to protect both ourselves and our users from it. As in the example, these attacks can begin in meatspace, but they can also reach us in the digital realm, such as if we get a QR code in our email inbox, or if a website tells us to scan a code.
From an attacker's perspective, quishing has a few advantages over the classic phishing email. Fewer people have been trained to recognize it: we've had decades of phishing emails, and most of us know to check the sender address and to compare a suspicious link against the organization's real website, but few people apply those habits to a square of black and white pixels. The URL is also hidden inside an image, so a mail filter that only inspects link text and HTML anchors can miss it entirely. And the act of scanning typically moves the victim from a managed work laptop, where the email gateway and browser protections live, to a personal phone that sits outside those controls.
How to defend against quishing?
One of the major priorities for defense against quishing is training and awareness. Many of our users will never have heard of these attacks before, so they won’t know that they need to proceed with caution whenever they whip out their QR code reader. Teaching employees at your organization about the threat and a few defensive measures will go a long way toward mitigating the problem.
Another option is to deploy email scanning that renders inline images and attachments, decodes any QR codes it finds, and runs the extracted URL through the same reputation checks, link rewriting and sandboxing you already apply to ordinary links. To a filter that only looks at link text, a QR code is just a picture, so this decoding step has to be explicit.
At the end of the day, a QR code is a shortcut to a URL (or another payload), so the measures we use against ordinary phishing carry over. Just as we tell users not to click on random links, we need to make it clear that they should never scan untrusted QR codes, including stickers in public places, and that for anything involving a payment or a login they should prefer the organization's official app or a URL they type themselves. When they do scan a code, most phone cameras show the decoded URL before opening it; that preview is the moment to check the domain. A URL that doesn't match the organization, goes through a link shortener, or carries the brand name in the wrong place (as a subdomain of an unrelated domain, or before an @ sign) should be treated as suspicious.
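The URL checks just described, whether a mail gateway performs them after decoding a QR image or a helper tool shows them to a user who has scanned a code, boil down to a handful of heuristics on the decoded string. The following is an added example (not code from the original post) that implements those heuristics in Python's standard library. It assumes the QR image has already been decoded into a string by a separate step; the trusted-domain allowlist, the shortener list and every sample URL in it are constructed for illustration.

```python
"""
Triage the payload decoded from a QR code before anyone acts on it.

Added example, not code from the original post. The QR image is assumed to have
already been decoded into a string by a separate step (for instance a mail
gateway's image scanner). The allowlist, the shortener list and the sample
URLs are all constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist: the domains your users are expected to pay or log in on.
TRUSTED_DOMAINS = {"citypark.example"}

# Public URL shorteners hide the real destination; short, illustrative list.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd", "goo.gl"}


def _edit_distance(a, b):
    """Levenshtein distance, used to spot typosquats such as c1typark vs citypark."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_qr_url(url, trusted=TRUSTED_DOMAINS):
    """Return a list of findings for a decoded QR payload; [] means no heuristic fired."""
    findings = []
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")

    # A QR payload need not be a web link: tel:, sms:, mailto: and app intents are all valid.
    if scheme not in ("http", "https"):
        return [f"non-web scheme {scheme!r}"]
    if scheme == "http":
        findings.append("plaintext http")
    if parts.username is not None:
        # https://citypark.example@attacker.net/...: the brand is the *username*, the host is attacker.net
        findings.append("credentials in URL (brand@attacker-host trick)")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address as host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode/IDN label in host")
    if host in SHORTENERS:
        findings.append("URL shortener hides the real destination")

    # Exact match or a genuine subdomain of a trusted domain: no lookalike checks needed.
    if any(host == d or host.endswith("." + d) for d in trusted):
        return findings

    # Lookalike checks: the brand name in an untrusted host or path, or a
    # registrable label within two edits of it (crude: no public-suffix list).
    labels = host.split(".")
    reg_label = labels[-2] if len(labels) >= 2 else host
    for domain in trusted:
        brand = domain.split(".")[0]
        if brand in host:
            findings.append(f"brand {brand!r} appears in untrusted host {host!r}")
        elif brand in (parts.path + parts.query).lower():
            findings.append(f"brand {brand!r} appears in path/query of untrusted host {host!r}")
        elif 0 < _edit_distance(reg_label, brand) <= 2:
            findings.append(f"host label {reg_label!r} is within 2 edits of brand {brand!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample payloads: a legitimate one followed by typical quishing variants.
    for sample in (
        "https://pay.citypark.example/m/1234",
        "http://citypark.example.pay-meter.net/pay",
        "https://citypark.example@198.51.100.7/pay",
        "https://c1typark.example/pay",
        "https://bit.ly/3xYzQ",
        "tel:+15555550100",
    ):
        print(sample, "->", triage_qr_url(sample) or "ok")
```

The registrable-label guess (second label from the right) is deliberately simple and will misjudge hosts under suffixes like co.uk; a production filter would use a public-suffix list and feed the URL to a reputation service as well. The point of the example is the shape of the checks: scheme, userinfo, raw IP, punycode, shorteners, and brand-in-the-wrong-place, applied to the decoded string rather than to anything visible in the email body.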
Multi-factor authentication will also limit the damage if a user does enter a password on a quishing site, with one caveat: one-time codes and push approvals can be relayed in real time by a phishing proxy sitting between the victim and the real site, so prefer phishing-resistant methods such as FIDO2 security keys or passkeys, which are bound to the legitimate origin and simply won't work on a lookalike domain. MFA also does nothing for the opening example, where what was stolen was a card number rather than a login. It's always best to follow defense-in-depth and have multiple security layers that limit what a successful quish can achieve.