Guide To Avoiding the Growing Threat of QR Code Phishing

In a QR code phishing attack, or quishing, the QR code serves the same purpose as a malicious link in a classic phishing email attack. If you scan the code, you might be redirected to a phishing website. Scammers have grown increasingly skilled at imitating the homepages of legitimate organizations.

This type of phishing attack represents a new and challenging threat. It moves attack channels from protected, secure email environments to a user's mobile device, which is often less safe. With QR codes, a URL isn't exposed within the body of the email.

Cybercriminals have reached a new level of deception, taking advantage of users by tricking them into visiting malicious websites or downloading malware onto their devices. Quishing typically involves tactics that exploit the trust of vulnerable and curious users.

With attacks involving QR codes on the rise, examining how these exploits are carried out, common QR code scams, and tips for identifying and avoiding this growing type of threat is essential. 

Be wary of QR codes - but we assure you the QR code to the right is safe and leads to our Blog!

What Is the QR Code Attack Sequence?

Cybercriminals use the same system to get users to fall for whatever they have in store for them. It’s called the “QR Code Attack Sequence”:

  • The user receives and opens an email.
  • The user scans the QR Code on a mobile device.
  • The user is directed to a phishing webpage.
  • The user is prompted to enter their credentials.

This set of steps allows cybercriminals easy access to user information, which can then be utilized maliciously.

Common QR Code Scams

Now that QR code phishing is happening more and more to users worldwide, it’s essential to recognize the common QR Code scams that malicious actors are sending users and getting away with more often than not.

Phishing links

Attackers embed QR codes in phishing email attacks, prompting users to scan the code and visit a fake page that appears to be a trusted service or application. This phishing attack tricks users into entering their login credentials for an attacker to capture.

Fake QR codes may also lead to surveys or forms that request personal information such as a name, address, or Social Security Number. Victims might be lured with promises of rewards or prizes in exchange for information or a tiny payment.

Malware downloads

Similarly, QR codes can link victims to malicious websites that automatically download malware onto the victim's device when scanned. These downloads can range in content from spyware to ransomware, allowing attackers to steal data or take control of a compromised account or device.

Compromised devices

QR codes can also open payment sites, follow social media accounts, and even send pre-written email messages from a victim’s compromised accounts. Hackers can easily impersonate victims, targeting others in the user’s contact directory.

QR code attacks are challenging to detect using traditional email filtering methods since there is no embedded link or a malicious attachment to scan. Email filtering is not designed to follow a QR code to its destination and scan for malicious content; instead, it shifts the actual email threat to a different device that may not be protected by corporate email security software. However, there are some ways users can spot malicious hackers before they have the chance to breach a device.

Many individuals and organizations have been hit with QR code scams since they are an effective way for malicious hackers to breach a system. Threat actors may avoid using QR codes in phishing email attacks mainly because doing so adds the extra step of luring the victim, thus hindering the chance of success. However, QR code phishing has become an increasingly common tactic among cybercriminals because it increases the chances of a user opening an email. Examples of QR code scams include:

  • QR code scams on parking meters and other contactless payments: The Austin, Texas police department recently reported finding 29 fraudulent QR codes on the city’s parking meters. When unsuspecting victims scanned the QR code, they were sent to an official-looking payment page to pay for parking. However, when they entered their credit card information, it was sent to scammers who could use it to make fraudulent purchases or sell the victims’ personal data on the Dark Web.
  • Tampered QR codes in restaurants: Restaurants are among the most common places where Americans use QR codes to view menus, order, and pay for meals. Scammers can replace these QR codes with those that redirect you to a phishing website that will steal your personal information. If you’re unsure about the QR code in a restaurant, ask a staff member if the URL that pops up is correct. To be extra sure, manually visit the restaurant’s website using your phone’s browser — and only pay in person. 
  • Fake QR codes sent in the mail (surveys, sweepstakes, etc.): Scammers will sometimes send physical mail containing QR codes claiming to offer giveaways, prizes, or instant coupons. You should interact with these scams like you would physical junk mail or a spam email in your inbox: if you don’t know the sender personally, don’t click on (or scan) any links. If it is a legitimate company offering a discount or special offer, visit their website directly to verify it.

Training employees to spot advanced phishing techniques can help prevent targeted workers from being scammed. Attacks vary in location, from parking meters to restaurants, from physical mail surveys and sweepstakes to unexpected packages. Thus, this threat must be kept top of mind. If a business, individual, or user is unsure if a link is trustworthy, the best thing to do is simple: don’t click it if you don’t trust it!

How Can I Identify & Prevent Quishing Attacks?

The following characteristics are indications that an email may be a quishing attempt:

  • Sense of urgency: If you receive an email or text urgently asking you to scan a QR code, with wording such as “limited time offer,” “your account is hacked,” or “urgent payment required” (TV licensing fraud payment), it is quite possibly a scam.
  • Unfamiliar sender: One of the most common signs of a QR code phishing email attack is an unknown sender. If you receive an email from someone you don’t recognize, it’s best to be wary before scanning QR codes or downloading PDF attachments.
  • Suspicious URL Link: Scammers often use shortened URL links to hide their true destination, so be aware if you notice a questionable URL, as it could be a phishing email attack.
  • Poor grammar: Scammers often use poor grammar and spelling in their emails since they may not grasp the language well or are trying to rush through writing the message.
  • Requests for personal information: A credible company will never ask for your personal information by scanning a QR code through an email.
  • Always use multifactor authentication: Multi-Factor Authentication (MFA) requires users to provide two pieces of information to access their accounts. This could include a username and password combination or a QR code sent via text message or mail. Using MFA can ensure that even if a user’s credentials are compromised, the scammer cannot get into the account without the secondary information. 
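
The indicators above can be checked mechanically once a message reaches a gateway or a reporting mailbox. The following is an added example, not part of the original article: it flags the pattern this guide describes (a scan request carried in an image, with no link in the body for a filter to follow) and then applies the urgency and shortened-URL checks. The phrase and shortener lists, the sender-domain comparison, and the `decoded_qr_url` input (assumed to come from a separate QR decoder) are illustrative assumptions.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlsplit

# Illustrative lists (assumptions); tune them to your own mail flow.
URGENCY = ("limited time offer", "your account is hacked", "urgent payment required")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
URL_RE = re.compile(r"https?://\S+", re.I)
SCAN_RE = re.compile(r"\bqr\b|\bscan\b", re.I)

def triage(msg, decoded_qr_url=None):
    """Return indicator codes for one message.

    decoded_qr_url is the payload of a QR code found in the message's
    images, produced by a separate decoder (hypothetical, not shown).
    """
    text, has_image = "", False
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            has_image = True
        elif part.get_content_type() == "text/plain":
            text += part.get_content()
    hits = []
    # The lure lives in an image and the body exposes no URL to scan.
    if has_image and SCAN_RE.search(text) and not URL_RE.search(text):
        hits.append("no-link-image-lure")
    if any(phrase in text.lower() for phrase in URGENCY):
        hits.append("urgency")
    if decoded_qr_url:
        host = (urlsplit(decoded_qr_url).hostname or "").lower()
        sender = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
        if host in SHORTENERS:
            hits.append("shortened-url")
        elif sender and host != sender and not host.endswith("." + sender):
            hits.append("destination-not-sender-domain")
    return hits

def sample_message():
    """Constructed sample: urgent text plus an inline image, no link."""
    m = EmailMessage()
    m["From"] = "Billing <billing@example.com>"
    m["Subject"] = "Action needed"
    m.set_content("Urgent payment required. Scan the QR code below to pay.")
    m.add_attachment(b"constructed image bytes", maintype="image",
                     subtype="png", filename="qr.png")
    return m

if __name__ == "__main__":
    print(triage(sample_message(), "https://bit.ly/constructed"))
```

A destination that differs from the sender's domain is only a prompt for review, since legitimate mail often links to third-party services.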

Keep Learning About Preventing Quishing Attacks

Users must stay alert to any notification on their phones, especially if it comes in a QR code. Taking precautions and using the steps above will be a step in the right direction.

Users can easily protect themselves by using QR code scanner apps before scanning from mobile devices, constantly checking the URL source and email quality, and never sharing personal information. If you notice something suspicious, don't hesitate to report it.
