Protect Against QR Code Phishing
In analysing the latest cyber threats, we identified a rising concern: QR Code Phishing, commonly referred to as Quishing. It’s unfortunate that useful tools like QR codes are being misused by malicious actors. Given how accustomed we’ve become to trusting these codes, we decided to explore this issue further.
What Is Quishing & Why Is It So Effective?
Quishing involves scammers using QR codes to direct victims to harmful URLs, effectively avoiding regular email security filters that usually catch dubious links. The prevalence of QR codes during the COVID-19 pandemic for tasks like viewing menus, making payments, and other contactless transactions has left many of us vulnerable, and cybercriminals are exploiting our complacency.
This technique plays out in two primary scenarios, occurring both online and in real life:

- The Digital Threat (Fake MFA): For example, a phishing email claiming “Re-authenticate 2 Factor Authentication” illustrates a prevalent form of MFA phishing. Here’s how it typically unfolds:
  - The scammer sends an urgent email.
  - The embedded QR code links directly to a bogus login page, such as a counterfeit Microsoft sign-in.
  - We have modified the QR Code in the email on the right to lead you to THIS very page. Give it a try!
  - Scanning the code bypasses the need to check a visible URL manually.
  - If the victim inputs their username, password, and MFA code on this fake site, the scammer can capture these details and access the genuine account. The QR code serves as an instantaneous, invisible pathway to theft.
- The Physical Threat (Sticker Overlays): It’s alarmingly easy for a scammer to place a fraudulent QR code sticker over legitimate codes on public objects, like parking meters, promotional posters, or mall windows. Such deceptively convincing stickers can link to counterfeit banking or payment sites, where the goal is to extract your credit card information or inject malware.
  - We modified this QR Code to take you to THIS very page. Give it a shot!

Quishing Solutions & Essential Precautions
Always treat unsolicited QR codes as suspicious. For the vast majority of consumers and businesses (and we suspect even that is an underestimate), the risks far outweigh any convenience.
5 Crucial Rules for Using QR Codes:
- NEVER Scan From Unknown Sources: This is the most significant way to enhance your security. If you receive a QR code that wasn’t anticipated, avoid scanning it entirely.
- VERIFY All Digital Requests: If a QR code arrives from a supposedly “trusted” source (such as your IT department or bank) via email or text, stop! Do not scan it. Instead, reach out to the sender using a different, secure method—whether that’s a phone call, a fresh and verified email, or by directly navigating to their official website.
- Check the Link Preview: If your device shows a URL preview before you navigate, scrutinise it. Ensure the site employs HTTPS and watch out for glaring typos or suspicious domains (for instance, lime.plala.or.jp instead of microsoft.com).
- Be Cautious with Shortened Links: QR codes frequently use link shorteners (bit.ly, tinyurl, etc.), which obscure the final destination. This is precisely what scammers want. Steer clear of them.
- Assess Your Surroundings: In the physical realm, if a QR code sticker appears to be an addition to a legitimate sign or surface, assume it might be a scam.
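The “Check the Link Preview” and “Be Cautious with Shortened Links” rules above can be turned into an automated triage step for a help desk or security team that receives reported QR codes. The following is an added example, not code from this article: it takes the URL decoded from a QR code (decoding itself is left to whatever scanner you use) and flags the warning signs the article names: a non-HTTPS link, a link shortener, an unexpected domain, and a trusted brand name buried inside an untrusted host. The trusted-domain list, the shortener list and the sample URLs are constructed assumptions; the domains lime.plala.or.jp, microsoft.com, bit.ly and tinyurl come from the text.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumption: domains this organisation treats as legitimate destinations.
TRUSTED_DOMAINS = {"microsoft.com", "example-corp.com"}

# Shorteners named in the article plus two commonly seen ones (assumption).
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Tiny sample of multi-label public suffixes so that e.g. plala.or.jp is
# treated as one registered domain. Real deployments should use the full
# Public Suffix List; this set is a deliberate simplification.
MULTI_LABEL_SUFFIXES = {"or.jp", "co.jp", "co.uk", "com.au"}


@dataclass
class Verdict:
    """Result of assessing one decoded QR URL."""
    url: str
    host: str
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def registered_domain(host: str) -> str:
    """Return the registrable part of a hostname (simplified suffix handling)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_qr_url(url: str, trusted=TRUSTED_DOMAINS, shorteners=SHORTENER_DOMAINS) -> Verdict:
    """Apply the article's link-preview checks to a URL decoded from a QR code."""
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()
    verdict = Verdict(url=url, host=host)

    # Rule: the destination should be an ordinary HTTPS web link.
    if parsed.scheme not in ("http", "https"):
        verdict.findings.append(f"non-web scheme '{parsed.scheme}'")
        return verdict
    if parsed.scheme != "https":
        verdict.findings.append("not HTTPS")
    if not host:
        verdict.findings.append("no hostname in URL")
        return verdict

    reg = registered_domain(host)

    # Rule: shorteners hide the final destination, so treat them as a warning.
    if reg in shorteners:
        verdict.findings.append(f"link shortener '{reg}' hides the real destination")

    # Rule: anything outside the trusted list is unexpected; additionally flag
    # a trusted brand name appearing inside an untrusted host (lookalike).
    if reg not in trusted:
        verdict.findings.append(f"'{reg}' is not a trusted domain")
        for trusted_domain in trusted:
            brand = trusted_domain.split(".")[0]
            if brand in host:
                verdict.findings.append(f"host '{host}' imitates '{trusted_domain}'")
    return verdict


# Constructed sample URLs as a scanner might decode them (not real campaigns).
SAMPLE_URLS = [
    "https://www.microsoft.com/account",
    "https://lime.plala.or.jp/login",
    "http://microsoft.com.login-check.example/verify",
    "https://bit.ly/placeholder",
]


def triage(urls=SAMPLE_URLS) -> dict:
    """Map each URL to its list of findings; an empty list means no flags."""
    return {u: assess_qr_url(u).findings for u in urls}


if __name__ == "__main__":
    for url, findings in triage().items():
        status = "SUSPICIOUS" if findings else "ok"
        print(f"{status:10} {url}")
        for f in findings:
            print(f"           - {f}")
```

Running the block prints one line per sample URL: the microsoft.com link passes, the lime.plala.or.jp link is flagged as an untrusted domain, the http lookalike is flagged three times (not HTTPS, untrusted, imitates microsoft.com), and the bit.ly link is flagged as a shortener. The trusted list is the important tuning point: the check is only as good as the allowlist you maintain for it.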
In Conclusion
In brief, it’s evident that scammers are utilising QR codes to circumvent security measures and direct you to dangerous sites unnoticed. Whether via a faux sticker or a seemingly official email, QR codes represent an easy opportunity for phishing attacks.
We strongly advise all personnel to treat unsolicited QR codes as potential threats to their credentials. Don’t make it easy for cybercriminals.