Quishing (QR Code Phishing)
QR code (Quick Response code) phishing is a type of cyber-attack in which attackers use QR codes to trick individuals into revealing sensitive information or performing malicious actions. These attacks are on the rise: a study by Hoxhunt Security found that 22% of phishing attacks used QR codes in October 2023.
The same study reported that just over one-third (36%) of recipients successfully identified and reported the attack with the Hox button. More than half failed to recognise it as a threat, while another 5% of employees actually scanned the QR code or clicked a link.
QR codes are two-dimensional barcodes that can store information, such as website URLs, contact details, or other data. In a phishing attack involving QR codes, attackers typically manipulate the codes to redirect users to malicious websites or perform actions that compromise their security.
How Does Quishing Work?
Scanning a QR code can affect the user in several ways:
- Fake Websites: Attackers create QR codes that, when scanned, redirect users to fake websites that mimic legitimate ones. These fake websites may prompt users to enter sensitive information such as usernames, passwords, or credit card details.
- Malicious Actions: Scanning a QR code might trigger the download of a malicious app or execute malicious code on the user’s device. This could lead to the installation of malware or other harmful software.
- Social Engineering: QR code phishing often involves social engineering tactics to lure victims into scanning the code. For example, attackers might send QR codes via email, text messages, or social media, claiming they lead to a special offer, discount, or important information.
- Credential Harvesting: Attackers might use QR codes to initiate phishing attacks aimed at stealing login credentials. The victim might be directed to a fake login page where they unwittingly provide their username and password.
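The fake-website and credential-harvesting cases above can be screened for before a user ever scans the code. The following Python is an added example, not taken from the study or from any product: it assumes a mail gateway has already decoded the QR image to text, and the `TRUSTED` and `SHORTENERS` lists and all function names are hypothetical.

```python
import ipaddress
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: domains the organisation really uses (hypothetical allowlist).
TRUSTED = {"example.com", "login.example.com"}
# Assumption: a small sample of public URL shorteners, not a complete list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _imitates(host: str, trusted: str) -> bool:
    # Trusted name used as a prefix of another domain, or a near-identical spelling.
    return (trusted + "." in host
            or SequenceMatcher(None, host, trusted).ratio() >= 0.8)

def triage_qr_payload(payload: str) -> list[str]:
    """Return the reasons a decoded QR payload should go to an analyst."""
    try:
        url = urlsplit(payload.strip())
        host = (url.hostname or "").lower()
    except ValueError:
        return ["unparseable URL"]
    if url.scheme not in ("http", "https"):
        return []  # contact card, Wi-Fi settings, plain text: not a web link
    reasons = []
    if url.scheme == "http":
        reasons.append("no TLS")
    if "@" in url.netloc:
        reasons.append("userinfo in URL hides the real host")
    if _is_ip(host):
        reasons.append("raw IP address instead of a domain")
    if host in SHORTENERS:
        reasons.append("URL shortener hides the destination")
    is_trusted = any(host == t or host.endswith("." + t) for t in TRUSTED)
    if not is_trusted and any(_imitates(host, t) for t in TRUSTED):
        reasons.append("imitates a trusted domain")
    return reasons

if __name__ == "__main__":
    # Constructed payloads, as a mail gateway might decode them from QR images.
    for s in ("https://login.example.com/reset", "http://examp1e.com/login",
              "https://example.com.account-verify.test/login"):
        print(s, "->", triage_qr_payload(s) or "no findings")
```

An empty list means only that none of these heuristics fired; the destination page itself still has to be checked before the link is treated as safe.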