Have you heard of quishing?
It’s a new attack vector being used by scammers. And, as the phonetics of the name suggest, it’s a variant on phishing.
If you’re a regular reader of the Grant McGregor blog, you’ll be well aware that phishing is an attempt by cyber criminals to get their hands on your valuable data.
The scammers “phish” for financial credentials, login and password details, and other exploitable or saleable data. They do this through seemingly trustworthy emails which prompt the recipients to voluntarily hand over sensitive information.
Since the concept of phishing has been established in the minds of most technology users, it’s a useful way of categorising attack vectors which present high levels of threat. The term has been given many variants, as cyber security experts try to explain and express different threats.
These threats include:
• Spear phishing – a more targeted approach to phishing using targeted emails
• Big game phishing – targets emails directed at high net worth and extremely senior victims
• Smishing – the use of SMS messages to phish for information or send malicious links
• Quishing – the latest approach to phishing
The threat of quishing refers to attacks which use a quick response code (QR code) to lure victims to malicious websites where they are encouraged to part with personal, financial or high-value information or to click on malicious links to download malware.
In June 2023, Tech Target warned of a quishing attack vector which was identified by HP researchers. Users received an email that appeared to come from a parcel delivery service, requesting payment via a QR code. The QR code forces a user to move from a desktop or laptop to a mobile device, which might have weaker anti-phishing protections.
Although the campaign the HP researchers discovered sought to solicit individuals' financial information, Tech Target highlights that threat actors could equally use such quishing campaigns to distribute mobile malware and steal enterprise login credentials.
It’s also worth bearing in mind that, while most QR codes will open a webpage, scanning a QR code can also be a trigger to launch a phone call, text message or digital payment.
Former spear phisher James Linton told the Independent newspaper that quishing is a growing threat.
In particular, he warns against scanning QR codes that appear in PDFs or emails. He said, “QR codes are not normal in an email, because it is always easier for companies to just use a link. So if you receive one, you need to be careful about it.”
However, he went on to tell the newspaper that “I don’t think we’re going to have a case where every QR code you see out in the wild is going to be a weaponised one, because they are labour-intensive to make. Often, scam websites can be taken down within the hour, so unless scammers are constantly printing out new posters or labels to stick around, it doesn’t seem practical.”
Nevertheless, the UK’s National Cyber Security Centre (NCSC) has issued its own warnings and guidance about the quishing threat. It warns
• The NCSC is seeing an increase in these types of ‘quishing’ attacks.
• Scanning QR codes in open spaces (like stations and car parks) might be riskier.
• As with many cyber-attacks, you should be suspicious if you’re asked to provide what feels like too much information, whether that’s on a website or in any follow-up communications (such as a phone call).
• If you receive an email with a QR code in it and you’re asked to scan it, you should exercise caution.
As a first line of defence, the NCSC recommends that you use the QR-scanner that comes with your phone, rather than using an app downloaded from an app store.
As with any type of cyberattack which targets users, the best defence against quishing is to educate your people.
Make sure they understand and follow simple precautions, including:
• Never scan a QR code from an unfamiliar source.
• Rather than scanning a QR code to take you to a website, download the app from the official Google or Apple store or search the website on your phone’s Internet browser. It may take longer, but it’s more secure.
• Check the preview of the QR code's URL to see if it appears legitimate. Make sure the website uses HTTPS rather than HTTP, doesn't have obvious misspellings and has a trusted domain.
• Trust your instincts. If something doesn’t seem right, don’t share your details.
Additionally, Tech Target recommends that businesses should provide security awareness training to staff that includes the following best practices:
• Stay alert for hallmarks of phishing campaigns, such as a sense of urgency and appeals to your emotions, e.g. sympathy, fear, etc.
• Be extremely wary if a QR code takes you to a site that asks for personal information, login credentials or payment.
• Observe good password hygiene by changing your email password frequently and never using the same password for more than one account.
As with other types of phishing, when it comes to quishing, education and caution are your best lines of defence.
If you would like to work with Grant McGregor to raise your staff’s cyber awareness, please get in touch. We have a range of training solutions to help.
If you would like any more general advice about dealing with cyber security threats or bolstering your organisation’s cyber security posture, the Grant Mc Gregor team can assist with this as well.
We are always happy to provide help and offer advice.
Call us: 0808 164 4142
Message us: https://www.grantmcgregor.co.uk/contact-us
Further reading
Read more about phishing and other cyber-security topics on our blog:
• How to protect yourself against 2022’s phishing threats
• Top 10 phishing red flags you need to know about
• How do you prevent a Phishing Attack?
• How to minimise the effects of a Phishing Attack
• How Phishing Got Social
• Cyber security update: 2023’s phishing tactics
• AI’s new role in cyber security
• Why you must start planning early for Windows 10 end of life