In the ever-evolving world of cyber threats, threat actors are constantly finding new ways to exploit vulnerabilities and trick individuals and organizations into divulging sensitive information. One such technique that has gained significant traction is QR code phishing (Quishing). 

Among the many technological changes influenced by Covid-19 was a huge resurgence in QR codes. With mandatory social distancing in retail environments, businesses such as restaurants and coffeehouses had to figure out ways to keep staff and customers safe while trying to make money and survive. QR codes provided a solution by allowing customers to scan a barcode, view menus, and place orders all while maintaining a safe distance from staff members. Foregoing physical menus was meant to help reduce the spread of the coronavirus through droplets on improperly disinfected menus.

Additionally, more organizations are requiring the use of two-factor authentication to validate users' access to applications. This is supposed to help the users  stay more secure, but it also opens the door for Quishing attacks. 

In this article, we will delve into the landscape of QR code phishing attacks, explore how threat actors are leveraging this method, and provide recommendations for organizations to fortify their defenses.

How QR Code Phishing Works

QR code phishing is a technique that exploits the convenience and familiarity of Quick Response (QR) codes for malicious purposes. QR codes are commonly used to quickly share information such as URLs, contact details, or payment information. Since the pandemic, QR code usage has had a resurgence and are used at restaurants to pull up menus, at transit stations to see schedules, or at retailers to encourage customer reviews. They are even sent over email to help the recipient download applications. However, cybercriminals have harnessed the power of these codes to lead victims to malicious websites, distribute malware, or steal confidential data.

“We have identified a sharp increase in QR code attacks lately,” said IRONSCALES R&D researcher, Or Malzman. “These QR code requests come in the form of email requests and tend to prey on urgency and lost account access to get the victim to respond.”

Exploiting QR Codes

Threat actors employ various strategies to carry out QR code phishing attacks:

• Impersonation: Attackers create QR codes that resemble legitimate ones, often using trusted brand logos or disguising URLs to mimic reputable sites.
• Social Engineering: Cybercriminals craft messages that incite urgency, curiosity, or fear to encourage individuals to scan the QR code without questioning its legitimacy.
• Malware Delivery: Scanning a malicious QR code can lead to the download and installation of malware onto the victim's device, providing the attacker with unauthorized access and control.
• Data Harvesting: By directing victims to fake login pages, attackers can steal credentials and personal information for identity theft or further attacks.

Recent Examples

The IRONSCALES R&D team evaluated first-party platform data and found a shocking 453% increase in QR code attacks in 2023 compared to 2022, during January through July. 

Total counts for 2022 (Jan-Jul): 3462
Total counts for 2023 (Jan-Jul): 19160

These are some of the recent examples caught by IRONSCALES sent to our customers.

In these examples, the attacker moved the attack to a mobile device which typically possess fewer security measures, and where user vigilance tends to be reduced.

How to Protect Your Organization

To shield your organization from QR code phishing attacks, consider implementing the following measures:

• Employee Training: Educate employees about the risks associated with scanning QR codes from unverified sources. Encourage them to verify the source and destination before scanning any code.
• Multi-Factor Authentication (MFA): Implement MFA for all accounts to add an extra layer of security, making it harder for attackers to access compromised accounts.
• URL Inspection Tools: Employ URL inspection tools that can check the safety of a website before employees visit it, helping to identify potential phishing sites.
• Security Solutions: Traditional email security gateways struggle to identify real vs fake emails that include QR codes. Look for solutions that use AI and machine learning that can learn and adapt to these types of evolving attack methods.
• Scan Before Scanning: Urge employees to use QR code scanners that include URL preview features. This allows them to see the destination URL before visiting the site, helping identify suspicious URLs.
• Policy Enforcement: Develop and enforce a policy regarding the internal use of QR codes; if supported, train employees on when and how they are used, and provide detailed guidance for handling unfamiliar QR codes.

Conclusion

QR code phishing attacks are a concerning trend that highlights the adaptability and creativity of cybercriminals. By staying informed about the tactics threat actors use and taking proactive steps to protect your organization, you can significantly reduce the risk of falling victim to these malicious schemes. Remember, an educated and vigilant workforce is one of the strongest defenses against the evolving landscape of cyber threats.