QR codes may have been invented in 1994 but they rose to popularity during the COVID pandemic, with increased usage ever since 2020.
Because they hold far more data than a linear barcode (up to 4,296 alphanumeric or 7,089 numeric characters at the lowest error-correction level), it is no wonder that they have become so ubiquitous. From customer payment in car parks to application access and authentication, the uses of QR codes are varied, but unfortunately they are also ripe for exploitation.
With reports of thousands of QR code attacks per day, companies and individuals need to be on high alert for QR code phishing, or 'quishing'. Tools such as ChatGPT have made it quicker, easier and, crucially, cheaper for cyber criminals to carry out convincing phishing attacks, without the cost and complexity that targeted 'spear phishing' or 'whaling' attacks traditionally required.
What is the risk of quishing?
In 2023, quishing incidents rose by 587%, and QR codes were used in 22% of all phishing attacks over the same period, underlining their growing popularity as a tool of choice for cyber criminals.
The majority of quishing attacks aim to steal data or to compromise systems, often as the entry point for ransomware.
86% of ransomware attacks originate from a malicious email that compromises user credentials; the stolen credentials are then used to take over the account.
How do QR codes evade cyber security measures?
Prevention matters, but no security service is foolproof. Email gateways, which inspect mail upstream of your inbox, are usually rules-based: they match on message text, hyperlinks and sender domains. A QR code carries its URL inside an image rather than as text, so those rules never see the link unless the gateway decodes the image.
Because the URL is hidden in an image, a QR code in an email can evade domain-level blocking, link rewriting and text classification. The same obfuscation works on people: with no visible address to look suspicious, recipients are more likely to scan and follow the link. Scanning also moves the click from a managed laptop to a personal phone, which often sits outside corporate web filtering.
Scammers still use traditional phishing techniques such as spoofed email addresses and logos to encourage end users to act, but a QR code is more likely to reassure people than a bare URL in an email.
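As an added example (not code from the original article or from any vendor it mentions), the script below shows what a gateway has to do to close the gap described above: walk the MIME tree of an incoming message, decode every image part, and run the decoded URL through the same checks that are normally applied to hyperlinks in the message text. It also flags the lure pattern itself (urgency wording plus an image and no clickable link), which still fires when a degraded QR image defeats the decoder. The blocklist, brand list and the sample e-mail are constructed for the example; the `decode_with_opencv` function uses OpenCV's built-in QR detector for real deployment, while `fake_decoder` and the placeholder image bytes let the sample run offline.

```python
"""Gateway-side triage of QR codes carried in e-mail (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlsplit

# Constructed lists for the example; a real gateway uses live threat feeds.
BLOCKED_HOSTS = {"login-m1crosoft.com", "secure-payroll-update.net"}
PROTECTED_BRANDS = ("microsoft", "office365", "docusign", "paypal")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
LURE_WORDS = re.compile(r"\b(scan|qr code|mfa|authenticator|expire|verify)", re.I)


def decode_with_opencv(image_bytes):
    """Real decoder for deployment: OpenCV's built-in QR detector. Imports are
    deferred so the rest of the module runs where cv2/numpy are absent."""
    import cv2
    import numpy as np
    img = cv2.imdecode(np.frombuffer(image_bytes, np.uint8), cv2.IMREAD_COLOR)
    if img is None:
        return []
    text, _points, _straight = cv2.QRCodeDetector().detectAndDecode(img)
    return [text] if text else []


_LOOKALIKE = str.maketrans({"-": "", "1": "i", "0": "o"})


def url_findings(url):
    """Apply to a QR-decoded URL the checks a gateway already applies to
    hyperlinks in the message text; returns a list of reasons (empty = clean)."""
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        findings.append(f"non-web scheme {parts.scheme!r}")
    if host in BLOCKED_HOSTS:
        findings.append("host on blocklist")
    if host in SHORTENERS:
        findings.append("URL shortener hides destination")
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode host")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("IP-literal host")
    normalised = host.translate(_LOOKALIKE)   # m1cros0ft -> microsoft
    for brand in PROTECTED_BRANDS:
        genuine = host == f"{brand}.com" or host.endswith(f".{brand}.com")
        if brand in normalised and not genuine:
            findings.append(f"look-alike of {brand}")
    if re.search(r"(^|&)(redirect|url|next|return)=", parts.query):
        findings.append("open-redirect style parameter")
    return findings


def triage_message(raw_bytes, decode_qr=decode_with_opencv):
    """Walk the MIME tree, decode every image part and score the result."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    body_text, images = "", []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            body_text += part.get_content()
        elif ctype == "text/html":
            body_text += re.sub(r"<[^>]+>", " ", part.get_content())
        elif part.get_content_maintype() == "image":
            images.append(part.get_payload(decode=True))
    text_links = re.findall(r"https?://\S+", body_text)
    qr_urls = [u for img in images for u in decode_qr(img)]
    findings = {u: url_findings(u) for u in qr_urls}
    # Lure pattern: urgency wording, an image, and no clickable link at all.
    # This fires even when the decoder fails on a degraded image.
    lure = bool(images) and not text_links and bool(LURE_WORDS.search(body_text))
    if any(findings.values()):
        verdict = "block"
    elif lure:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"qr_urls": qr_urls, "findings": findings,
            "lure_pattern": lure, "verdict": verdict}


# Constructed placeholder standing in for a PNG of the attacker's QR code.
SAMPLE_QR_PNG = b"\x89PNG\r\n\x1a\n" + b"constructed-placeholder-image"
SAMPLE_QR_URL = "https://login-m1crosoft.com/auth?redirect=https://portal.office.com"


def fake_decoder(image_bytes):
    """Stand-in decoder so the sample runs offline: returns the URL a real
    decoder would extract from the constructed image, nothing for any other."""
    return [SAMPLE_QR_URL] if image_bytes == SAMPLE_QR_PNG else []


def build_sample():
    """Constructed lure: MFA pretext, no hyperlink, the QR image attached."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <it@example-corp.test>"
    msg["To"] = "staff@example-corp.test"
    msg["Subject"] = "Action required: authenticator re-enrolment"
    msg.set_content("Your authenticator will expire today. Scan the QR code below to verify.")
    msg.add_attachment(SAMPLE_QR_PNG, maintype="image", subtype="png", filename="qr.png")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample(), decode_qr=fake_decoder))
```

In practice the lure heuristic is what catches the campaigns that pass a blocklist: attackers rotate domains faster than feeds update, but the shape of the message (no link, an image, and a reason to scan it now) stays the same.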
How does a quishing attack work?
How to avoid the damage of a quishing attack
User awareness is extremely important, especially as quishing is a relatively new phenomenon; it should be part of any good cyber security education programme.
However, companies can also apply 'zero trust' principles, which make access to data and services more secure and reduce overall risk.
Zero trust is a security model that trusts no user or device by default, whether inside or outside the network. Users and systems must prove their identity and trustworthiness in several ways before they are allowed to access applications, data or other systems.
For example, requiring that a login comes from a device registered to that user, in addition to the correct credentials, means that a password captured through a quishing page cannot simply be replayed from the attacker's own machine.
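As an added illustration of the device-binding point above (this is example policy code, not the article's or any product's implementation), the evaluator below grants access only when the credentials are correct and the device is enrolled to that user and passes its posture check, and it asks for a phishing-resistant factor on sensitive applications because a one-time code can be relayed by the same phishing page that captured the password. The device registry, user names and device IDs are constructed for the example.

```python
"""Device-bound access policy (added example, not the page's own code)."""
from dataclasses import dataclass

# Constructed registry: which device IDs are enrolled to which user and the
# result of each device's last posture check. Real deployments read this
# from the MDM and identity provider.
ENROLLED_DEVICES = {
    "alice": {"LAPTOP-A1": {"compliant": True}, "PHONE-A2": {"compliant": True}},
    "bob": {"LAPTOP-B1": {"compliant": False}},
}
PHISHING_RESISTANT_MFA = {"fido2", "passkey", "certificate"}


@dataclass
class LoginAttempt:
    user: str
    password_ok: bool
    device_id: str
    mfa_method: str          # e.g. "fido2", "totp", "sms", "none"
    sensitive_app: bool = False


def evaluate_access(attempt):
    """Return (decision, reason); decision is 'allow', 'deny' or 'step_up'.
    Checks are ordered so the cheapest, most decisive signal fails first."""
    if not attempt.password_ok:
        return "deny", "invalid credentials"
    device = ENROLLED_DEVICES.get(attempt.user, {}).get(attempt.device_id)
    if device is None:
        # Correct password from a device the user never enrolled is exactly
        # what a replay of quishing-harvested credentials looks like.
        return "deny", "device not enrolled to user"
    if not device["compliant"]:
        return "deny", "device failed posture check"
    if attempt.mfa_method == "none":
        return "step_up", "MFA required"
    if attempt.sensitive_app and attempt.mfa_method not in PHISHING_RESISTANT_MFA:
        # An OTP typed into the attacker's page is relayed in real time, so
        # sensitive applications require a factor bound to the origin.
        return "step_up", "phishing-resistant MFA required"
    return "allow", "credentials, device binding and MFA satisfied"


if __name__ == "__main__":
    stolen = LoginAttempt("alice", True, "ATTACKER-X9", "totp")
    print(evaluate_access(stolen))   # denied despite the correct password
```

The second check is the one that neutralises the quishing scenario: the attacker has the password, may even have a relayed OTP, but is not logging in from a device enrolled to the victim.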
Concerned about cyber security?
Speak to our friendly team on 0117 900 5000 who can help you mitigate the risk.