What Is Quishing? (7 Ways To Prevent QR Code Phishing Attacks)
It seems like every day there is a new cyber threat. One we’ve been hearing a lot about lately involves QR codes. Known as quishing, it is a type of phishing attack that hides the malicious link inside a QR code, and it is making the rounds.
In this article, we’ll explain the proliferation of QR code scams and let you know how to keep your business and employees from becoming the next victims.
We work with companies like yours every day and help them stay ahead of cyber threats to minimize the impact on their infrastructure. As manager, engineering services at Kelser, I'm an active participant in these conversations.
We know keeping track of the threats can be overwhelming (especially for small and medium-sized businesses), so we provide the information you need to best protect your organization’s technology backbone.
Knowing the threats that are out there is an important step toward staying ahead of them.
We provide employee security awareness training as part of our managed IT support service offering, but we know that managed IT may not be the best option for every organization.
That’s why we write easy-to-understand, informative articles like this one: so you can learn for yourself what you need to know and make the choice that’s right for you. We don’t believe in the hard sell. Instead, we believe that information is power.
What Is A QR Code?
QR (quick response) codes were invented in 1994 by Denso Wave, a Japanese automotive supplier, as a tool to track vehicle parts.
A grid of black squares on a white background, a QR code contains data that can be read by an imaging device such as a barcode scanner or a phone camera.
How Is A QR Code Like Or Unlike A UPC?
QR codes and UPCs (universal product codes) are similar in that they are both machine-readable and provide information when scanned. The difference is capacity: a UPC encodes a single 12-digit number, while the largest QR codes hold roughly 3 kilobytes of arbitrary data.
A traditional UPC is a row of black bars of varying widths that encodes only that 12-digit number identifying the manufacturer and the product. The product description, weight, or price are not in the barcode itself; the scanning system looks them up in a database using the number.
Unlike a traditional UPC, a QR code can contain a variety of data: a URL, an email address or telephone number, contact details, a calendar event that will populate on your calendar, plain text (a coupon, road race results or a restaurant menu, for example), or a geographic location.
They can also carry the name and password of a wireless network, so that scanning the code joins your phone to that network.
Widely implemented in medical and food service establishments to replace physical or paper documents during the COVID-19 pandemic, QR codes are used throughout a variety of industries.
Types Of QR Codes
There are two types of QR codes: static and dynamic.
A static QR code encodes the data itself (for example, the full URL), so what it does is fixed when it is printed. A dynamic QR code encodes a short redirect link hosted by the QR code service; the owner can change where that link points at any time without reprinting the code. That flexibility is also the security catch: a dynamic code that was safe when you first scanned it can be pointed somewhere else later, and the printed image looks exactly the same.
How Are QR Codes Created?
There are both free and paid options for creating a QR code, and anyone can generate one in a few simple steps.
Typically, businesses pay for a QR code service because they know they will use the code long term.
Free QR codes are more often used for quick-hit items like a sale or an event. Once the event is over or the free code is no longer active, the code (or the short link behind it) is often reused for something else, so an old code still printed on a flyer may no longer lead where it originally did.
What Is Quishing?
Also known as QR phishing, quishing is a type of phishing attack that uses a QR code in place of a written link, either to deliver malware that can then infect your devices and infrastructure or to send users to a fake site that tricks them into entering credentials or other sensitive information. Because the link is hidden in an image, neither the reader nor a filter that only inspects text can see where it goes before it is scanned.
Phishing is just one form of social engineering scam.
Related article: What Is Social Engineering? Tactics, Impact & 6 Tips To Avoid It
What Could A Quishing Scam Look Like?
Some of the recent scams I’ve heard about are emails asking users to scan the enclosed QR code to “safely and easily” delete email messages from their “full” inbox.
There are also fake QR codes sent to “verify” a package delivery or banking information, codes that arrive with the promise of coupons, and even codes that lead to fake charity organizations. Trust, but verify!
Keep in mind that with remote work, employees may check personal email on work devices (phones, etc.) which could put your infrastructure at risk.
Who Can Be Targeted?
While these scams target individuals, your employees could fall victim to a quishing scam while handling their business activities, so it’s important to keep them updated on all types of cyber threats.
One way to keep employees mindful of security and alert them to emerging threats is to provide regular employee security awareness training.
Related article: What Is Employee Security Awareness Training? Do I Need It?
7 Ways To Prevent Quishing Scams
Even when you are in a familiar setting, it’s important to keep your guard up. You could be sitting at a restaurant and scan the QR code for a menu, but instead be rerouted to a fraudulent site.
Here are some safety precautions that you can use to stay safe:
1. Keep your filters up to date
The first step in avoiding phishing scams is to make sure you keep your email and network filters up to date. While this won’t protect you from everything, it’s a good place to start and will keep your devices protected from the latest known malware and viruses. One caveat specific to quishing: the link is embedded in an image rather than written in the message, so an email filter that only inspects text URLs never sees it. Check whether your email security product decodes QR codes found in message bodies and attachments and applies its URL checks to the decoded link.
2. Check the link before you open it
There is nothing to hover over with a phone, but most camera and scanner apps show the decoded link as a preview before they open it. Read that preview.
Check that the link connected to the QR code looks legitimate before you open it. Are there misspellings, or a domain that only resembles the real one (extra words, swapped letters, or the real company name tucked in front of a different domain)? If the QR code was sent to you, what time was it sent? If it was outside of normal working hours, that should raise a red flag. Don’t automatically scan and click.
Let me add one other piece of advice: Be suspicious of any unsolicited communication that has a sense of urgency and encourages you to click on it, no matter if it arrives via text, email, or is sent as a QR code.
3. Look for a secure site
The link should go to a secure site. An “https” prefix means the connection is encrypted, but it says nothing about who runs the site; phishing sites use https too, so it is not a guarantee of legitimacy.
4. Verify the destination separately
Whether the QR code takes you to a web address or asks you to download an app, verify the destination on your own: type the organization’s address into your browser yourself or call the organization directly, rather than following the link associated with the QR code.
5. Never provide sensitive information via a QR code
You should never be asked to provide personal or sensitive information via a QR code.
Always be suspicious when people ask for login, financial, or other sensitive information (birth date, account numbers, etc.) via a QR code or any other means and verify the request directly before providing the information.
We’ve all heard the old adage “If something sounds too good to be true, it probably is.” Could that coupon for a free television be legitimate? Yes. Is it likely to be legitimate? Common sense would say no.
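The payload types listed earlier (URL, Wi-Fi, mailto, tel, geo, plain text) and the link checks in steps 2 through 5 can be turned into a small triage routine that runs over the text a scanner app decodes from a QR code before anything is opened. The following is an added example and not code from the original article; the trusted-domain list, the shortener list and every sample payload are constructed for illustration, and the two-label rule for the registrable domain is a simplification a real tool would replace with the Public Suffix List.

```python
"""Triage the text a scanner app decodes from a QR code before anything is opened.

Added example, not code from the original article. The trusted-domain list, the
shortener list and every sample payload are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical: the domains your organisation actually sends people to.
TRUSTED_DOMAINS = {"example.com"}
# Hypothetical: link shorteners whose real destination cannot be read from the URL.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
# Digit-for-letter swaps used in look-alike names (examp1e.com, g00gle.com).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable(host: str) -> str:
    """Last two labels of a host name. A real tool would use the Public Suffix
    List (to handle co.uk and friends); two labels is enough for this example."""
    return ".".join(host.split(".")[-2:])


def url_flags(url: str) -> list[str]:
    """Reasons an http(s) link should not be opened without separate verification."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = []
    if parts.scheme != "https":
        flags.append("not https")
    if parts.username is not None:
        # https://example.com@evil.test/ : the text before '@' is a username, not the host
        flags.append("'@' in URL hides the real host")
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a name")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        flags.append("internationalised (punycode) domain")
    reg = registrable(host)
    if reg in SHORTENERS:
        flags.append("link shortener hides the destination")
    elif reg not in TRUSTED_DOMAINS:
        flags.append("domain not on allow-list")
        # Look-alike: a trusted name appears inside the host (example.com.evil.test)
        # or matches after undoing digit swaps, while the registrable domain differs.
        for trusted in TRUSTED_DOMAINS:
            if trusted.split(".")[0] in host.translate(HOMOGLYPHS):
                flags.append(f"look-alike of {trusted}")
                break
    return flags


def triage(payload: str) -> dict:
    """Classify a decoded payload and return a verdict: 'open', 'verify' or 'reject'."""
    p = payload.strip()
    low = p.lower()
    if low.startswith(("http://", "https://")):
        flags = url_flags(p)
        hard = any(f.startswith("look-alike") or "hides the real host" in f for f in flags)
        verdict = "reject" if hard else "verify" if flags else "open"
        return {"kind": "url", "host": urlsplit(p).hostname, "flags": flags, "verdict": verdict}
    if low.startswith("wifi:"):
        # WIFI:T:WPA;S:<ssid>;P:<password>;;  -- the phone joins a network chosen
        # by whoever printed the code.
        fields = {}
        for part in p[5:].split(";"):
            key, sep, value = part.partition(":")
            if sep:
                fields[key.upper()] = value
        flags = ["joins a wireless network chosen by the code's author"]
        if fields.get("T", "").lower() in ("", "nopass"):
            flags.append("open network: traffic can be read by anyone nearby")
        return {"kind": "wifi", "ssid": fields.get("S"), "flags": flags, "verdict": "verify"}
    if low.startswith(("mailto:", "tel:", "sms:", "smsto:")):
        scheme, _, rest = p.partition(":")
        target = rest.split("?", 1)[0].split(":", 1)[0]  # drop ?subject= and the SMSTO message
        return {"kind": scheme.lower(), "target": target,
                "flags": ["starts contact with a party you did not choose"], "verdict": "verify"}
    if low.startswith("geo:"):
        return {"kind": "geo", "flags": [], "verdict": "open"}
    return {"kind": "text", "flags": [], "verdict": "open"}


# Constructed payloads modelled on the lures described in the article.
SAMPLES = {
    "menu": "https://example.com/menu",
    "full inbox": "https://example.com@accounts-example-com.test/login",
    "parcel": "http://examp1e.com/track?id=123",
    "coupon": "https://bit.ly/3abc",
    "free wifi": "WIFI:T:nopass;S:Free Airport WiFi;;",
    "charity": "mailto:donate@charity.test?subject=Help",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        result = triage(payload)
        print(f"{name:11} {result['verdict']:7} {result['kind']:7} {'; '.join(result['flags'])}")
```

Run it directly to see a verdict for each constructed sample. The “full inbox” lure shows why reading the preview matters: the URL starts with example.com, but that text sits before an “@” and is only a username; the real host is the unfamiliar domain after it. Anything that comes back as “verify” gets the step 4 treatment (type the address yourself or phone the organization); anything “reject” is not opened at all.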
6. Back up
Back up your data on all devices often. That way, when something happens, you will be able to restore your data more easily.
Related article: Data Backups Are Key To Disaster Recovery
7. Provide security awareness training
I know I’ve already mentioned this, but it’s important, so I’ll repeat it.
Consider offering cybersecurity awareness training to your employees. They can’t be expected to protect against threats they don’t know about. Keeping cybersecurity issues like phishing at the top of everyone’s mind on a regular basis is the best way to protect your organization.
Not sure what topics to cover? Read this article to learn 3 topics all cybersecurity awareness training must include.
What’s The Bottom Line?
While QR codes can be safe, they are an easy way for scammers to target unsuspecting victims: a person cannot read what a code contains, so a malicious code looks exactly like a legitimate one.
In this article, we’ve explained what a QR code is and how it differs from a UPC code. We’ve talked about static and dynamic QR codes and when each might be used. We’ve explored how QR codes are created and how they can be used in quishing scams.
We also provided information about who these types of scams target, and how to keep your data and infrastructure safe from quishing and other phishing attacks.
At this point, you know what to look for. The best guidance I can give you is to pause and consider the source before scanning a QR code or clicking on any links.
In addition, seriously consider providing security awareness training for your employees. (I know…it’s the third time I’ve mentioned it.) Here’s why: it is one of the most effective and underused cybersecurity tools available today. Read this article for a cost-benefit analysis of security awareness training.
If you are finding it difficult to keep up with ever-changing cyber threats, read this article to learn your options for external IT support. And, don’t forget to explore several providers to find one that is the right fit for you.