SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Australia
Guides
#
cloud security
#
cybersecurity
#
endpoint protection
#
firewall
#
ransomware
Search
Story image
#
Cloud Services
#
Cybersecurity
#
Malware
Rise in 'quishing' attacks exploits growth in QR code usage
Wed, 28th Feb 2024
Author image
By Sean Mitchell, Publisher
Follow us

The use of QR codes is on the rise globally, and with it, a new form of phishing attack, warns Josh Cigna, a solutions architect at Yubico. An increasing number of cyber criminals are leveraging the popularity of QR codes to carry out what has become known as quishing, or QR code phishing attacks.

Phishing attacks, which trick users into divulging personal data or performing an action such as downloading malware, are the most common form of online account breach today, thanks to their cost-effectiveness and high success rate. Traditionally carried out via emails containing deceptive links or attachments, phishing scams have also been propagated through text messages or even telephone calls.

Phishing scams can convincingly imitate messages from reputed brands, leading 44% of users to perceive emails from trusted brands as safe. Yet, in a twist to this tactic, cyber criminals are now utilising QR codes as tools for phishing attacks, observes Cigna.

QR codes, which are essentially a type of barcodes that smartphone cameras can read, are versatile in their capability to store plain text or links for a variety of uses. In 2022, a reported 83.4 million US smartphone users scanned QR codes, and this figure is projected to hit 99.5 million by 2025. The enhanced usage of QR codes has rendered them attractive bait for phishing attempts.

Quishing attacks exploit either physical or digital QR codes to draw users to counterfeit websites created to extract personal information, or ply with malware. Often, like traditional phishing, there's an element of urgency around a benefit or consequence. As per Cigna, there was a 51% uptick in quishing attempts in September 2023 compared to the combined figure for the period January through August 2023. The same month saw 9.5% of all scanned QR codes being malicious.

Cigna provides some illustrations of how a QR-based phishing attack operates. For instance, a fake QR code attached to a bank door prompts users to log into their bank account to enter a contest, thereby potentially revealing their banking credentials for fraudulent purposes. Similarly, an email supposedly from a known retailer containing a fraudulent QR code can fool users into divulging their private data, which can subsequently be sold on the black market or used for further phishing offensives.

So how can one guard against QR code phishing attacks? Cigna offers a few key recommendations to strengthen security. These include verifying the legitimacy of the QR code's source, being circumspect when sharing personal information, being cautious of payment methods, and enabling strong, phishing-resistant multi-factor authentication (MFA) across all accounts. In particular, device-bound passkeys, such as hardware security keys like the YubiKey, can provide robust protection by requiring a password as well as physical interaction with a security key for account access.

Related stories
Smarttech247 & SentinelOne launch AI-powered cybersecurity for SMEs
GitHub's 2FA initiative helps secure software supply chain
Jason Haddix joins Flare as Field Chief Information Security Officer
AI tools linked to data exposure in 1 in 5 UK organisations
Trend Micro introduces AI-driven cyber risk management features
Top stories
Australian businesses fast-track Microsoft cloud adoption amid cyber threats
Zscaler introduces enhanced ZDX service for improved IT operations
The importance of cybersecurity training for software developers
HID acknowledged as Leader in Gartner Magic Quadrant for Indoor Location Services
Exclusive: How Darktrace is tackling AI-driven cybersecurity