Quick response (QR) codes are ubiquitous. Businesses use them for everything from contactless access to restaurant menus and user manuals to payment and shopping links, making it easy for customers to reach digital resources on their mobile devices. However, these codes have also created a growing security threat to businesses, as cybercriminals can use them to bypass multifactor authentication protocols and steal login credentials. Hackers launch so-called “quishing” attacks by sending users who scan the code on their mobile device to a website that impersonates a legitimate login page.
How Quishing Attacks Work
Using QR codes for phishing is effective for one key reason: it abuses users’ trust in digital scanning and barcode technology. For the average person, scanning a code in a cafe doesn’t present any risk, and most of us do it regularly without any issues.
This widespread trust makes it easier for hackers to exploit the codes for nefarious purposes. A recent attack on cybersecurity firm Sophos illustrates exactly how these attacks work.
The attackers embedded the codes in seemingly innocuous emails that appeared to come from an internal email address. When a recipient scanned the code, which was presented as relating to employee benefits, it directed them to a malicious site designed to look like a legitimate login page. Almost immediately after they entered their login credentials and MFA token, the attackers attempted to access a secure internal application.
The network settings thwarted the Sophos attack almost immediately. However, the incident highlighted potential dangers in this form of mobile interaction.
QR Codes Make It Easy for Hackers To Evade Detection
Quishing marks an evolution in phishing, making it much easier for hackers to get around email security tools designed to stop phishing attacks.
Email security filters typically block messages containing suspicious URLs, keeping them out of employee inboxes. Because a QR code carries the URL as an image rather than as text, such messages can slip past those filters and reach their intended targets. When combined with other proven phishing tactics, such as social engineering, appeals to urgency and emotion, and abuse of trusted domains, there’s a greater chance that the recipient will respond and inadvertently expose their credentials.
Can You Avoid Quishing Attacks?
In some ways, it’s easier to avoid falling victim to a quishing attack than other cyberattacks: you won’t have any trouble if you don’t scan the code in the email.
That said, it’s still important to follow a few best practices, including:
- Implementing endpoint security, which will catch malicious URLs hidden in QR codes
- Ongoing education about identifying phishing messages
- Confirming the message with the purported sender
- Checking the legitimacy of the URL embedded in the code, especially when it asks for sensitive data
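The filtering gap described above and the last item in this list come together in the following defender-side check. It is an added example, not code from the original article or from Sophos: it assumes the QR image attached to an email has already been decoded to a string by a separate scanner or library (decoding is out of scope here) and then applies the same kind of URL scrutiny a mail gateway would apply to a text link. The organization’s domain (`example.com`), the shortener list and the sample payloads are constructed for illustration.

```python
"""Apply URL checks to payloads decoded from QR codes found in email.

Added example (not from the original article). Assumes QR images have
already been decoded to strings by an external library; only the URL
triage is shown. example.com, the shortener list and SAMPLE_PAYLOADS are
constructed values.
"""
from urllib.parse import urlparse

# Constructed: the organization's own registrable domain. Only hosts that
# are this domain or a subdomain of it are considered trusted login targets.
BRAND_DOMAIN = "example.com"

# Constructed list of shorteners that hide the final destination from a scanner.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Words that commonly appear in paths/queries luring users to re-authenticate.
LURE_WORDS = ("login", "signin", "verify", "mfa", "benefits", "password")

# Digit/symbol substitutions often used to imitate a brand name (coarse heuristic).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})

# Findings that on their own justify blocking the message.
HIGH_SEVERITY = {"lookalike-domain", "credentials-in-url"}


def normalize_host(host):
    """Lower-case the host and drop a trailing root dot."""
    return host.lower().rstrip(".")


def is_trusted(host):
    """True only for the brand domain itself or one of its subdomains."""
    return host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN)


def is_lookalike(host):
    """Flag untrusted hosts that embed the brand label, e.g. 'sso.example.com.evil.net'
    or 'examp1e.com'. Deliberately coarse: a false positive only costs a review."""
    if is_trusted(host):
        return False
    brand = BRAND_DOMAIN.split(".")[0]
    folded = host.translate(HOMOGLYPHS).replace("-", "")
    return brand in folded


def assess_qr_payload(payload):
    """Return a verdict ('allow', 'review', 'block', 'non-url') plus the reasons."""
    reasons = []
    parsed = urlparse(payload.strip())
    if parsed.scheme not in ("http", "https"):
        # Wi-Fi, vCard or plain-text payloads are not web links; handle them elsewhere.
        return {"verdict": "non-url", "reasons": ["not-a-web-url"], "host": None}

    host = normalize_host(parsed.hostname or "")
    trusted = is_trusted(host)

    if parsed.scheme != "https":
        reasons.append("insecure-scheme")
    if parsed.username is not None:
        # 'https://login.example.com@203.0.113.7/' shows a trusted-looking prefix
        # but actually connects to the host after the '@'.
        reasons.append("credentials-in-url")
    if host in SHORTENERS:
        reasons.append("url-shortener")
    if is_lookalike(host):
        reasons.append("lookalike-domain")
    text = (parsed.path + "?" + parsed.query).lower()
    if not trusted and any(word in text for word in LURE_WORDS):
        # A login-themed page on a host we do not own is the classic quishing pattern.
        reasons.append("credential-lure")

    if HIGH_SEVERITY.intersection(reasons) or "credential-lure" in reasons:
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "reasons": reasons, "host": host}


# Constructed sample payloads, as a scanner library would hand them to us.
SAMPLE_PAYLOADS = [
    "https://sso.example.com/login?app=benefits",           # legitimate internal SSO
    "https://sso.example.com.hr-portal-update.net/login",   # brand used as a subdomain
    "https://examp1e.com/mfa/verify",                       # digit-for-letter lookalike
    "https://login.example.com@203.0.113.7/benefits",       # userinfo trick (TEST-NET IP)
    "http://bit.ly/xyz123",                                 # shortener over plain HTTP
    "WIFI:T:WPA;S:GuestNet;P:secret;;",                     # not a web URL at all
]


def triage(payloads):
    """Map each decoded payload to its verdict, for a gateway or SOC report."""
    return {p: assess_qr_payload(p)["verdict"] for p in payloads}


if __name__ == "__main__":
    for payload, verdict in triage(SAMPLE_PAYLOADS).items():
        print(f"{verdict:8} {payload}  {assess_qr_payload(payload)['reasons']}")
```

The point of the example is that once the image is decoded, nothing about the URL is special: the same allow-list, lookalike and shortener checks that already protect text links can be reapplied, which is what “endpoint security that catches URLs hidden in QR codes” amounts to in practice. Treat the verdicts as a triage aid; a human still confirms anything marked for review with the purported sender.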
If your company relies on QR codes to connect to digital resources, implement code encryption technology to ensure it doesn’t fall into the wrong hands and become a weapon hackers can use against you.