By: Pranay Manek, Systems Engineering Manager for Barracuda
When you hear the term “phishing,” you are likely to imagine fraudulent emails with malicious links, designed to trick you into sharing information or compromising your security. Phishing is a relatively low-cost, easy-to-implement attack vector with potentially high rewards. As a result, the cybercriminals behind phishing are forever evolving, adapting, and innovating their methods. A recent weapon in their arsenal? QR codes. The type of phishing attacks that feature QR codes are known as ‘quishing’ attacks. Let’s take a closer look at this technique to understand how such attacks could impact you and your organization.
The rise of QR code-based attacks
QR codes are widely used and very convenient, offering seamless access to websites, files, or services with a simple scan on a smartphone device. They’ve also become another tool for cybercriminals to redirect unsuspecting users to malicious websites designed to steal sensitive information like login credentials or financial data.
What makes quishing so dangerous is the sophistication of the tactics and the cybercriminals’ ability to mimic trusted brands. For example, Microsoft, including SharePoint and OneDrive, accounted for 51% of impersonated brands, followed by DocuSign at 31% and Adobe at 15%. Some attacks even impersonated victims’ internal HR department.
Certain industries are particularly vulnerable to quishing attacks, including finance, healthcare, and education due to the sensitivity of their data. Small-to-medium businesses (SMBs) are also at heightened risk, as they often lack the resources and advanced security tools needed to combat more advanced threats.
Why quishing is hard to detect
Unlike traditional phishing, where malicious links are embedded in the body of an email, quishing attaches QR codes in the body of an email or in an attachment such as a PDF. Such PDFs are often framed as urgent requests, like accessing a file or signing a document, and rely on impersonation of trusted brands to convince victims to act quickly. According to recent threat research from Barracuda, more than half a million phishing emails with QR codes embedded in PDF documents were detected between June and September 2024.
The common thread of quishing attacks? QR codes lack direct links or embedded files, making them harder to detect. Victims are instructed to scan the QR code with their mobile devices, often bypassing corporate security measures and leading directly to phishing websites.
Quishing can represent a challenge for traditional security defenses. By separating the phishing content (QR code) from the email body, these attacks can evade email filters designed to scan for suspicious links or attachments. Furthermore, the use of multiple devices compounds the risk: while employees may open the email on a secure work device, they often scan the QR code with a personal mobile phone, which may lack equivalent security protections.
Defending against quishing
While quishing, like any kind of phishing is a potentially serious threat, it’s not an insurmountable one. Deploying multilayered email security including robust spam and malware filters, combined with regular health checks on email gateway settings, ensure that systems are optimally configured to counter evolving threats. Additionally, leveraging AI-powered email security solutions that analyze impersonation attempts within attachments can provide advanced detection and protection against quishing attacks.
Educating your workforce is equally important. Employees must be trained to recognize and report quishing attempts, especially those in unsolicited emails or documents. Finally, enabling multifactor authentication (MFA) adds an extra layer of security, safeguarding accounts even if credentials are compromised, and reducing the impact of successful phishing attempts.
Quishing underscores the dynamic and persistent nature of cyber threats. As attackers refine their techniques, organizations must remain vigilant and proactive. The combination of advanced technology, robust security protocols, and ongoing education can help thwart even the most cunning phishing attempts.