What is Quishing?
By Eddy Berry, Security Research Analyst, TraceSecurity
As new technologies and more convenient inventions are created, they can make life a lot easier. For example, QR codes, or quick-response codes, have become a quick and easy way to access things like websites or information. However, as with most new technologies, there are also those who seek to exploit them. For example, bad actors are beginning to use QR codes as a form of social engineering called quishing.
Quishing is a type of phishing that uses QR codes to lead people to malicious websites or programs. Bad actors put QR codes in various places, like emails, websites, and even business cards, in an attempt to disguise a bad link. In that sense, a QR code is very similar to a link in an email that you aren’t supposed to click, and it should be treated with the same suspicion. As with any email, never click a link you don’t recognize, and likewise, never scan a suspicious QR code.
What is a QR code?
A QR code, or quick-response code, is a type of barcode that can be scanned to connect you to a piece of data. A camera or scanner reads the pattern of black and white squares and decodes the data it holds, such as a website address, an identifier, or a locator. Most modern smartphones have a built-in QR code reader, and apps are available for those that don’t.
QR codes have become more popular over the past decade. Not only are they extremely easy to make, but they are also an easy vehicle for advertising and contact sharing. People put them in commercials, on business cards, and even in video games. Wherever there isn’t an easy way to click a link, a QR code has become the normal way to share information like websites or email addresses.
Quishing
As said above, quishing is a relatively new method of phishing that uses a QR code to lead unsuspecting victims to malicious websites. These QR codes can appear anywhere: beyond emails and social media, they can also be printed on physical items like business cards or flyers. Scanning a QR code is never a good idea unless you trust the source that provided it.
During Super Bowl LVI in 2022, an advertisement showed up with a bouncing QR code. Millions of people scanned this QR code without knowing what it did. Had the code been malicious, it could have exposed millions of people to malware, compromised their devices, or stolen sensitive information. Thankfully, this wasn’t the case, but it shows how rarely people think of QR codes as a method of phishing.
Avoiding Quishing
While quishing is another type of phishing to worry about, the usual methods of avoiding it are very similar. The biggest thing to remember about cybersecurity is to never click on a link or download an attachment that you don’t trust. Treating everything with suspicion is a good way to protect your personal data and your workplace. Security awareness training is always a good choice when it comes to preventing these attacks.
Fortunately, while modern smartphones scan QR codes easily, most of them show you the decoded website address or data before acting on it; a device will usually not open the destination without input from the user. That gives you one more layer of defense before you reach a malicious website. If you don’t recognize the website that the QR code is trying to take you to, don’t go to it.
Quishing is just another way that bad actors are trying to steal your information. It is a form of phishing that can lead you to a malicious website or install malware onto your device. As with any email or voice call, always be sure you know who is sending you information. Always double-check if you’re unsure of the source of an email or call, and never trust something simply because it was sent to you.
The same goes for QR codes. If you don’t know where a QR code comes from or where it leads, don’t scan it until you have verified the source. Bad actors are using QR codes to bring people to dangerous websites in an attempt to steal information or compromise devices. Even though these barcodes are an easier form of communication and information sharing, always treat them with the same scrutiny as an unknown email.
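The preview step described above is the moment where a person decides whether to proceed, so it helps to know what is worth looking for in that preview. The Python below is an added illustration, not code from the article or from TraceSecurity. It takes a payload exactly as a phone’s scanner would already have decoded it (it reads no images; the sample payloads and the small shortener list are constructed for the example) and returns the kind of action the code would trigger, the host it actually points at, and plain-language indicators that warrant a closer look before tapping through.

```python
"""Inspect a decoded QR payload before acting on it (added example, not the article's code)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample payloads, written the way a phone's scanner would decode them.
SAMPLE_PAYLOADS = [
    "https://www.example.com/menu",                      # ordinary link
    "http://192.0.2.10/login",                           # plain http to a bare IP address
    "https://user@example.com.evil-example.net/verify",  # user@ prefix makes the real host easy to miss
    "https://xn--pple-43d.com/account",                  # punycode-style host (possible look-alike domain)
    "WIFI:T:WPA;S:CafeGuest;P:secret;;",                 # joins a Wi-Fi network rather than opening a site
    "Table 12",                                          # plain text, triggers no action
]

# Illustrative list of well-known URL shorteners; a shortener hides the final destination.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


def inspect_qr_payload(payload: str) -> dict:
    """Return what a payload would do and any indicators worth a second look.

    The result mirrors the preview a scanner app shows: the kind of action,
    the host it points at, and a list of human-readable flags.
    """
    text = payload.strip()
    parts = urlsplit(text)
    scheme = parts.scheme.lower()

    if scheme not in ("http", "https"):
        if scheme:
            # tel:, mailto:, sms:, WIFI: and similar trigger an action other than browsing.
            return {"kind": scheme, "host": "", "flags": [f"non-web action ({scheme}:)"]}
        return {"kind": "text", "host": "", "flags": []}

    host = (parts.hostname or "").lower()
    flags = []

    if scheme == "http":
        flags.append("unencrypted http")
    if parts.username is not None:
        # Everything before '@' is ignored by the browser; it is only there to resemble a domain.
        flags.append("credentials (user@) embedded in URL; real host is " + host)
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a domain")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("internationalized (punycode) host; check for look-alike characters")
    try:
        port = parts.port
    except ValueError:
        port = None
        flags.append("malformed port")
    if port not in (None, 80, 443):
        flags.append(f"non-standard port {port}")
    if host in SHORTENER_HOSTS:
        flags.append("shortened link; final destination is not visible")
    if len(text) > 200:
        flags.append("unusually long URL")

    return {"kind": "url", "host": host, "flags": flags}


def preview_line(payload: str) -> str:
    """One-line summary in the spirit of a scanner's confirmation prompt."""
    info = inspect_qr_payload(payload)
    target = info["host"] or payload.strip()[:40]
    verdict = "looks ordinary" if not info["flags"] else "; ".join(info["flags"])
    return f"{info['kind']:>6} -> {target}: {verdict}"


if __name__ == "__main__":
    for sample in SAMPLE_PAYLOADS:
        print(preview_line(sample))
```

The flags are prompts for a human, not a verdict: an ordinary-looking link can still be malicious, and a flagged one can be legitimate, which is why the article’s advice to recognize the destination before proceeding still applies to every result.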
Connect with TraceSecurity to learn more.