What is quishing?
Quishing, or QR phishing, is a cyber security threat where attackers use QR codes to redirect victims to malicious websites or prompt victims to download harmful content. The goal of this attack is to steal sensitive information, such as passwords, financial data or personally identifiable information (PII), and to use that information for other purposes, such as identity theft, financial fraud or as the initial foothold for a ransomware attack.
Cyber Collab provides services that help organisations prevent, detect and respond to malicious cyber actors.
Why is quishing such a threat?
Traditional email phishing remains a common, and successful, way for malicious cyber actors to gain access to IT systems and data. However, public awareness campaigns and employer training have made people more cautious about links in email, so tricking someone into handing over access to valuable assets through a conventional phishing link is getting harder. Malicious cyber actors are therefore turning to other means of reaching IT systems.
Quishing is a type of phishing that often bypasses conventional defences such as secure email gateways. A gateway that rewrites or reputation-checks the links in an email has nothing to inspect when the link is encoded in the pixels of an image, so many gateways treat the QR code as a meaningless picture and let the message through. The scan itself then moves the victim from a managed corporate device to a personal phone, where web filtering and endpoint protection are often weaker or absent, which makes users more vulnerable to this specific form of phishing attack.
How does quishing work?
In a quishing attack, cybercriminals generate a QR code that directs users to a harmful website. These QR codes are often embedded in phishing emails, social media posts, printed materials, or physical objects, where attackers use deceptive tactics to lure victims.
For instance, a victim might receive an email claiming they can listen to an encrypted voice message by scanning a QR code, with a potential reward such as a cash prize.
When victims scan the QR code with their phones, they are taken to a malicious site that may ask for sensitive information, such as login credentials, financial details, or personal data like their name, email address, date of birth, or account information.
Once this data is obtained, attackers can misuse it for activities like identity theft, financial fraud, or even ransomware attacks.
Whenever a message asks you to leave the channel you received it on, for example by scanning a code with a different device, bear in mind how common scam exposure is: the Australian Bureau of Statistics reported that in 2021-22, two thirds of Australians aged 15 years and over were exposed to a scam.
How can you avoid being a victim of quishing?
Check the source of your QR code
Inspect the sender's email address, check whether its domain appears on reputation blocklists, and do not scan QR codes from senders you cannot verify at all.
Check the design and branding
Most brands create customised QR codes based on their branding. For instance, they may add their logo or use brand colours. Bear in mind that an attacker can add a logo just as easily, so treat a convincing design as weak evidence only and rely on the other checks.
Examine and preview the URL
Fake QR codes often lead to a malicious website or app designed to capture your personal information or extract money. Take care to preview the QR code's URL before visiting it: most phone cameras show the decoded link before opening it, and desktop decoders can print it as text. Read the domain name carefully, from right to left, and make sure it is the organisation's genuine domain rather than a lookalike, a shortened link or a bare IP address. HTTPS and a padlock symbol only tell you the connection is encrypted; they say nothing about who is on the other end, and phishing sites routinely use valid certificates, so their absence is a warning but their presence is not a guarantee.
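The following script is an added example for this article, not Cyber Collab tooling. It takes the text decoded from a QR code (the decoding itself is left to an existing decoder such as `zbarimg image.png` from the zbar project, or the preview shown by a phone camera) and reports the things a human previewer should look for: a non-web payload, plain http, a lookalike of a trusted domain, a bare IP address, a punycode host, a link shortener, userinfo before an `@`, and redirect parameters that point elsewhere. The trusted-domain allowlist, the shortener list and the sample URLs are illustrative assumptions.

```python
"""Triage a decoded QR payload before anyone taps it (example code, not Cyber Collab's)."""
from urllib.parse import urlsplit, parse_qs
import ipaddress

# Assumed: the domains an organisation's genuine QR codes are allowed to point at.
TRUSTED_HOSTS = {"example.com", "www.example.com", "pay.example.com"}
# Assumed: a few redirectors that hide the real destination until followed.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "qrco.de"}
# Query parameters commonly used by open redirects.
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "goto", "dest"}


def _registrable(host):
    """Crude registrable-domain guess (last two labels); enough for these checks."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_qr_payload(payload, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of human-readable findings for one decoded QR payload.

    An empty list means none of these checks fired, not that the link is safe.
    """
    findings = []
    parts = urlsplit(payload.strip())

    # QR codes also carry tel:, sms:, mailto:, WIFI: and arbitrary app schemes.
    if parts.scheme.lower() not in ("http", "https"):
        findings.append(f"payload is not a web link (scheme {parts.scheme!r}); treat as untrusted")
        return findings

    if parts.scheme.lower() == "http":
        findings.append("plain http: page would load unencrypted")

    # 'trusted.com@evil.net': everything before '@' is userinfo, not the host.
    if parts.username is not None:
        findings.append(f"URL contains userinfo before '@'; real host is {parts.hostname!r}")

    host = (parts.hostname or "").lower()
    if not host:
        findings.append("URL has no host")
        return findings

    if _is_ip(host):
        findings.append(f"host is a bare IP address ({host})")

    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(f"host uses punycode ({host}); its display form may mimic a trusted name")
        try:  # show the Unicode form so the lookalike characters are visible
            findings.append("decoded host: " + host.encode("ascii").decode("idna"))
        except UnicodeError:
            pass

    if _registrable(host) in KNOWN_SHORTENERS:
        findings.append(f"short link via {host}: final destination not visible until followed")

    # Brand name present in the host but host not on the allowlist, e.g.
    # example.com.evil.net or secure-example.top: a probable lookalike.
    brands = {_registrable(h).split(".")[0] for h in trusted_hosts}
    if host not in trusted_hosts:
        for brand in sorted(brands):
            if brand in host:
                findings.append(f"host {host!r} mentions {brand!r} but is not a trusted {brand} domain")
                break

    # A trusted host can still bounce the visitor elsewhere via a redirect parameter.
    for key, values in parse_qs(parts.query).items():
        if key.lower() in REDIRECT_PARAMS:
            for value in values:
                target = urlsplit(value).hostname
                if target and target.lower() != host:
                    findings.append(f"query parameter {key!r} redirects to {target.lower()}")
    return findings


if __name__ == "__main__":
    # Constructed sample payloads, as a decoder would print them.
    for sample in ("https://pay.example.com/invoice/123",
                   "http://example.com.evil.net/login",
                   "https://pay.example.com@203.0.113.5/",
                   "https://xn--bcher-kva.com/",
                   "https://pay.example.com/?next=https://evil.net/",
                   "WIFI:T:WPA;S:freewifi;P:secret;;"):
        print(sample, "->", inspect_qr_payload(sample) or ["no findings"])
```

The host-based checks deliberately ignore the padlock question: a certificate is checked by the browser only after the visitor has already reached the attacker's server, whereas everything above can be read from the decoded text before any connection is made.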
Follow Cyber Collab on LinkedIn for everyday tips on staying cyber secure.
4 steps to take if you think you are a victim of quishing
- If you think you have installed malicious software, run antivirus or security scan software on your devices to remove any malware.
- Report the incident through ReportCyber.
- If you think you have lost money, immediately report the transaction(s) to your bank or financial institution. You may also need to close any unauthorised accounts that have been opened in your name.
- Change the passwords of any accounts whose credentials you entered on the site, and of any other accounts that reuse the same password, to secure your online accounts.
If you are concerned about your organisation's cyber knowledge or security defence systems, we can help protect you from cyber incidents and attacks with our Board Education Program.