QR codes have become standard for mobile payments, marketing, parking apps, and restaurants. As with any convenient, ubiquitous technology, cybercriminals have found ways to exploit them.
Last year, the FTC issued a warning about scam QR codes, and the United States Postal Service did the same. Both organizations noted that the familiar barcodes were being used as part of a new type of phishing attack — dubbed “quishing” — to trick victims into giving up passwords, financial data, and other personal information.
How quishing attacks work
Quishing attacks come in a few varieties. Some arrive in the body of a traditional phishing email, luring victims to scan the code with their phones, which sends them to a fraudulent website. Others are embedded in a PDF attachment. In some cases, criminals paste QR codes in public areas or near parking lots to trick pedestrians into scanning them; in England, for example, scammers have been pasting these codes onto parking meters.
According to Barracuda data, more than half a million phishing emails carrying QR codes embedded in PDF documents have been detected. Between mid-June and mid-September this year, Barracuda found that these PDF-borne codes leveraged brand impersonation and urgency to trick victims into responding. Previously, the codes tended to appear in the body of the email, so the shift to PDFs marks a change in tactics.
Microsoft was impersonated in over half of the attacks, followed by DocuSign and Adobe. The PDF documents contain the QR code and nothing else: no other external links and no embedded files. Recipients are instructed to scan the code with their mobile phone to view a file or sign a document, and are then directed to a phishing website that harvests their login credentials.
The technique is effective because the PDF carries no clickable hyperlink and no executable content: the destination URL exists only as an image, so link extraction, URL rewriting and reputation lookups at the gateway have nothing to inspect unless the gateway renders the attachment and decodes the code. Scanning also moves the victim off the corporate desktop onto a personal phone, which is typically outside the company's web filtering and endpoint controls and less protected than a managed device.
Barracuda researchers also noted in their report that the quishing attacks increasingly target small to midsize businesses (SMBs) and companies in industries like finance, healthcare, and education (which deal in sensitive data).
Best practices for protecting your customers from quishing attacks
For MSPs, quishing is another attack variation that will impact clients across industries. MSPs should educate clients about the threat and help them implement best practices to prevent security breaches.
First, ensure clients instruct employees to treat QR codes received by email with suspicion. A code should be scanned only when the employee has confirmed it came from a legitimate source, by checking the sender's address and any website links or phone numbers in the message against those the organization already knows. A document-signing or file-sharing notification that offers no clickable link and asks the recipient to scan a code with a phone instead is itself a warning sign. Most phone camera apps display the decoded URL before opening it; employees should read the domain and compare it with the brand the message claims to come from before tapping. End-user education is a critical first line of defense against these social engineering attacks. Ensure employees know how to spot these emails and that there is a clear process for reporting suspected phishing.
Encourage clients to have employees harden their personal phones, and discourage them from using those devices to scan QR codes from work emails at all. Phones should have a strong screen lock, run the most recent operating system version, and have multifactor authentication enabled on the accounts used from them. Companies should also institute clear policies around personal device use at work.
Install a holistic, multilayered email security solution to block phishing emails. Note that a QR code is an image, so the filter must render PDF and image attachments and decode any codes it finds before the destination URL can be checked like an ordinary link. Configure email filters to block or quarantine emails containing QR codes from unknown or untrusted senders, and customize rules so that emails with QR codes trigger additional scrutiny (for example, a PDF attachment whose only call to action is a code to scan). Regularly audit email logs to identify trends in QR-code phishing attempts, and use these insights to tune detection rules and improve user education programs.
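The verification step asked of employees above (read the decoded URL and compare its domain with the brand the message claims to be from) and the additional-scrutiny rule suggested for the email gateway come down to the same check: does the domain the QR code points to actually belong to the impersonated brand, or is the brand name only a decoy in a subdomain, path or userinfo? The Python script below is an added example written for this page, not code from the original article or from Barracuda. It assumes the QR payload has already been decoded by a decoder library or by the gateway, and the brand-to-domain allowlist, shortener list, public-suffix shortcut and sample URLs are all constructed for illustration.

```python
"""Triage a URL decoded from an emailed QR code before anyone opens it.

Added example. The brand allowlist, shortener list and two-label suffix set
below are illustrative; a real deployment would maintain them from vendor-
published domains and a full public-suffix list.
"""
from urllib.parse import urlparse, parse_qs
import ipaddress

# Registrable domains legitimately used by the brands the article says are
# impersonated most often (constructed, deliberately incomplete allowlist).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com",
                  "live.com", "sharepoint.com"},
    "docusign": {"docusign.com", "docusign.net"},
    "adobe": {"adobe.com", "acrobat.com"},
}

# Shorteners hide the real destination from the person scanning (constructed list).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly"}

# Public suffixes made of two labels; a full public-suffix list is the real answer.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Findings that justify blocking outright rather than queueing for review.
HIGH_SEVERITY = {"brand-mismatch", "brand-decoy", "ip-literal-host", "userinfo-in-url"}


def registrable_domain(host):
    """Registrable domain of a hostname, e.g. login.microsoftonline.com -> microsoftonline.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_qr_url(url, claimed_brand=None):
    """Score a decoded QR URL; claimed_brand is the brand the lure impersonates, if known."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return {"url": url, "domain": "", "findings": ["unparseable"], "verdict": "block"}
    domain = registrable_domain(host)
    findings = set()

    if parsed.scheme != "https":
        findings.add("not-https")
    if parsed.username is not None:          # https://microsoft.com@evil.example/ style trick
        findings.add("userinfo-in-url")
    if _is_ip_literal(host):
        findings.add("ip-literal-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.add("punycode-host")        # homograph domains arrive as punycode
    if domain in SHORTENERS:
        findings.add("url-shortener")

    # The brand the lure names must own the registrable domain; appearing in a
    # subdomain, the path or the userinfo part is a decoy, not ownership.
    decoy_surface = host + parsed.path.lower() + (parsed.username or "").lower()
    if claimed_brand and domain not in BRAND_DOMAINS.get(claimed_brand.lower(), set()):
        findings.add("brand-mismatch")
    for brand, owned in BRAND_DOMAINS.items():
        if brand in decoy_surface and domain not in owned:
            findings.add("brand-decoy")

    # A query parameter carrying another URL is usually an open-redirect hop.
    for values in parse_qs(parsed.query).values():
        if any(v.lower().startswith(("http://", "https://")) for v in values):
            findings.add("embedded-redirect-url")
            break

    if findings & HIGH_SEVERITY:
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"url": url, "domain": domain, "findings": sorted(findings), "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample payloads, as a gateway rule or helpdesk triage script might see them.
    samples = [
        ("https://login.microsoftonline.com/common/oauth2/authorize", "microsoft"),
        ("https://microsoft-docs-secure.example/verify", "microsoft"),
        ("https://docusign.com.review-portal.example/sign?next=https://evil.example/", "docusign"),
        ("https://microsoft.com@evil.example/login", "microsoft"),
        ("http://bit.ly/3abc", None),
    ]
    for sample_url, brand in samples:
        result = triage_qr_url(sample_url, brand)
        print(f"{result['verdict']:6} {result['domain']:28} {', '.join(result['findings']) or '-'}")
```

The same function serves both audiences: a helpdesk can run it on a URL an employee reports, and a gateway rule can call it on every code decoded from a PDF attachment and quarantine on "block" while routing "review" to an analyst. The brand-decoy check is the one that catches most PDF lures of the kind described above, where the brand name is planted in a subdomain or path of a domain the brand does not own.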
Leverage artificial intelligence and other advanced technology to augment client security. Quishing emails are designed to bypass traditional email security controls, and AI-based solutions can analyze the behavior of emails containing QR codes, such as unusual sender-recipient patterns or mismatched headers, rather than relying on a visible link.