Mobile Security Blog | Pradeo

Quishing: when a QR code becomes a trap

Written by Caroline Borriello | December 06, 2023

The threat landscape is evolving by the day. The latest phenomenon, Quishing, exploits QR codes to trick its targets. These widely used codes are a simple and effective way to link the physical and digital worlds. They are used on packaging, posters and even business cards to direct their audience to a website with a single scan. This practical, widely adopted tool is being hijacked by cybercriminals and is becoming a new threat to users. But what exactly is Quishing?

The term "Quishing" comes from the contraction of "QR" (for Quick Response) and "Phishing". While classic phishing mainly exploits links or email attachments to deceive its victims, Quishing uses QR codes.

Quishing has the same malicious intentions as phishing or smishing messages. It aims to trick individuals into divulging sensitive information, such as login credentials, financial data or other personal details.


What’s new in the world of phishing attacks?

Phishing is a scam technique that usually begins with an e-mail. The mail appears to come from a legitimate source and presents an often attractive request. The victim is enticed to click on a link in the e-mail and is then redirected to a fake website that may perfectly mimic a legitimate financial institution, online service or other entity. This fraudulent site is specifically designed to collect sensitive information such as login credentials, financial information or personal data. Smishing follows an identical approach, relying on an SMS rather than an e-mail.

With Quishing, the objective remains the same, but this time the malicious link is hidden behind a QR code. This code can be sent by e-mail or even physically pasted onto an existing QR code in stores, banks or even parking lots.


A trap that's difficult to detect

Quishing is more dangerous than traditional phishing because it is harder to identify.

First of all, phishing and smishing attacks are better known to users, and can be partially thwarted by e-mail spam filters. However, they are becoming increasingly sophisticated, relying on generative artificial intelligence to imitate the source they impersonate as closely as possible. Users need to be very vigilant about the sender (email, name, etc.) and the malicious link in order to thwart these data theft attempts.

Quishing, on the other hand, is still relatively unknown. In addition, the trust placed in QR codes, particularly on physical surfaces such as stores or parking lots, increases the risk.

Last but not least, QR codes are designed to be scanned by a cell phone, with the fraudulent link opening directly on the screen. Unlike a computer interface, mobile links are often less visible, making it more difficult to identify malicious pages. This key feature of Quishing significantly increases the risk to users.


Best practices

These tips help you avoid falling for the Quishing scam:

  1. Beware of additional stickers featuring a QR code.
  2. If in doubt, refrain from scanning the QR code and go to the official website on your own.
  3. If you choose to scan the QR code, always make sure that the website address you are redirected to is official. Look carefully at the address, spelling, graphics and logo.
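The third tip, checking that the address behind the code is the official one, can be automated on the decoded QR payload. The helper below is an added illustration for this post (it is not Pradeo's code); it assumes the QR code has already been decoded to text by the camera app, and the allowlist of official hosts is a constructed example.

```python
"""Classify a decoded QR payload before the user acts on it."""
from urllib.parse import urlsplit

# Constructed allowlist: the hosts the organisation prints on its own
# posters, packaging and business cards (hypothetical values).
OFFICIAL_HOSTS = {"example.com", "pay.example.com"}

# QR payloads that trigger a phone action (call, SMS, join Wi-Fi)
# instead of opening a page, so the usual address check does not apply.
ACTION_SCHEMES = {"tel", "sms", "smsto", "mailto", "wifi"}


def classify_qr_payload(payload: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'warn' or 'block'.

    Mirrors the advice above: the destination must be an official
    address, spelled exactly, with no look-alike trick hiding the real
    host inside a long host name.
    """
    text = payload.strip()
    scheme = text.split(":", 1)[0].lower() if ":" in text else ""
    if scheme in ACTION_SCHEMES:
        return "warn", f"{scheme}: payload triggers a phone action, not a web page"
    if scheme not in ("http", "https"):
        return "block", "payload is not a web address"
    parts = urlsplit(text)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "block", "no host in URL"
    if scheme != "https":
        return "block", "plain http: the page cannot be authenticated"
    if parts.username or parts.password:
        return "block", "text before '@' in the URL hides the real host"
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return "block", "internationalised host (possible look-alike domain)"
    # Exact match or a sub-domain of an official host. A host that merely
    # *starts* with an official name (example.com.evil.test) is rejected.
    if host in OFFICIAL_HOSTS or any(host.endswith("." + h) for h in OFFICIAL_HOSTS):
        return "allow", "official host"
    return "block", f"host {host!r} is not an official address"


if __name__ == "__main__":
    # Constructed sample payloads, as a camera app would decode them.
    for sample in ("https://pay.example.com/invoice/123",
                   "https://example.com.evil.test/login",
                   "https://example.com@evil.test/",
                   "WIFI:T:WPA;S:lobby;P:secret;;"):
        print(sample, "->", classify_qr_payload(sample))
```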


Professional protection against Quishing

By integrating mobile terminals into their environment, or allowing personal smartphones to be used for business purposes (BYOD), companies are becoming attractive targets for Quishing attacks. In the face of this growing threat, an effective approach is to adopt a Mobile Threat Defense (MTD) solution.

MTD acts in real time, detecting malicious links before the user can interact with them or provide sensitive information. This solution offers comprehensive protection, covering not only Quishing but also classic phishing and smishing (SMS phishing). In addition, mobile fleet protection extends to the detection and prevention of threats from applications (malicious and intrusive), the network (open WiFi, Man-In-The-Middle attacks, etc.) and the system (out-of-date OS, configuration manipulation, etc.).


Quishing, taking advantage of QR codes, is a growing threat. Hidden behind the apparent simplicity of QR codes, attackers take advantage of the trust placed in these ubiquitous codes.

Quishing is more complex to detect than traditional phishing, and requires greater vigilance. Good practices, such as distrusting QR codes and checking redirects, are crucial to guarding against this threat.

Professional protection against Quishing requires the adoption of advanced solutions such as MTD (Mobile Threat Defense), which detects malicious links before the user interacts with them. This way, companies and individuals can strengthen their digital security in the face of this dangerous trend in online attacks.