Call Us : IDN +62-21-572-4712 – JPN +81-048-553-4655
  Call Us : IDN +62-21-572-4712 – JPN +81-048-553-4655
  Call Us : IDN +62-21-572-4712 – JPN +81-048-553-4655
  Call Us : IDN +62-21-572-4712 – JPN +81-048-553-4655

Outsmarting Quishing Scams: Your Step by Step Guide to Online Safety

Scammers are always devising new methods to exploit individuals in the digital era. One such method is through QR codes, which is a convenient way to access information and process payment swiftly yet can also be used maliciously.

When you use your mobile device camera to scan a QR code, the QR reader on your phone recognizes the code and redirects you to the URL of the website, PDF file, movie, etc. This basic technology is very secure because the QR code itself does not collect any personal information or track you in real-time. 

Despite this, scammers continue to exploit QR codes for phishing schemes with a deceptive tactic commonly known as “Quishing”.

Be Vigilant! What is Quishing?

The word “Quishing” itself is a combination of “QR” and “phishing”. Similar to phishing attacks, quishing is an extension which uses a QR code to deliver the URL instead of a hyperlink to a fraudulent or malicious website intended to manipulate users into :

1. Giving away personal information or financial details

2. Stealing their login credentials, or;

3. Infecting their devices with malware.

The increased frequency of this form of attack is mainly because most security systems only scan for malicious links and attachments, but by embedding a QR code in the email, they are often classified as harmless since embedded image cannot be detected.

A Look at Examples: How Quishing Works?

Case 1: Microsoft Look-Alike Page

In this particular quishing, the scammer impersonates Microsoft Support and emails the targets, encouraging the recipient to scan the QR code using their mobile camera for “connecting” MFA method to their Microsoft account in order to reset their password because of a security breech.

Fallen users are then directed to a fraudulent Microsoft login page, where login credentials are stolen.

There is absolutely no written content and textual data in the email body; the text, logos, and QR code are all actually a single image.

QR Code Embedded Within the Email Body as an Image

Case 2: Emails with Attachments

Using social engineering techniques, emails with malicious attachments may be sent by scammers pretending to be important documents or invoices. By opening these attachments, you run the risk of infecting your device with malware and losing all data.

Scan at Your Own Risk! How to Prevent Quishing?

Given that mobile phones tend to be less secure than the rest of the company’s network, scanning QR codes can be more dangerous than clicking on malicious URLs.

  1. NEVER SCAN A QR CODE FROM AN UNFAMILIAR SOURCE: This is crucial. Phishing through QR codes can easily bypass traditional defences mostly due to the inability to read the contents of embedded images.
  2. THINK BEFORE YOU SCAN: If you receive a QR code from a trusted source via email, always double-check the legitimacy – e.g., sender’s email address, domain, and contact information.
  3. Look for Red Flags: Be cautious of urgent messages, appeals to emotions, misspelled words, or requests for personal information.
  4. Use Antivirus Software: Install reliable antivirus software and keep it updated. Microsoft has been working on how to encounter this quishing risk and is currently developing queries to detect image attachments in emails. Consult with your IT Partner for further implementation.
  5. Enable Multi-Factor Authentication (MFA): Implement MFA to your accounts for extra layers of security as well as considering strong password policies.
  6. Avoid Jailbroken Devices: Although it may seem tempting to remove software restrictions in order to install third-party applications or unlock additional features, doing so frequently exposes the device to mobile security threats.

Taking Action After Falling Victim to Quishing: What to Do?

Failing to take action after is worse than falling victim to an attack. Here’s what you should do if, despite your company’s best measures, you or a member of your team becomes a victim of a phishing assault.

  1. Go offline immediately. Disconnect your devices from the internet to prevent other devices in the network from being infected and block further attempts from the scammer to remotely access your data.
  2. Change all account credentials. Especially emails, social media and online banking, including digital wallets and other sensitive financial applications.
  3. Report the incident to your IT Consultant, which will consequently report to legitimate entity like Microsoft and relevant cybersecurity authorities, so then your system can be scanned by Microsoft Analytics.
  4. Once you are clear, restore backups and monitor your accounts for suspicious activities.

The Bottomline

Quishing is a sophisticated new form of deception that exploits negligence and urgency. By staying alert, being cautious with emails and attachments, and following the preventative measures outlined in this newsletter, you can significantly reduce the risk of falling victim to quishing. Do not hesitate to contact us at WalkBrains to find out more about this threat and if you do encounter a quishing attempt, swift action and reporting are keys to mitigating the potential damage.

× Contact Us