
Scammers keep devising new ways to exploit people in the digital era, and QR codes are one of them: a convenient way to reach information and make payments quickly, and just as convenient a way to deliver a malicious link.
When you scan a QR code with your phone camera, the QR reader decodes the data stored in the pattern, usually a URL, and opens it (or offers to open it) in the browser or the matching app: a web page, a PDF file, a video, and so on. The code itself is inert: it neither collects personal information nor tracks you. The risk lies entirely in the destination encoded in it, which you cannot read from the pattern itself.
That is exactly what scammers exploit when they use QR codes for phishing, a tactic commonly known as “Quishing”.
The word “Quishing” combines “QR” and “phishing”. It works like ordinary phishing, except that the link to the fraudulent or malicious website is delivered as a QR code rather than as a clickable hyperlink, with the aim of manipulating users into:
This form of attack is on the rise largely because most email security systems inspect the links and attachments in a message, and a URL hidden inside a QR code is neither: to the filter it is just an embedded image. Unless the gateway decodes QR codes out of images, the message is evaluated as if it contained no link at all and is often classified as harmless.
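The following is an added example, not code from the newsletter or from WalkBrains, showing what a link scanner actually gets to see and a triage rule that closes the gap: it parses a message, collects the URLs present in its text parts, counts the text a human would read, and flags messages whose body is really one inline image, the pattern described under Case 1 below. The two sample messages are constructed; the “image” is a placeholder 1x1 PNG standing in for a QR code, and the lure keyword list and the 40-character threshold are assumptions to tune for your own mail.

```python
"""Triage heuristic for quishing e-mails (added example, not the newsletter's code).

Messages whose body is a single inline image carry no URL a link scanner can see;
this flags them so the image parts can be sent to a QR decoder or quarantined.
"""
import email
import re
from email import policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")
# Assumption: subject words typical of MFA/password lures; extend for your environment.
LURE_WORDS = ("mfa", "password", "verify", "expire", "security", "scan", "action required")

# Constructed sample 1: the Case 1 pattern, an HTML body that is only an inline image.
# The base64 payload is a placeholder 1x1 PNG, not a real QR code.
QUISHING_SAMPLE = b"""\
From: "Microsoft Support" <support@example.invalid>
To: user@example.invalid
Subject: Action required: connect your MFA method
MIME-Version: 1.0
Content-Type: multipart/related; boundary="rel"

--rel
Content-Type: text/html; charset="utf-8"

<html><body><img src="cid:qr-image" alt=""></body></html>
--rel
Content-Type: image/png
Content-ID: <qr-image>
Content-Transfer-Encoding: base64

iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==
--rel--
"""

# Constructed sample 2: an ordinary plain-text message with a visible link.
BENIGN_SAMPLE = b"""\
From: IT Helpdesk <helpdesk@example.invalid>
To: user@example.invalid
Subject: Password policy reminder
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Reminder: passwords rotate on the first of the month.
Policy document: https://intranet.example.invalid/policies/password
"""


def visible_text(msg: EmailMessage) -> str:
    """Text a reader (and a URL scanner) actually sees: all text/* parts, tags stripped."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()
        if part.get_content_subtype() == "html":
            body = TAG_RE.sub(" ", body)
        chunks.append(body)
    return " ".join(" ".join(chunks).split())


def extract_urls(msg: EmailMessage) -> list[str]:
    """What a conventional link filter inspects: URLs written in text parts only."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def inline_image_parts(msg: EmailMessage) -> list[EmailMessage]:
    """Image parts rendered inside the body (referenced by Content-ID or marked inline)."""
    return [
        p for p in msg.walk()
        if p.get_content_maintype() == "image"
        and (p.get("Content-ID") or p.get_content_disposition() == "inline")
    ]


def triage(raw: bytes) -> dict:
    """Return the scanner's view of a raw RFC 5322 message plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text = visible_text(msg)
    urls = extract_urls(msg)
    images = inline_image_parts(msg)
    subject = str(msg.get("Subject", "")).lower()
    reasons = []
    if images and len(text) < 40:
        reasons.append("body-is-image")      # text, logos and QR all inside one picture
    if images and not urls:
        reasons.append("no-scannable-url")   # the link filter had nothing to check
    if any(word in subject for word in LURE_WORDS):
        reasons.append("lure-subject")       # informational on its own, never a verdict
    verdict = "review-qr" if "body-is-image" in reasons else "ok"
    return {"text_chars": len(text), "inline_images": len(images),
            "urls": urls, "reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("quishing", QUISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, triage(raw))
```

A “review-qr” verdict is the hand-off point: in a real pipeline the flagged image parts go to a QR decoder (for example a zbar-based one) so that the recovered URL can run through the same reputation checks as a written link, and the message is held until that happens.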
Case 1: Microsoft Look-Alike Page
In this quishing campaign, the scammer impersonates Microsoft Support and emails the targets, urging them to scan the QR code with their phone camera in order to “connect” an MFA method to their Microsoft account and reset their password after a supposed security breach.
Users who comply are taken to a fraudulent Microsoft look-alike login page, where their credentials are harvested.
There is no written text in the email body at all; the text, logos and QR code are a single image.
QR Code Embedded Within the Email Body as an Image
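Once the QR code has been decoded, the destination URL is the only thing that tells a real Microsoft sign-in page from a look-alike. The following is an added example, not from the newsletter or from WalkBrains, of the checks a practitioner would apply to a decoded URL before anyone opens it; it generalizes beyond this case to the usual look-alike tricks (brand name in a foreign hostname, digit-for-letter substitutions, punycode labels, raw IP hosts, user-info tricks). The trusted-domain list and brand keywords are assumptions for a deployer to maintain, and all sample URLs are constructed on reserved documentation names.

```python
"""Vet the URL a QR decoder returns (added example, not the newsletter's code)."""
import ipaddress
from urllib.parse import urlsplit

# Assumption: the registrable domains behind Microsoft's real sign-in pages.
# A deployer maintains this list; anything not under it is at best "unknown".
TRUSTED_DOMAINS = ("microsoft.com", "microsoftonline.com", "live.com")
# Brand words that have no business appearing in an untrusted hostname.
BRANDS = ("microsoft", "office", "outlook")
# Two de-leetspeak tables, because "1" is used for both "l" and "i".
_TABLES = (str.maketrans("013457", "oleast"), str.maketrans("013457", "oieast"))


def _is_trusted(host: str) -> bool:
    """Exact match or a subdomain of a trusted registrable domain (no loose substring)."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def _looks_like_brand(host: str) -> bool:
    """True if the hostname spells a brand name, possibly with digit substitutions."""
    for table in _TABLES:
        plain = host.translate(table).replace("-", "")
        if any(brand in plain for brand in BRANDS):
            return True
    return False


def vet_decoded_url(url: str) -> dict:
    """Classify a decoded URL as trusted, suspicious (with reasons) or unknown."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    if _is_trusted(host):
        return {"host": host, "verdict": "trusted", "reasons": []}
    reasons = []
    if parts.scheme != "https":
        reasons.append("not-https")
    try:
        ipaddress.ip_address(host)
        reasons.append("ip-literal-host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode-label")     # IDN homograph, e.g. a Cyrillic "o"
    if _looks_like_brand(host):
        reasons.append("brand-in-hostname")  # the brand is in the name, not the owner
    if parts.username is not None:
        reasons.append("userinfo-in-url")    # https://login.microsoftonline.com@evil.example
    verdict = "suspicious" if reasons else "unknown"
    return {"host": host, "verdict": verdict, "reasons": reasons}


# Constructed inputs: the first is a real sign-in host, the rest are look-alike patterns.
SAMPLE_URLS = (
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://login.microsoftonline.com.verify-account.example/mfa",
    "https://m1cr0soft-support.example/reset",
    "http://192.0.2.10/login",
    "https://login.microsoftonline.com@evil.example/",
    "https://docs.example/",
)

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", vet_decoded_url(u))
```

“Unknown” is a deliberate third answer: a URL that is not known-bad but also is not the brand the lure claims to be should still stop a user who was told they were about to sign in to Microsoft.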
Case 2: Emails with Attachments
Using social engineering, scammers also send emails with malicious attachments disguised as important documents or invoices. Opening such an attachment risks infecting your device with malware and losing your data.
Because the phone used to scan the code is often a personal device that sits outside the company’s email and web filtering, scanning a QR code can be more dangerous than clicking a malicious link on a managed computer.
Failing to act afterwards is worse than the initial mistake. Here is what to do if, despite your company’s best measures, you or a member of your team falls victim to a phishing attack.
Quishing is a sophisticated new twist on an old form of deception, one that exploits inattention and urgency. By staying alert, treating emails and attachments with caution, and following the preventative measures outlined in this newsletter, you can significantly reduce the risk of falling victim to it. Do not hesitate to contact us at WalkBrains to find out more about this threat, and if you do encounter a quishing attempt, swift action and reporting are key to limiting the damage.