Understanding Quishing Cybersecurity Attacks

Cyber Monday is a day of increased sales and revenue for retailers. However, for CISOs, it’s also a period of heightened cybersecurity threats. In years past, CISOs were on the lookout for phishing, then smishing, and this year’s Cyber Monday threat du jour will likely be Quishing, or QR phishing. Let’s look at how criminals conduct quishing attacks, why they are likely to increase during Cyber Monday, and how both businesses and individuals can safeguard themselves against these attacks.

What Is Quishing?

Quishing is a relatively new form of cyberattack that leverages the ubiquity and convenience of QR codes to deceive individuals. In a quishing attack, scammers encode a malicious URL in a QR code. Unlike a written link, the destination is not visible until the code is scanned, so the victim has no chance to read the address before the phone opens it. When an unsuspecting user scans the QR code, they are directed to a fraudulent website that can serve malware or harvest personal information.

How Do Quishing Attacks Work?

Quishing attacks typically begin with an email campaign. Scammers send emails that appear to be from reputable companies or brands but actually come from impersonators. These emails carry a QR code that, when scanned, sends the user to a malicious website. The emails often promise discounts or special offers to entice the recipient to scan the code.

The malicious websites to which victims are led may look legitimate but often have telltale signs of fraud, such as:

  • Misspelled words
  • Poorly-designed page layouts
  • Low-quality images and/or outdated logos

These fake sites often prompt users to enter personal information or download files that infect their devices with malware. Once the scammer has captured your personal information, the quishing attack is successful.

What Are the Differences Between Phishing, Smishing, and Quishing Attacks?

Most people have heard of phishing email scams. Many have also heard of smishing scams, which target SMS text messages rather than email. During the holiday season, and particularly around Cyber Monday, criminals ramp up their phishing and smishing attacks in the hope of scamming already-frenzied online shoppers. Employees at non-retail businesses are not immune: criminals often pose as a manager or corporate executive in emails or texts that ask employees to purchase gift cards and send them the codes. Everyone should be diligent about cybersecurity, and we recommend that anyone receiving an email or text like that report it to their corporate IT security team before acting on it.

Quishing is similar to the established phishing and smishing attacks. All three try to get victims to give up personal information or to download a malicious payload for criminal purposes. There are, however, meaningful differences in how the three attacks are delivered and defended against.

The following table outlines the key differences while highlighting their attack methods, typical targets, and best practices for prevention and response:

Definition
  • Phishing: A scam that sends fraudulent emails pretending to be from reputable sources to steal personal information.
  • Smishing: A scam that uses text messages (SMS) to trick people into giving away personal information.
  • Quishing: A scam that uses QR codes embedded with malicious URLs.

Medium Used
  • Phishing: Emails that may contain links to fake websites or malicious attachments.
  • Smishing: Text messages that may include links to malicious websites or prompt for personal details.
  • Quishing: QR codes, typically sent via email or posted in public spaces.

Target
  • Phishing: Any device with access to email, such as computers, smartphones, or tablets.
  • Smishing: Mobile devices capable of receiving SMS messages.
  • Quishing: Mobile devices with a camera and QR code scanning capability.

Common Indicators
  • Phishing: Suspicious sender addresses, generic greetings, unexpected attachments, and links to fake websites.
  • Smishing: Unsolicited text messages with urgent requests for information or prompts to click unknown links.
  • Quishing: Emails with QR codes promising offers; poor design and misspellings on the landing page.

Preventive Measures
  • Phishing: Use email filters, verify sender information, and never click unsolicited links or attachments.
  • Smishing: Don't respond to or click links in unsolicited texts, use a number-blocking app, and verify the sender's identity.
  • Quishing: Avoid scanning QR codes from unknown sources and confirm the site's identity before entering information.

Impact to Business
  • Phishing: Can result in significant data loss and financial fraud.
  • Smishing: Can compromise personal and business information, leading to fraud or unauthorized account access.
  • Quishing: Can lead to data breaches if employees scan malicious QR codes.

Response When Attacked
  • Phishing: Report phishing emails, change compromised passwords, and monitor accounts for unusual activity.
  • Smishing: Alert your service provider, change passwords, and monitor for identity theft or fraud.
  • Quishing: Change passwords, secure financial accounts, and enable two-factor authentication.

It’s important to note that while the methods of delivery differ, the goal of these attacks is often the same: to steal personal information or gain unauthorized access to accounts.

How Can You Avoid Quishing Attacks?

As Cyber Monday approaches, a time when online shopping hits its peak, it's important to be extra vigilant about cybersecurity threats. Quishing attacks are likely to increase, by an estimated 50%, this holiday season. You can protect yourself with these five tips:

  1. Scrutinize Emails: Cyber Monday deals flood our inboxes, but so do potential quishing attempts. Check emails carefully for the usual signs of a scam, such as generic greetings, misspelled words, and a sender address that does not match the brand.
  2. Verify QR Codes: With offers aplenty, scammers may send QR codes via email promising incredible deals. Treat a QR code exactly as you would a link: if you cannot verify the sender, do not scan it. A legitimate retailer can send you a plain link or tell you to type the address yourself.
  3. Check Website Security: Before making any purchase, confirm the site is using "https" and shows the lock icon. Keep in mind that the lock only means the connection is encrypted; scam sites obtain certificates too, so also read the domain in the address bar and confirm it is the retailer's own, not a lookalike.
  4. Avoid Entering Personal Information: If a QR code leads you to a website that asks for credentials, card details, or other sensitive data, stop and double-check its legitimacy before typing anything in.
  5. Enable Two-Factor Authentication: For all your accounts, especially those involving financial transactions, enable two-factor authentication for an extra layer of security.

Protecting Employees From Quishing

Quishing attacks are quickly becoming as significant as phishing attacks, so it’s crucial to be aware of potential threats that could impact business operations.

To safeguard your business, train all employees never to scan QR codes received via email. Remind employees of the established processes your partners and suppliers use for connecting to extranet portals and other business-to-business online transactions, and make clear that QR codes are rarely, if ever, used for account verification in those workflows. A request to scan a code to "verify" an account should be treated as a red flag and reported.

While QR codes are prevalent in the digital world, it's also best to avoid scanning random QR codes you come across in public spaces. That means not scanning the code on a flyer hastily printed on a cheap inkjet and taped to a lamppost outside a subway station. Of course, this doesn't mean you shouldn't scan QR codes in controlled environments such as a business conference, unless you're attending a cybersecurity conference, in which case it's on you to be smart about what you scan. Regardless, always err on the side of caution.

Blue Mantis Cybersecurity & Risk Management Teams Can Help

Quishing attacks will increase on Cyber Monday and into the holiday season, but there are steps businesses can take beyond just the tips outlined above. Blue Mantis Cybersecurity & Risk Management experts can work with your business to design and deploy a comprehensive solution to combat quishing, phishing, smishing, and other attacks that can disrupt your operations. Connect with one of our experts to see how we can protect your employees against cybersecurity threats.

Rob Fitzgerald

Field CISO Cybersecurity & Risk Management

Rob is the Field CISO of Blue Mantis and the former founder/CEO of Arcas Risk Management (acquired by Blue Mantis in March 2023). Rob specializes in cybersecurity consulting with a focus on developing and implementing cost effective, enterprise-class solutions for organizations of all sizes. He is passionate about developing cybersecurity talent while ensuring organizations of any size have access to experienced cybersecurity, risk management, and compliance resources.