Cybercriminals have always been adept at abusing the latest technological developments in their attacks, and weaponizing QR codes is one of their most recent strategies. QR codes have grown in popularity as a method for digital information sharing due to their ease of use and functionality.
However, their widespread use has created a new channel for phishing attempts, namely QR code phishing (or quishing). With the NCSC recently warning of an increase in these attacks, businesses must grasp how QR codes can be used to compromise staff and what they can do to effectively protect against these rising threats.
Leaders at risk from QR code attacks
Quishing attacks, like traditional phishing campaigns, typically attempt to steal credentials by social engineering, in which an email is sent from a supposedly trusted source and uses urgent language to persuade the target to perform a specific action.
In a quishing attack, the target is frequently induced to scan a QR code disguised as a fake prompt, such as updating an expired password or examining a critical file. The malicious QR code will then direct visitors to a counterfeit login page, prompting them to enter - and ultimately expose - their credentials.
CEOs and senior executives, who have the system access, are naturally appealing targets due to the high value of account credentials. In fact, the study discovered that C-Suite members were 42 times more likely than other employees to receive QR code phishing assaults.
Quishing attacks mainly follow the same standard phishing strategy, in which social engineering is employed to control the victim's actions. However, when it comes to QR code phishing, cybercriminals appear to prefer two methods.
Data collected in the second half of 2023 revealed that QR codes were most commonly used in false notifications for MFA activity (27% of all QR assaults) and shared documents (21%). Whatever the explanation for the malicious code, the majority of QR assaults security experts detected are credential phishing attempts.
Prevention tips
The best defence is to keep these attacks from reaching their intended targets at all. However, it is becoming increasingly evident that these new phishing schemes outperform secure email gateways (SEGs) and other legacy email systems. Unfortunately, these safeguards were not intended to thoroughly detect QR code threats or assess the code's destination.
Businesses need to be aware that new threats like QR codes will outsmart many of the classic security solutions, forcing them to switch to more contemporary, dynamic strategies like AI-native detection technologies.
