Table of Contents
QR codes are everywhere these days. These matrix barcodes take users virtually anywhere online when scanned with a smartphone’s camera or a scanning device. From restaurant menus to concert tickets, they’ve become a convenient way to access information and make contactless payments. But with this convenience comes a growing security threat, called the quishing attacks.
The convenience and popularity of QR codes make them a prime target for cybercriminals. According to a recent report, QR code-based payments are expected to attract millions of users by 2025, with an equivalent of 29% of global smartphone users and equaling to $2.71 trillion.
This emerging threat in the cybersecurity landscape is exploiting human trust because around 80% of US users trust QR codes and they never expect that a simple QR code scan could potentially exploit them.
The Broader Context: Phishing and Social Engineering
Quishing is just one type of social engineering attack, a broader category that includes phishing, smishing (phishing via SMS), and vishing (phishing via phone calls). All these attacks aim to trick victims into divulging personal information, such as login credentials or credit card numbers.
As highlighted by Griff Harris, the president and CEO of Griffith E Harris Insurance Service while talking to PureVPN, “Scammers leverage QR codes to direct people to malicious websites, making it easy to fall victim if you’re not vigilant.”
Scammers create a sense of urgency or offer enticing rewards to trick you into scanning the QR code. Once you scan, you could be directed to a website that looks legitimate but is designed to steal your login credentials, financial information, or other sensitive data.
Source: Egress: Phishing Threat Trends, April 2024
In 2023, social engineering attacks that didn’t involve traditional payloads like malware attachments or hyperlinks saw a significant rise, accounting for nearly 19% of all phishing attacks.
This increase is partly attributed to the use of generative AI, which allows scammers to craft more convincing and personalized messages. Moreover, Robert Barrows, president of R.M. Barrows, Inc. Advertising and Public Relations discusses the Heinz scandal, “In the Heinz case, a person had scanned a QR code about a contest that had already expired, and the old QR code now connected to a website that was a porn site.”
Source: Egress: Phishing Threat Trends, April 2024
The Evolution of QR Code Phishing
The resurgence of quishing attacks coincides with the increased use of QR codes during the COVID-19 pandemic. Initially used for contactless payments and digital menus, QR codes quickly became a common tool for accessing information and services. However, this convenience also made them a target for cybercriminals.
Cameron Lee, CEO of ACCURL, also shared his personal experience.
“A few months ago, I received a QR code on what seemed to be an official-looking email from a supplier. The QR code was supposed to lead to a technical specification document. Given our constant pursuit of the latest technologies and improvements, I decided to scan it,” he told PureVPN. “Immediately, I realized something was off. Instead of the usual supplier’s website, I was redirected to a generic login page asking for my credentials.”
QR code manipulation can occur both digitally and physically. For instance, scammers might send an email with a QR code that directs victims to a counterfeit website. Alternatively, they might place stickers with altered QR codes on public posters or advertisements. When scanned, these fake QR codes can capture sensitive data or direct payments to fraudulent accounts.
Read more: Watch out! QR codes becoming cemented to phishing attacks
Phishing’s Deceptive Cousin – Quishing Attacks
Source: Keepnet
Another concerning trend is the increasing use of social engineering in phishing attacks overall. In 2023, nearly one-fifth of phishing attempts relied solely on social engineering, often using tactics enabled by generative AI. This highlights the growing sophistication of cybercriminals and the need for heightened vigilance.
Read more: Don’t scan QR code before reading this guide
The Rise of Quishing Attacks
Source: Keepnet
Quishing attacks, a portmanteau of “QR” and “phishing,” are sophisticated forms of phishing that use QR codes to deceive individuals. The QR code dates back to 1994 but gained prominence in 2020 as the world switched to a contactless lifestyle as a preventive measure against COVID-19.
Unlike traditional phishing, which often involves deceptive emails or websites, quishing uses QR codes to direct victims to malicious sites, install malware on their devices or steal sensitive data. This modern twist on phishing takes advantage of the widespread use of QR code scanners and the inherent trust users place in these codes.
Source: Keepnet
In recent years, the incidence of quishing attacks has skyrocketed. According to a report, in 2023, QR scan scams have surged to 12.4% and have continued at 10.8% into 2024. This dramatic increase highlights how cybercriminals are effectively leveraging the technology to exploit consumer familiarity and complacency.
Mark McShane, Founder of Cupid PR, shared his personal experience while talking to PureVPN, “A few months ago, I encountered a suspicious QR code while attending a conference. It was part of a promotional flyer, seemingly harmless. However, upon scanning, I was redirected to a site that immediately raised red flags. Thankfully, I exited quickly and reported it to the organizers, but it was a stark reminder of the hidden risks associated with QR codes.”
How Scammers Exploit Common Places to Steal Your Information
The following tactics are designed to create panic and prevent you from taking a second look. The fake QR codes can be found in a variety of places, including:
- Emails
A scammer might send you an email with a QR code, claiming there’s an issue with your account or offering a fake discount. Scanning the code could take you to a spoofed website designed to steal your login credentials, credit card numbers, or other personal information (PI).
- Social Media
Malicious QR codes might be embedded in social media posts, promising exclusive content or free trials. Scanning them could lead you to malware-laden websites or phishing attempts.
- Public Places
Criminals have been known to place stickers with fake QR codes over legitimate ones on parking meters, event posters, or even product packaging. Scanning these could result in stolen payment information or lead you to a fake website.
Moreover, according to Ivanti research, 43% of respondents have scanned a QR code in the past week. That’s not all, 83% of global users opt for the QR payment method.
“During a penetration test for a client, we encountered a scenario where a seemingly harmless QR code on a poster in their workspace led to a phishing site designed to capture login credentials. This incident underscored the importance of rigorous security protocols and demonstrated how easily people can be deceived,” Philipp Staiger, Co-founder & COO of Priverion, told PureVPN.
How Quishing Attacks Work
Quishing attacks typically start with a seemingly innocent QR code. Scammers might cover legitimate QR codes on parking meters with their own or send QR codes via text messages or emails.
These QR codes often lead to spoofed websites designed to steal sensitive information. For example, a fake QR code might direct you to a site that looks like your bank’s login page, tricking you into entering your email address and password.
Here are some common scenarios where quishing attacks occur:
- Package Delivery Scams
You receive a message claiming there was an issue with your package delivery, urging you to scan a QR code to reschedule.
- Account Problems
Scammers pose as legitimate companies, warning you of suspicious activity and asking you to scan a QR code to verify your account.
- Urgent Security Alerts
You get an alert about a supposed security issue with your account, prompting you to scan a QR code to change your password.
Rajesh Namase, co-founder and professional tech blogger at TechRT, further highlights the need for individuals to take precautionary measures.
“People should follow best practices to avoid falling for ‘quishing’ scams. For example, they should check the QR code’s source before scanning it, only use trusted scanning apps with built-in security features, and stay away from QR codes they get in emails or texts they didn’t ask for,” he told PureVPN.
These tactics create a sense of urgency, compelling victims to scan the QR code without thinking. Once the code is scanned, it can lead to a spoofed site where scammers harvest sensitive data, or it might download malware that steals information from your device.
Read more: QR Codes to Steal Your Money: Beware While Parking Cars
The Impact and Statistics of Quishing Attacks
The impact of quishing attacks on cybersecurity teams globally has been profound. The shift from traditional phishing methods to QR code-based attacks demonstrates how adaptable and innovative cybercriminals can be. The statistics speak for themselves:
QR code phishing growth surged from 0.8% of phishing attacks in 2021 to 12.4% in 2023. According to Keepnet labs, in 2024, Quishing statistics revealed a concerning rise in these types of QR code attacks. A total of 8,878 quishing incidents took place. Out of these, only 36% of QR code phishing attacks were accurately identified. Moreover, June witnessed the peak of this trend, with 5,063 reported cases of QR scams.
Source: Keepnet
According to the report, the Energy sector is the most vulnerable, receiving 29% of over 1,000 malware-infested phishing email QR codes. These QR code phishing statistics also show that manufacturing, insurance, technology, and financial services sectors are also at high risk, indicating a strategic focus by cybercriminals on sectors they perceive as either more lucrative or vulnerable.
Source: Keepnet
Executives experienced 42 times more QR code phishing attacks than the average employee. This alarming quishing statistic underscores the heightened risk that high-ranking professionals face in the digital landscape. Cybercriminals target executives due to their access to sensitive information and decision-making power within organizations.
Staying Safe in a QR World
Source: Keepnet
Don’t become another victim of quishing! Here are some steps you can take to protect yourself:
1. Don’t Scan Blindly
Before scanning any QR code, especially one from an unknown source, take a moment to question its legitimacy. Instead of scanning a QR code, verify the website address it leads to and manually type it into your browser.
2. Inspect the Source
If you receive a QR code in an email, text, or social media post, be wary of the sender. Don’t scan codes from unknown or suspicious sources. Please, don’t scan it, until and unless you completely trust the person or company.
3. Think Before You Click
Even if the QR code seems legitimate, don’t enter any personal information on a website you reach through a scan. There are chances that it is a phishing website and you could lose your personal and sensitive data.
4. Invest in Security Solutions
Consider security software with QR code scanning capabilities that can warn you of potentially malicious links.
5. Stay informed
Educate yourself about the latest phishing tactics, including quishing. The more you know, the better equipped you are to protect yourself. Moreover, legitimate companies won’t ask you to update your login credentials or financial information through a QR code.
6. Secure Devices
Keep devices and software updated to protect against malware that could be installed through quishing attacks.
By staying vigilant and adopting these simple security measures, you can navigate the world of QR codes safely and avoid falling victim to quishing scams. Remember, your personal information is valuable, so don’t let it be “fished” away by a malicious QR code.
The Future of Quishing
Quishing and QR code scams are becoming more sophisticated, and cybercriminals are increasingly relying on social engineering tactics and artificial intelligence to bypass traditional security measures.
Quishing attacks represent a significant threat in the evolving landscape of cybersecurity. By exploiting human trust in QR codes, scammers can steal sensitive data, including login credentials, financial information, and personal details.
As the use of QR codes continues to grow, so too does the need for vigilance and robust security measures. Understanding the tactics used in quishing attacks and staying informed about the latest trends in cybersecurity can help individuals and organizations protect themselves from these sophisticated threats.
Remember, if something seems too good to be true, it probably is. Don’t let a seemingly harmless QR code become your gateway to a cybersecurity nightmare.
For more updates on the latest cybersecurity threats and tips to stay safe online, follow PureVPN Blog.
Read more: How Deepfake is Becoming the Greatest Threat to Social Media Influencers