Quishing Campaigns Spike 50% in September
Security researchers have detected a double-digit percentage increase in incidents involving QR code phishing (quishing), as cyber-criminals exploit employee use of personal devices lacking enterprise protection.
The figures come from ReliaQuest analysis of customer incidents in its new Threat Spotlight Report. The threat intelligence vendor claimed to have seen 51% more incidents in September than in the whole of the period from January to August 2023.
ReliaQuest also spotted increased interest in the tactic on cybercrime forums, with members sharing links to QR code generators and articles about quishing techniques, as well as sharing tips such as sending QR codes via Telegram to direct victims to crypto phishing sites.
The report claimed that quishing takes advantage of “user ignorance and the lack of enterprise protection on personal devices that are often used to scan codes,” adding that the trend will only continue to grow.
Read more on QR code phishing: Police Issue “Quishing” Email Warning
The report highlighted four techniques fraudsters are using to make their quishing campaigns more successful:
- Pressuring targets via legitimate-looking phishing emails, which usually feature an explicit sense of urgency or warning of negative consequences if the user doesn’t scan the embedded QR code
- Masquerading as legitimate organizations in these emails and associated phishing pages. The scammer will often either hijack a legitimate email account in the spoofed organization or forge the sender address
- Hiding QR codes in PDF or JPEG email attachments. This tactic was used in 12% of the incidents seen by ReliaQuest. Although there’s typically a lower success rate for the scammers, they’re banking on the fact that security tools can’t extract embedded URLs from image files, so these emails will sail through defenses
- Domain redirection, which ReliaQuest noted in 18% of the cases it investigated. In many cases, the URL which the QR code will take the user to is a malicious domain, designed to appear legitimate through typosquatting techniques
The report urged organizations to mitigate the quishing threat through enhanced employee education and discouraging QR code-scanning on personal devices. Customized inbox rules and QR code-scanning apps that flag malicious redirects could also help, it claimed.