Understanding The Threat Of QR Codes & Quishing

Most organizations have security controls in place to inspect URLs in emails to prevent the risk of credential phishing and business email compromise (BEC) attacks. However, adversaries have pivoted their tactics in order to bypass these controls.

Is your organisation ready to adapt to this new challenge?

Unwanted Emails

Organizations have been dealing with unwanted emails for over 20 years. They must find a balance between letting genuine business emails enter the organization and preventing unwanted emails from reaching inboxes. This is easier said than done when the methods used by adversaries are constantly evolving. 

Quishing (QR code phishing) is currently high on the agenda for many organizations as it represents a risk that can bypass existing security controls, therefore the protection relies on the recipient fully understanding the threat and not taking the bait.

How Phishing Works

Attackers attempt to steal login credentials or other useful information from employees by setting up fraudulent websites that mimic the ones they use for their daily activities. For cloud services, it’s relatively easy to convince an employee that they need to enter their organization’s credentials in order to access a website from a URL they have received.     

If an attacker can entice an employee to visit a fraudulent website and enter their credentials, then the attacker can immediately use those credentials to gain access to the organization’s IT resources.

This process can even be automated, so that within seconds of the credential being given, the account has been taken over, the password has been changed, and often 2FA has been enabled on the account to lock out the original user.

Clicking on malicious URLs is still one of the top risks for account takeovers. According to data from Fortra’s PhishLabs in Q2 2023, more than three-quarters of credential theft email attacks contained a link pointing victims to malicious websites.  

What is Quishing? 

Quishing is merely an extension of these phishing attacks. Instead of a hyperlink to a fraudulent or malicious website, the attacker uses a QR code to deliver the URL. Since most email security systems are not reading the contents of the QR codes, it is difficult to prevent the ingress of these messages, hence the rise in the prevalence of this type of attack. 

How to Prevent Quishing Attacks

As with most IT challenges, there is no single answer. A holistic approach that covers people, process and technology will give organizations the best chance of mitigating these types of attacks.

Train Employees

As a high priority, employees should be trained to recognise malicious emails. Training should be ongoing and presented in bite-size modules that are easy to digest and learn from. This should be supplemented with testing/simulation to allow users to see what they have (or have not) learned, and how they can improve. Gamification of challenges and results can be used to engage and improve trainee performance.

It's important there’s a “no-blame” culture – if an employee receives a link (either real or simulated) and they click on it by accident and subsequently realise their mistake, they should feel empowered to notify and give security teams an opportunity to mitigate the risk without fear of repercussions. In a culture of blame, employees will attempt to conceal mistakes and this potentially leads to far greater consequences for the organization.

Reporting Process

Employees should have a clear process for reporting any suspicious emails they receive. These emails need to be evaluated by security experts, and if a risk is identified, it needs to be mitigated quickly. 

Many organizations will encourage employees to report these emails but lack the resources or skills to investigate them effectively. If possible, subscribe to a service that specialises in suspicious email analysis and give employees an easy mechanism to report emails to this service. The service will then expedite emails to the security operations teams for remediation (for example, it might be necessary to retract known emails from all user inboxes). 

In addition, it’s important that the employee is also notified of the result of the analysis (positive or negative) and thanked for making the report. Engaging employees this way will make them more inclined to pay attention to what they are clicking on and report future suspicious emails.

Technology Prevention 

Email security systems should scan for known malicious URLs in incoming emails. Ideally the systems will combine a number of intelligence sources to automatically detect URLs that are known to be “bad” or present a suspicious pattern (for example, uses an IP address instead of a hostname). Once an unwanted URL is detected, the delivery of the email is either completely prevented, or the URL is removed from the email or attachment, effectively “disarming” it before delivery. In light of the quishing risk, this scanning should be extended to URLs which are encoded in QR codes.

Digital Risk Protection (DRP)

Another service to consider is a Digital Risk Protection (DRP). DRP monitors the Internet for websites used in credential theft phishing and takes them offline. This is a proactive service that reduces risk and prevents phishing attacks before they can happen. 

Close the Vulnerability Gaps

Malicious URLs have been a concern for several years, but the combination of the rise in credential theft phishing attacks, and the ease of creating and using QR codes with embedded malicious URLs, means that this attack vector is returning to the top of organizations’ agenda. However, with the right combination of training, processes, technology and services, organizations can reduce and manage this risk.

Conclusion

The threat of QR code phishing, known as Quishing, poses a significant challenge to organizations' cybersecurity. Adversaries are evolving their tactics, making it vital for organizations to adapt.

Preventing Quishing attacks requires a multifaceted approach, including employee training, reporting processes, and advanced email security systems. Combining these strategies, organizations can effectively mitigate the risks associated with this evolving threat.

Steve Jeffery is lead solutions engineer at cybersecurity software and services provider Fortra

Image: Pixabay

You Might Also Read: 

What Is The Difference Between Phishing, Smishing & Vishing?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Domain Phishing: Antidotes In Today’s Market
The Expensive Costs Of HIPAA Noncompliance & How To Avoid Them »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

AON

AON

Aon is a leading global provider of risk management (including cyber), insurance and reinsurance brokerage, human resources solutions and outsourcing services.

ShmooCon

ShmooCon

ShmooCon is an annual east coast hacker convention offering three days of demonstrations and discussions of critical infosec issues.

Exonar

Exonar

We enable organisations to better organise their information, removing risk and making it more productive and secure.

Cygilant

Cygilant

Cygilant is a SOC2 certified service provider that combines MSSP and Incident Detection and Response (IDR) capabilities managed by global SOCs staffed with trained security engineers.

InstaSafe Technologies

InstaSafe Technologies

InstaSafe®, a Software Defined Perimeter based (SDP) one-stop Secure Access Solution for On-Premise and Cloud Applications.

ngCERT

ngCERT

ngCERT is the National Computer Emergency Response Team for Nigeria.

Sanderson Recruitment

Sanderson Recruitment

Sanderson is a recruitment company providing expert recruitment services in areas including Cyber & Information Security.

Alpine Security

Alpine Security

Alpine Security provides penetration testing, security assessments and cybersecurity training services.

Salt Cybersecurity

Salt Cybersecurity

Salt Cybersecurity offer a four-pronged approach to information security that includes Custom Security Policy, Vulnerability Assessment, Threat Detection, and Security Awareness Training.

Microchip Technology

Microchip Technology

Microchip Technology Inc. is a leading provider of smart, connected and secure embedded control solutions.

Kontron

Kontron

Kontron offers a combined portfolio of secure hardware, middleware and services for Internet of Things (IoT) and Industry 4.0 applications.

Virtual Infosec Africa (VIA)

Virtual Infosec Africa (VIA)

Virtual InfoSec Africa (VIA) is a wholly-owned Ghanaian company specializing in information security and cybersecurity solutions and services.

Applied Insight

Applied Insight

Applied Insight work closely with government agencies and industry to overcome technical and cultural hurdles to innovation, empowering them with the latest cloud, data and cyber capabilities.

Cyex

Cyex

Cyex helps people to become cyber wise. We enable our clients to find, track and improve cyber awareness in one place.

Aztek

Aztek

Aztek is one of the UK’s leading Managed Service Providers, providing customer-focused IT, Communication and Cyber Security solutions to help transform and grow your business.

Dream

Dream

Dream is developing an AI platform that enables cyber resilience and protects nations from hostile nation-states cyber attacks.