QR Code Phishing – Quishing

October 7, 2025
John Stephens, Security+

You’ve no doubt come across a restaurant whose physical menus were at least temporarily replaced with QR codes for customers to scan with their phones. Though they were originally developed for tracking automotive parts moving through an assembly line, QR codes have seen much wider use in recent years. The Covid pandemic in 2020 accelerated adoption as businesses adapted to public-health advisories against touching shared surfaces. While QR codes themselves are not dangerous, the sites they direct people to can be.

A traditional barcode can only store a small amount of alphanumeric information, such as an identification number, and must be scanned linearly by a laser. A QR code, on the other hand, is meant to be read visually by a camera and can be scanned from any angle. Instead of a short string of letters and numbers, a QR code can carry more complex content: URLs, contact details, geolocation, payment information, calendar events, Wi-Fi credentials, and app download links. This makes QR codes very useful to both businesses and customers, but it also introduces new challenges for information security, because the person scanning cannot see where the code leads until the phone has decoded it.

Quishing, or QR phishing, has become a real-world threat that is difficult to spot. The average person cannot tell one QR code from another by looking at it, so a malicious actor can replace a publicly posted QR code with one of their own. They may also post a QR code for a service that does not exist but appears legitimate. A person may think they are using their smartphone to pay for parking in a public lot, but the site the QR code directs them to sends their payment information to the malicious actor. A recent story out of Denver illustrated this point: fraudsters placed malicious QR code stickers on parking meters, redirecting visitors to fake payment portals.

Malicious actors can also use QR codes in emails. This form of attack has gained popularity in recent years, especially against C-suite employees. Many of these attacks direct the person scanning the QR code to a site where they are prompted to enter their account credentials for services such as Microsoft and DocuSign. The malicious QR code can be embedded in the email body as an image or placed inside an attached document. Because the email may contain no clickable link at all, only an image, it can slip past email content filters that inspect URLs but do not decode images.

When prompted to use a QR code, there are steps you can take to stay safe. Treat any QR code the same as you would treat an unknown link in an email. Most camera and QR code scanning apps now show a preview of the URL the code points to before navigating to it, in much the same way that hovering over a link in a traditional phish reveals a suspicious destination. Be skeptical of any QR code you were not expecting to receive. When you see a QR code posted in a public setting, check for signs of tampering, such as a sticker placed over the original. Make certain you trust the source of the QR code before scanning, just as you would for any email that asks you to take an action.
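The two points above, that a QR code is just a link wrapped in an image and that the decoded destination should get the same scrutiny as a hovered URL, can be turned into a concrete check. The following is an added example, not code from the Neovera post or its authors: it takes the text a scanner library or phone camera has already decoded from a QR image and runs the kinds of URL checks a mail filter applies to a clickable link. The allow-list `TRUSTED_DOMAINS`, the shortener list, the `inspect_qr_payload` function and all sample payloads are hypothetical and constructed for illustration; the same function can be called from a mail gateway on decoded attachment images or from a scanner app before it opens the browser.

```python
"""Inspect a decoded QR-code payload with the checks a mail filter applies to a link.

Added example, not from the original post. It assumes the QR image has already been
decoded to a string by a scanner (pyzbar, zxing, a phone camera); only the decoded text
is handled here, so it runs on the Python standard library alone.
"""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allow-list: hosts the organisation legitimately points QR codes at.
TRUSTED_DOMAINS = {"example.com", "login.microsoftonline.com"}
# Common public shorteners: they hide the real destination from a URL preview.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
# Payload types a scanner app may act on directly (join Wi-Fi, dial, compose mail).
AUTO_ACTION_SCHEMES = ("wifi:", "tel:", "sms:", "smsto:", "mailto:", "geo:")


def _is_trusted(host: str) -> bool:
    """True when host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def _is_ip_literal(host: str) -> bool:
    """True for a raw IPv4/IPv6 address used in place of a hostname."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def inspect_qr_payload(payload: str) -> dict:
    """Classify one decoded payload.

    Returns {'kind', 'destination', 'findings', 'verdict'}; findings are
    (severity, message) pairs and verdict is 'allow', 'review' or 'block'.
    """
    text = payload.strip()
    lower = text.lower()
    findings = []

    # Action payloads have no page to preview, so a human should always see them first.
    if lower.startswith(AUTO_ACTION_SCHEMES):
        scheme = lower.split(":", 1)[0]
        return {"kind": scheme, "destination": text,
                "findings": [("medium", f"{scheme}: payload triggers a device action")],
                "verdict": "review"}

    if not lower.startswith(("http://", "https://")):
        if "://" in text or lower.startswith(("javascript:", "data:")):
            return {"kind": "uri", "destination": text,
                    "findings": [("high", "unexpected URI scheme")], "verdict": "block"}
        # Plain text (a table number, a product code): nothing to navigate to.
        return {"kind": "text", "destination": text, "findings": [], "verdict": "allow"}

    parts = urlsplit(text)
    host = (parts.hostname or "").lower()

    if parts.username is not None:
        # A brand name before '@' is what the eye reads; the real host follows the '@'.
        findings.append(("high", "userinfo before '@' disguises the real host"))
    if parts.scheme == "http":
        findings.append(("medium", "unencrypted http destination"))
    if _is_ip_literal(host):
        findings.append(("high", "raw IP address instead of a hostname"))
    if host.startswith("xn--") or ".xn--" in host:
        findings.append(("medium", "internationalised (punycode) hostname; check for lookalikes"))
    if host in URL_SHORTENERS:
        findings.append(("medium", "URL shortener hides the final destination"))

    if host and not _is_trusted(host):
        # A trusted name used as a whole label inside another host is a decoy.
        decoy = next((d for d in TRUSTED_DOMAINS if f".{d}." in f".{host}."), None)
        if decoy:
            findings.append(("high", f"trusted name '{decoy}' used as a decoy label"))
        else:
            findings.append(("medium", "host not on the allow-list"))

    if any(sev == "high" for sev, _ in findings):
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"kind": "url", "destination": text, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner would hand them over.
    for p in ["https://example.com/menu",
              "https://login.microsoftonline.com@evil.test/signin",
              "http://203.0.113.5/pay",
              "https://bit.ly/3xyz",
              "WIFI:T:WPA;S:FreeCafe;P:secret;;",
              "Table 12"]:
        r = inspect_qr_payload(p)
        print(f"{r['verdict']:6} {r['kind']:5} {p}")
```

The verdict is deliberately three-valued: "block" for patterns that are almost never legitimate in a QR code (userinfo disguises, raw IPs, brand names buried in another domain), "review" for destinations that merely hide where they lead (shorteners, unknown hosts, action payloads), and "allow" only for plain text or hosts on the allow-list. Showing the decoded destination to the user at the "review" step is exactly the preview the post recommends.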

Neovera SV (formerly 10-D Security) is an independent firm specializing in IT security and compliance for financial institutions. We help clients mitigate risk and comply with GLBA requirements, offering tailored services and expertise to strengthen cybersecurity programs.