What is Quishing?

The word “quishing” is a combination of the term “phishing” and the abbreviation “QR” and describes phishing attacks via a QR code.

Side note: What is a QR code? QR stands for “Quick Response”. It is a two-dimensional code that displays information in a highly abbreviated form and can be accessed by scanning the QR code. The codes can be read with the camera of a smartphone. The barcodes in supermarkets also work in a similar way. However, the QR code can process more information. Thus, the user can be directed to homepages, images, videos, text files, etc.

How to use a QR code?

How do cybercriminals operate?

The criminals’ motivation in quishing is no different from other phishing methods. Here, too, the focus is on tempting users to take quick, rash actions. In this way, the attackers want to obtain confidential and personal information and/or install malware on the target’s systems. As with conventional phishing, triggers are used: Urgency is created, the user is called upon to be cautious, or curiosity is sparked by the offer of exclusive knowledge or special offers.

For example, you can receive emails with QR codes about new offers, certain service add-ons, or bargains that are only for you and only for a short time.

Or you receive a message asking you to update your access data. With the QR code, you are quickly and easily redirected to the corresponding website of the supposed provider. You can also be prompted to download documents or certain files.

If victims fall for the quishing attempt and follow the prompt to scan the QR code, they may immediately download malware or enter sensitive data on a fake website, which thus also falls into the hands of the cybercriminals. The attackers can use the information for their criminal purposes, for example, by gaining access to computers, networks and systems, or by sending malware to captured contact files.

What data is in focus?

Personal information, customer data, user data, access data and also payment data are particularly interesting for attackers. As already pointed out, criminal hackers use QR codes to direct users to fraudulent websites. If the user name and password are entered there, they are also known to the cybercriminals. If the victims additionally enter payment information, this information also falls into the hands of the cybercriminals.

Where can you be confronted with quishing in everyday life?

Basically everywhere. The use and acceptance of QR codes is increasing significantly. Because they can be used easily, quickly and contactless, more and more companies are opting to use QR codes. The method is also becoming steadily more popular on the user side. More and more people know how to use them and scan the codes to retrieve offers, contact data, journey planning information, current notices, timetables or the like. Criminal hackers are taking advantage of this. Even if conventional phishing e-mails or smishing (phishing via SMS) are still more widespread at present, quishing is a growing threat.

The BSI (German Federal Office for Information Security) is currently warning against this type of attack because, for one thing, the URL behind QR codes is difficult for employees to recognize. For another, spam filters already recognize a large number of phishing emails today, but QR codes still pose challenges for the filters. IT security solutions scan attachments and URLs to filter out phishing emails. However, a QR code is often perceived as a harmless image file and thus overcomes the protective measures.

Practical example:

Currently, “quishing” is taking place in the name of Microsoft – specifically the cloud service Microsoft 365. In a first step, user data is accessed. In the second step, the affected users are then redirected to a fake, but very real-looking login page for Microsoft 365. Access data is then intercepted here and used for further cyber attacks.

How can you protect yourself from quishing?

  • Do not scan QR codes that appear in emails from unknown or untrusted senders.
  • Use a QR scanner that shows you which page you will be redirected to. Nowadays, a QR scanner is built into the cameras of all popular smartphones. It will show you which URL you will be redirected to. Click only on the pages you trust.
  • Be suspicious if a known contact suddenly sends you a QR code in an email without explanation when this was never the case before. Picking up the phone and making a quick call will help clarify.
  • If you are unsure, you can also open the relevant website separately in the browser and follow the prompts there instead of scanning the QR code. This way, you check the authenticity of the message and are definitely on the safe side.

 Our tip:

Smartphones are part of everyday working life for many people. Whether you have a company smartphone or use your private smartphone for work – the security standards for mobile devices must be defined and made accessible to all employees. It must be clearly regulated for which purposes the smartphone may be used. In addition, the smartphone must comply with current security standards. Important security updates must always be carried out promptly and 2-factor or multi-factor authentication should be used if this is sensible and possible.