Quishing is essentially a form of phishing attack that cleverly uses QR codes to trick users into visiting malicious websites. When a user scans a malicious QR code, their browser goes to the website indicated by the QR code.
Quishing attacks work like traditional phishing attacks. Often, a phishing attack will involve an email or text message containing a malicious link. When the recipient clicks on a link, they are directed to a phishing site that attempts to steal sensitive information — such as login credentials — or install malware on their computer.
Quishing attacks differ from traditional phishing attacks in how the link is formatted in an email. Instead of a text-based link, the malicious website is pointed to by a QR code. When a user scans the QR code, their device can extract the indicated link and take the user to that URL.
While quishing uses many of the same techniques as a traditional phishing attack, the use of QR codes makes it far more difficult to detect and block. Instead of a link embedded in a message — which can be detected by scanning the text of the email — a quishing attack uses an image that can be decoded to a URL. Identifying QR codes in emails and extracting the URLs is much more difficult than simply reading a link from the message text.
QR codes are designed to be an easy and space-efficient way to direct users to a website. Instead of typing in a URL, a user can scan the QR code with the camera on their mobile device. A QR code-compatible app can decode the image to a URL that can then be opened in a user’s browser.
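The two paragraphs above describe both the detection gap (a QR code is an image, so the URL is not visible in the message text) and the decoding step a phone performs. The following Python is an added example, not code from the original page or from Check Point: it walks a MIME message, pulls out every image part, hands each one to a QR decoder, and applies a few defensive heuristics to the extracted URL (non-HTTPS, raw IP host, host that differs from the sender's domain). The OpenCV decoder, the sample email, its placeholder image bytes, and the stub decoder are all assumptions constructed for this demonstration; a real QR image would be decoded by `opencv_decoder` when OpenCV is installed.

```python
import email
import email.policy
import email.utils
import re
from ipaddress import ip_address
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: a multipart email carrying one inline "QR" image.
# The image payload is placeholder bytes, not a real QR code; stub_decoder
# below simulates what a QR decoder would return for it.
SAMPLE_EMAIL = b"""From: it-helpdesk@example.com
To: user@example.com
Subject: Action required: re-enrol your MFA device
MIME-Version: 1.0
Content-Type: multipart/related; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<html><body>Scan the code below with your phone to re-enrol.<img src="cid:qr1"></body></html>
--B1
Content-Type: image/png; name="qr.png"
Content-ID: <qr1>
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--B1--
"""

Decoder = Callable[[bytes], Optional[str]]


def image_parts(raw: bytes) -> List[Tuple[str, bytes]]:
    """Return (content-type, decoded payload) for every image part in a MIME message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            parts.append((part.get_content_type(), part.get_payload(decode=True)))
    return parts


def opencv_decoder(data: bytes) -> Optional[str]:
    """Decode a QR image with OpenCV (assumption: opencv-python and numpy are installed)."""
    import cv2  # imported lazily so the rest of the module works without it
    import numpy as np
    img = cv2.imdecode(np.frombuffer(data, dtype=np.uint8), cv2.IMREAD_COLOR)
    if img is None:
        return None
    text, _points, _straight = cv2.QRCodeDetector().detectAndDecode(img)
    return text or None


def stub_decoder(data: bytes) -> Optional[str]:
    """Stand-in decoder for the constructed sample; 203.0.113.0/24 is a documentation range."""
    return "http://203.0.113.7/login?u=user@example.com" if data == b"PLACEHOLDER" else None


def qr_urls(raw: bytes, decode: Decoder) -> List[str]:
    """Decode every image part and keep only payloads that look like URLs."""
    urls = []
    for _ctype, payload in image_parts(raw):
        text = decode(payload)
        if text and re.match(r"^[a-z][a-z0-9+.-]*://", text, re.I):
            urls.append(text)
    return urls


def risk_flags(url: str, sender_domain: str) -> List[str]:
    """Simple heuristics a mail gateway could apply to a URL extracted from a QR code."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    flags = []
    if p.scheme.lower() != "https":
        flags.append("non-https")
    try:
        ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass
    if host and not (host == sender_domain or host.endswith("." + sender_domain)):
        flags.append("host-differs-from-sender")
    if p.username is not None:
        flags.append("userinfo-in-url")
    return flags


def triage(raw: bytes, decode: Decoder = opencv_decoder) -> List[Dict[str, object]]:
    """Return one record per QR-embedded URL with the flags raised against it."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rpartition("@")[2].lower()
    return [{"url": u, "flags": risk_flags(u, sender_domain)} for u in qr_urls(raw, decode)]


if __name__ == "__main__":
    for record in triage(SAMPLE_EMAIL, decode=stub_decoder):
        print(record["url"], "->", ", ".join(record["flags"]) or "no flags")
```

The point of separating `image_parts`, the decoder, and `risk_flags` is that the expensive step is the decode: a gateway has to rasterise and scan every inline image, which is exactly why the text above calls QR extraction harder than reading a link out of the message body. Once the URL is out, it can be fed into the same reputation and sandboxing checks used for text links.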
Visiting a malicious website via a QR code has the same possible impacts on a user and their device as if they had visited it by other means, such as clicking on a link in a phishing email. The phishing site could be designed to trick the user into entering their login credentials or into installing malware on their device.
Quishing poses a unique security challenge for organizations because it involves multiple devices. If a user receives an email with a QR code on one device, they will likely scan that code with another device to open the indicated webpage. This creates significant security challenges for an organization because users receiving quishing emails sent to their work email address may scan the malicious QR code using personal devices. These devices may not be subject to the organization’s cybersecurity policies and may lack the same level of anti-phishing defenses, making it difficult to prevent, detect, and track potential compromises.
Companies also face the opposite risk when dealing with quishing attacks. A quishing email sent to a personal email address will not be blocked by corporate anti-phishing defenses. If a user scans the QR code in that email with a business device, the corporate device could be infected by malware if the threat is not detected and blocked by company security solutions.
Some methods for detecting these attacks include:
Organizations and individuals can use various methods to protect against quishing attacks, including:
Check Point Harmony Email and Collaboration offers strong anti-phishing protection, including quishing attacks. It was named a Leader in the 2023 Forrester Wave for Enterprise Email Security. For more information on how Harmony Email and Collaboration can help protect your organization against the latest phishing threats, sign up for a free demo today.