QR Code-Based Phishing Attacks are on the Rise

image provided by pixabay

This post is also available in: עברית (Hebrew)

QR code-based phishing attacks (also called “quishing”) are rising, with threat actors using malicious QR codes to steal valuable data and money. Furthermore, experts state it is currently still difficult to detect and mitigate the threats spread by this method.

These QR code phishing attacks are not so different than standard ones- a victim gets an email from a supposedly trustworthy sender (often imitating real companies) encouraging them to scan an embedded QR code. There are cases when the attackers don’t even need to mimic a legitimate company, but rather they may already have compromised an organization’s email account and are sending messages from its domain.

According to Cybernews, there has been a significant surge in these QR-code-based attacks. A customer incidents analysis by ReliaQuest revealed a 51% surge in QR code attacks since the previous year. The firm suggests the rise in scams may be linked to the growing number of smartphones equipped with built-in QR code scanners, and users often scanning codes without considering their legitimacy.

The most popular “quishing” scenario this year was a case in which targets were sent emails that were made to seem like legitimate Microsoft security notifications. Inside the email there was either a PNG or PDF file asking the receiver to scan a QR code, which if scanned would redirect them to a phishing page designed to steal their credentials.

Another popular instance was online banking pages used to trick victims- QR codes redirected visitors to fake websites where they were asked to enter their personal banking credentials, which were then stolen.

Threat actors are also getting creative, avoiding email filters by sending messages with a harmless or empty body and hiding the QR code in a PDF or JPEG file attached to the email, since the filters mainly focus on clickable elements.

In conclusion, despite still being a relatively new method, QR code phishing is expected to become increasingly more complex and widespread, due to it being a difficult threat to detect.