
What is QR Code Phishing? (Quishing) – Attack & Prevention Guide in 2024

 Cyber Writes Team / Report


QR code Phishing, or “Quishing,” is a cyber threat that exploits the widespread use of QR (Quick Response) codes in phishing attacks. 

Quishing takes advantage of the heavy use and growing popularity of QR codes. These codes, which can be easily scanned using smartphones, are commonly seen as innocent and have become a widely used tool for businesses and organizations to exchange information, facilitate payments, or guide users to websites. Attackers exploit this trust and familiarity.

Scammers can utilize QR codes through various channels, such as emails, text messages, social media, public places, or even by directly approaching individuals to scan them. 

The FBI has reported an increase in scammers instructing victims to utilize physical crypto ATMs and QR codes for payment transactions.

Fraudsters often manipulate victims into making payments and instruct them to withdraw funds from their financial accounts, including investment or retirement accounts.

The FBI cautions that a QR code linked to the scammer’s cryptocurrency wallet will be given to the victim for use in the transaction.

The fraudster will then guide the target to a physical cryptocurrency ATM where they can deposit their funds, buy cryptocurrency, and utilize the given QR code to fill in the recipient’s address automatically. 

How Quishing Works

Generating a Malicious QR Code

Cybercriminals create QR codes that, when scanned, direct users to deceptive websites or initiate the download of harmful software.

The QR codes can be distributed through different channels, including emails, social media, printed materials, or by placing stickers over legitimate QR codes in public areas.

The Scam Process

Once someone scans the QR code, they are directed to a deceptive website that may appear legitimate. On this site, they are prompted to provide sensitive information such as login credentials, personal data, or financial details.

Some quishing attempts instead trigger a malware download, which can compromise devices and networks.

The attackers leveraged compromised email accounts to exploit the victim organization’s legitimate Outlook infrastructure for sending the QR codes. The phishing pages found after QR code scans were hosted through an enterprise survey service and linked to IP addresses associated with Google or Amazon.

What sets these messages apart is that they include QR codes presented as the way to access missed voicemails. This avoids the URL scanning of email attachments by secure email gateways and native security controls, which would typically block such links.

Most of the QR code images were generated on the same day they were sent, which reduces the chances of them being flagged by a security blocklist due to prior reports. A total of six distinct profiles were utilized to transmit messages for the campaign, with the majority crafted to appear connected to the industry of interest.

Recent Quishing Attack

In the latest phishing campaigns, cybercriminals have started utilizing QR codes as an alternative to buttons to redirect victims to fraudulent websites.

These emails lack clear-text URLs and instead use QR codes to obfuscate them, which poses a challenge for security software to detect.
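
The following triage heuristic is an added example, not part of the original article: it flags mail that carries an image and a voicemail or QR lure but no clear-text URL, so the image can be sent to a QR decoder and the decoded link scanned. The lure keywords, field names and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
# Assumed lure vocabulary, based on the voicemail theme the article describes.
LURE_RE = re.compile(r"\b(voicemail|voice message|qr code|scan the code)\b", re.I)

def triage(raw: str) -> dict:
    """Flag mail whose only route to a link is an image that may hold a QR code."""
    msg = message_from_string(raw, policy=policy.default)
    texts, images = [], 0
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            images += 1
        elif part.get_content_type() in ("text/plain", "text/html"):
            texts.append(part.get_content())
    body = "\n".join(texts)
    has_url = bool(URL_RE.search(body))
    lure = bool(LURE_RE.search(f"{msg['Subject'] or ''}\n{body}"))
    return {"images": images, "clear_text_url": has_url, "lure": lure,
            "needs_qr_decode": images > 0 and lure and not has_url}

def build_sample(subject: str, body: str, with_image: bool) -> str:
    """Constructed test message; the image bytes are a placeholder, not a real QR."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    if with_image:
        m.add_attachment(b"constructed-placeholder-image-bytes",
                         maintype="image", subtype="png", filename="code.png")
    return m.as_string()

QUISH = build_sample("Missed voicemail", "Scan the QR code to listen.", True)
BENIGN = build_sample("Minutes", "Notes: https://intranet.example/minutes", True)

if __name__ == "__main__":
    for name, raw in (("QUISH", QUISH), ("BENIGN", BENIGN)):
        print(name, triage(raw))
```

A message flagged with `needs_qr_decode` still has to go through an image QR decoder, which is outside this sketch.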

QR codes have become more effective by targeting mobile users, who may have less protection from internet security tools.

Upon reaching the phishing site, individuals are prompted to provide their bank location, code, user name, and PIN.

After inputting these details on the phishing page, the user patiently awaits validation, only to be prompted to re-enter their credentials because they were deemed incorrect.

Phishing campaigns frequently use this repetition to guard against typos in the credentials users enter the first time.

It is important to exercise caution when dealing with emails, even if they appear genuine. Refrain from clicking on any buttons, URLs, or QR codes that redirect you to external websites.

Before entering your account credentials, it’s important to verify the domain you’re on to ensure its authenticity.
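
As an added example (not from the original article), the check below shows how a scanner app or mail gateway could automate that domain verification on a decoded QR payload, and it goes slightly beyond the text by also labelling cryptocurrency payment URIs like those in the FBI warning. The allowlist, verdict names and sample payloads are hypothetical.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of domains the organization actually uses.
TRUSTED = {"example-bank.com", "pay.example.org"}

def host_is_trusted(host: str, trusted=TRUSTED) -> bool:
    """Exact match or true subdomain; a bare substring test would be bypassable."""
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in trusted)

def assess_qr_payload(payload: str) -> str:
    """Return a verdict for the text decoded from a QR code."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme in ("bitcoin", "ethereum"):
        return "crypto-payment"      # pre-fills a wallet address at an ATM or app
    if scheme not in ("http", "https"):
        return "non-web"
    host = parts.hostname or ""
    if not host:
        return "malformed"
    if "@" in parts.netloc:
        return "suspicious"          # userinfo can disguise the real host
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious"          # punycode label: review for lookalikes
    if scheme != "https":
        return "suspicious"          # credentials must not travel over plain HTTP
    return "trusted" if host_is_trusted(host) else "untrusted"

# Constructed sample payloads, not taken from any real campaign.
SAMPLES = [
    "https://login.example-bank.com/session",
    "https://example-bank.com.account-check.test/login",
    "https://example-bank.com@203.0.113.7/login",
    "http://example-bank.com/",
    "bitcoin:CONSTRUCTED-PLACEHOLDER-ADDRESS?amount=0.5",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{assess_qr_payload(s):15} {s}")
```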

You may have encountered QR codes in various settings, such as restaurants, parking lots, and marketing campaigns. In 2022, the Federal Bureau of Investigation highlighted the issue of cybercriminals manipulating QR codes to unlawfully obtain victims’ financial funds.

In the past, QR Code phishing attacks were not very common. However, around mid-September 2023, Microsoft Security Research & Threat Intelligence noticed a notable rise in phishing attempts involving QR codes.

Recent incidents of quishing (QR code phishing) highlight the ever-changing strategies employed by cybercriminals and the growing importance of maintaining a high level of caution in digital security.