Quishing: The Invisible Threat in QR Code Technology

Author: Chris McGowan
Date Published: 19 December 2023

The digital age is well upon us, and an incredible amount of convenience is at our fingertips. However, this is a double-edged sword: technological advancements also open up new avenues for cybercriminals to exploit. One such cyberthreat is termed quishing, a blend of quick response (QR) code and phishing. In a quishing attack, unsuspecting individuals are lured into scanning malicious QR codes that link to fraudulent websites or malware downloads.[1] Awareness of this new threat must be raised to protect personal data and digital safety.

Quishing is the malicious manipulation of QR code technology, a highly convenient tool in the digital world. Originally invented in 1994 by the company Denso Wave, the QR code was designed to track parts as they moved through the automobile assembly process.[2] QR codes have since become a ubiquitous presence used in everything from advertising and marketing to contactless menus and forms. They proved particularly valuable during the COVID-19 pandemic, helping enterprises reduce physical contact and transition to a digital interface.

However, cybercriminals have identified and exploited a flaw in the public’s trust in these harmless-looking black and white squares. In a typical quishing attack, a legitimate QR code is replaced by a malicious one. When an unsuspecting individual scans this code, they are redirected to a phishing site or forced to inadvertently download malware onto their device, leading to potential data breaches and financial losses.


QR codes can contain large amounts of data. This data, when scanned, directs users to a website, initiates a phone call, or downloads an application, among other possible functions. Quishing exploits this functionality by replacing the intended data with malicious data. For example, a user might scan a code expecting to access a restaurant's digital menu, but instead be redirected to a webpage impersonating a familiar social media site or banking portal. Here, they are prompted to enter their login details, which are captured and abused by the attacker.

The COVID-19 pandemic brought an unexpected boost to QR code usage worldwide. To create contactless environments, organizations turned to QR codes for various functions, inadvertently increasing the attack surface for quishing. Reports show a worrying increase in quishing attacks since the pandemic's onset.[3] As QR codes become more ingrained in daily life, quishing poses a growing threat that requires immediate attention.

Although QR codes are not inherently harmful, the ease with which criminals can fabricate counterfeit codes to trick users is worrisome. In fact, the US Federal Bureau of Investigation (FBI) recently raised an alarm that cybercriminals are exploiting both physical and digital QR codes.[4] They manipulate these pixelated barcodes to reroute victims to harmful websites designed to pilfer personal data and introduce malware to devices. Their motive is to gain unauthorized access to the victim's device and misdirect payments for illegitimate use.

A case in point is a recent event that took place in Austin, Texas (USA), wherein parking enforcement officers from Austin Transportation discovered malevolent QR codes on parking meters.[5] Motorists expecting to be directed to the city's authorized website or app were instead led to a counterfeit site that illicitly gathered their parking fee and credit card details. The FBI cautions that law enforcement cannot assure the retrieval of misplaced funds post-transaction.[6]

In another incident in December 2021, it was reported that 2 German banks had been impersonated in quishing campaigns.[7] Hackers posing as the banks claimed that new security measures were being implemented, which required users to scan QR codes to access their bank accounts. However, the QR codes were actually linked to phishing websites requesting bank account information.

In terms of technological safeguards, some smartphones have security settings that prevent automatic redirection after scanning a QR code. Additionally, using a reliable security solution on devices can provide an extra layer of protection against malware downloads. Furthermore, enterprises must also be vigilant in protecting their QR codes from tampering to maintain customer trust.

The best defense against quishing is awareness. Users must be educated about the risk associated with scanning QR codes, especially those from untrusted sources. It is also crucial to scrutinize where the QR code is directing to before taking any prompted actions.
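The scrutiny this article recommends, applied to the payload types described earlier (website, phone call, application), can be automated at the point where a scanner hands over its decoded text. The following Python function is an added example, not code from the article or from ISACA; the expected-host and URL-shortener lists are constructed placeholders a venue would replace with its own published destinations.

```python
"""Triage a decoded QR payload before the device acts on it (added example)."""
from urllib.parse import urlsplit
import ipaddress

# Constructed for this example: the hosts a venue publishes its own codes for,
# and a few shortener hosts that hide the final destination from the user.
EXPECTED_HOSTS = {"menu.example-restaurant.com", "pay.example-city.gov"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}


def classify_action(payload: str) -> str:
    """Name what a scanner would do with this payload: open a URL, dial, text, mail."""
    scheme = payload.split(":", 1)[0].lower() if ":" in payload else ""
    return {"http": "open_url", "https": "open_url", "tel": "dial",
            "sms": "text", "mailto": "email"}.get(scheme, "unknown")


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_qr_payload(payload: str) -> dict:
    """Return the action, the real destination host and reasons to distrust it."""
    action = classify_action(payload)
    reasons, host = [], ""
    if action == "open_url":
        parts = urlsplit(payload)
        host = (parts.hostname or "").lower()   # hostname ignores any user@ prefix
        if parts.scheme != "https":
            reasons.append("plain http: entered credentials travel unencrypted")
        if parts.username is not None:
            reasons.append("userinfo before '@' disguises the real host")
        if _is_ip(host):
            reasons.append("raw IP address instead of a brand domain")
        elif "xn--" in host:
            reasons.append("punycode label: possible lookalike domain")
        if host in SHORTENERS:
            reasons.append("URL shortener hides the final destination")
        if host and not _is_ip(host) and host not in EXPECTED_HOSTS:
            reasons.append(f"host {host} is not one this venue publishes")
    elif action in ("dial", "text"):
        reasons.append(f"code triggers a {action} action, not a web page")
    elif action == "unknown":
        reasons.append("unrecognised payload type; do not act on it blindly")
    return {"action": action, "host": host, "reasons": reasons,
            "suspicious": bool(reasons)}
```

A verdict of `suspicious` is a prompt to show the user the real host and reasons before the device follows the link, which is the check the article asks users to perform manually.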

Conclusion

Innovation and digital convenience often come with cyberrisk, and QR codes are no exception. As we embrace these technologies, we must also be aware of dark corners such as quishing. Public awareness, rigorous security measures and proactive cyberhygiene are crucial to preventing these threats. As we move forward in this digital age, let us not forget that our safety rests not only in the hands of cybersecurity experts, but also in our own. Remember, vigilance is key when it comes to cybersecurity. Always be aware of what you are scanning and the information you provide after scanning a QR code.

Endnotes

1 Crandall, R.; “QR Codes: A Growing Vulnerability to Cybercrimes,” 9 March 2023
2 Garcia, P.; “QR Code: The Comeback Kid,” Code, 2 July 2021
3 Goettl, C.; “The Global Pandemic Has Led to Unprecedent QR Code Security Challenges,” Ivanti, 20 April 2021
4 Alvarez Technology Group, “FBI Warns of Rising QR Code Attacks,” 2022
5 Ibid.
6 Ibid.
7 Hong Kong Computer Emergency Response Team Coordination Centre, “Introduction of QR Code Attacks and Countermeasures,” 20 January 2022

Chris McGowan is principal of information security professional practices on the ISACA® Content Development and Services team. In this role, he leads information security thought leadership initiatives relevant to ISACA’s constituents. McGowan is a highly accomplished US Navy veteran with nearly 23 years of experience spanning multidisciplinary security and cyberoperations.