13th January 2025

With QR Code Redemption Set to Surge to 5.3 Billion in 2025, Cybercriminals will Increase Their Quishing Attacks


Rob Batters, Director of Managed and Technical Services, Northdoor plc

Quishing involves the embedding or attaching of QR codes into phishing emails which take victims to malicious websites

A recent report by security firm Egress has highlighted the increasing role that quishing is playing in phishing attacks. With the popularity of QR codes rising all the time, cybercriminals have identified them as an ‘easy’ route into an organisation’s data and infrastructure.

Like most phishing attacks it plays on the trusting nature of an employee, tricking them into using the QR code that looks like it will take them to a legitimate page. However, it instead pushes the victim towards a malicious site that can result in cybercriminals gaining direct access into a company’s systems.

Whilst the increasing use of QR codes has driven cybercriminals to this new tactic, the successful countering of malicious hyperlinks with intelligent cloud-based solutions has also forced them to look for new holes in company defences. As we know, cybercriminals tend to be at least one step ahead of the sector’s attempts to keep them out, and QR codes offer a real opportunity for bad actors to go round new, effective defences.

Increase and nature of quishing attacks

Egress identified that from 1st January – 31st August 2024, 12 percent of all phishing attacks contained a QR code. This is likely to increase substantially in 2025 as a result of an expected surge in QR code usage this year and so companies have to become more aware of what such threats look like and how their employees can better manage the incoming phishing attacks.

The report highlights what a typical attack looks like:

Step 1: The victim receives a phishing attack containing a QR code, often accompanied by social engineering techniques designed to compel them to read it. Cybercriminals typically emphasise elements such as urgency, authority, or emotional appeals within the email to increase the likelihood that the recipient will engage with the malicious payload.

Step 2: The victim uses their smartphone camera to read the QR code, which prompts them to open their browser and directs them to a malicious website.

Step 3: Depending on the nature of the website, the victim could be asked to enter log-in credentials or financial details, or malware may be downloaded onto their device. If the attacker successfully gains access to a user’s credentials, they can use these to launch further attacks within an organisation or move laterally across networks.

Essentially, quishing works the same as a ‘normal’ phishing attack. However, by utilising a trusted source such as a QR code, cybercriminals are increasing their chances of success. Quishing, as a tactic, is relatively new, but as companies and solutions begin to catch up, cybercriminals are already adapting their approaches. Some are putting the malicious QR code on a coloured background to make it harder for software to identify the code’s anchors and flag it as malicious.

Others are embedding the code within emails as attachments. Once the attachment is open, the code can be used like any other QR code, but it can trick some software into allowing it through. The most sophisticated approaches involve embedding QR codes within macro-enabled Excel files. When opened, these files execute macros that assemble a malicious URL from separate cells and generate a QR code from it. As most solutions struggle to analyse fragmented URL components, this increases the chances of the code getting through. The positive for employees is that such efforts to get past the software mean that the code itself looks more suspicious and is easier to identify as a cyberattack.
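The indicators described in the steps and evasion techniques above can be combined into a mail-gateway pre-filter that decides which messages to hold for QR decoding and sandboxing. The following is an added example, not code from the Egress report or the author; the keyword lists, weights, threshold and function names are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed keyword lists and weights (assumptions); tune against your own mail flow.
URGENCY = re.compile(r"\b(urgent|immediately|action required|suspended|expires?)\b", re.I)
SCAN_PROMPT = re.compile(r"\b(qr code|scan (the|this) code)\b", re.I)
LINK = re.compile(r"https?://", re.I)
MACRO_EXT = (".xlsm", ".xlsb", ".xltm")  # macro-enabled Excel formats
WEIGHTS = {"urgency_language": 1, "scan_prompt": 2,
           "image_without_links": 2, "macro_spreadsheet": 3}

def quishing_signals(raw_message):
    """Return the set of quishing indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    text, has_image, signals = str(msg.get("Subject", "")), False, set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = (part.get_filename() or "").lower()
        if ctype.startswith("text/") and part.get_content_disposition() != "attachment":
            text += "\n" + part.get_content()
        elif ctype.startswith("image/"):
            has_image = True  # inline or attached image that may carry a QR code
        if fname.endswith(MACRO_EXT):
            signals.add("macro_spreadsheet")
    if URGENCY.search(text):
        signals.add("urgency_language")
    if SCAN_PROMPT.search(text):
        signals.add("scan_prompt")
    # An image with no clickable link in the body is typical of link-scanner evasion.
    if has_image and not LINK.search(text):
        signals.add("image_without_links")
    return signals

def needs_qr_inspection(raw_message, threshold=3):
    """True when the message should be held for image decoding and sandboxing."""
    return sum(WEIGHTS[s] for s in quishing_signals(raw_message)) >= threshold

def build_sample(subject, body, attachments=()):
    """Build a constructed test message; attachment bytes are placeholders."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    for name, maintype, subtype in attachments:
        m.add_attachment(b"constructed", maintype=maintype, subtype=subtype, filename=name)
    return m.as_string()
```

A pre-filter like this only selects mail for deeper inspection; the held images and workbooks still need to be decoded or detonated before a verdict is reached.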

Employee education and third-party support

The key to countering quishing attacks is the same as for phishing attacks. If employees can identify what a malicious email looks like, then they are unlikely to click any link, open an attachment or use a QR code. Keeping employees up to date with what the latest threats look like and how to deal with them means that cybercriminals have to find new routes to gain access to data and systems.

The efforts of cybercriminals to find the soft underbelly of a company’s security will of course continue and are likely to become more sophisticated and complex. This means that the job for internal IT and security teams becomes more onerous and time-consuming. At a time when manpower and budgets are stretched, this becomes, on the face of it, an almost impossible task.

Many are turning to third-party consultancies to help shoulder some of the pressure. These consultancies can also provide the expertise that in-house teams struggle with. By keeping an eye on systems as well as informing teams about the latest threats, consultancies are, in many cases, in a better position to keep cybercriminals out.

Wealth & Finance International is part of AI Global Media

Discover our 10+ brands covering different sectors
APAC InsiderBUILD MagazineCorporate VisionEU Business NewsGHP NewsAcquisition InternationalNew World ReportMEA MarketsCEO MonthlySME NewsLUXlife MagazineInnovation in BusinessThe Business Concept