QR phishing, or quishing, is a type of phishing attack where an attacker tries to trick a victim into interacting with a QR code image. The QR code usually redirects users to a page where they are prompted to enter login credentials. Unfortunately, these pages are malicious copies, and attempting to log in gives attackers access to credentials, compromising the user’s account.
Learn how QR code attacks work, why they’re increasingly common, what they lead to, and how to stop them.
How a Malicious QR Code Phishing Attack Works
Consider this real QR code attack that Abnormal detected. At first glance, the email appears trustworthy – it’s a friendly reminder from Microsoft that your MFA password is set to expire, so you need to update it:
All you have to do is scan the QR code with your phone. Once you do, you’re redirected to a Microsoft-branded login page where you can enter your credentials to update your password. Easy, right?
Unfortunately, the page is a malicious spoof, and your credentials go straight to an attacker. At this point, your account is compromised.
This attack is relatively simple to replicate, and it follows the classic phishing playbook:
The email appears to come from Microsoft, a trusted source.
The email contains manufactured urgency with the password set to expire that day.
The email funnels the user into sharing their credentials.
3 Reasons QR Code Phishing Attacks Are Growing in Popularity
QR phishing attacks are increasingly common for a few reasons:
Legacy email security solutions struggle to detect them. At first glance, a QR code appears to be a benign image without a malicious URL or suspicious text. We found that 17% of all attacks that get through built-in spam filters (from Google or Microsoft, for example) used QR codes.
People are using QR codes more and more in their daily lives. Restaurant menus, ads, concert tickets, boarding passes, and payment transactions may involve a QR code. This familiarity and frequency mean users are less likely to suspect something is off when they see a QR code in an email.
A QR code moves the attack away from a secure email to a user’s phone, which doesn’t have the same lateral protection and posture management as a cloud-based business environment.
Attackers constantly workshop new methods to evade users’ common sense and organizational security measures. QR code attacks are the latest in a long line of malicious innovations.
What Attack Types Are Executed With a Malicious QR Code?
The QR code attacks that Abnormal uncovers are primarily phishing attempts. These emails use urgency and impersonation to trick a user into interacting with a QR code that redirects to a website that looks like a legitimate login page.
But there are various malicious uses for QR codes besides a classic phishing attack, including:
Malware downloads
Invoice fraud
Login hijacking
Email impersonation
Any of these approaches, when successful, can compromise login credentials, financial information, sensitive data, and more.
How We Detect QR Code Phishing Attacks
Abnormal detects QR code attacks with a two-pronged behavioral AI approach:
We use natural language processing and understanding to identify unusual or unknown email senders, urgent language, and impersonated email addresses – all hallmarks of QR phishing attacks.
Our AI-native detection engine decodes the QR code to extract and display the URL, using URL detection capabilities to determine whether it is malicious.
We detect unusual behavioral signals commonly associated with QR code attacks by understanding normal business relationships and communication patterns.
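The signals described above can be combined in a small mail-triage check. The following is an added example, not Abnormal's detection engine: it parses a raw message, flags a brand display name on an unrelated sender domain, flags urgency wording, and checks where each QR image in the message points. The QR decoder is passed in by the caller; `BRAND_DOMAINS`, `triage`, `sample_message`, `fake_decoder` and all sample values are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

URGENCY = re.compile(r"\b(expir\w*|urgent\w*|immediately|today|suspend\w*)\b", re.I)
# Constructed allowlist: brand keyword -> domains that brand legitimately uses.
BRAND_DOMAINS = {"microsoft": {"microsoft.com", "microsoftonline.com", "office.com"}}

def base_domain(host):
    # Naive last-two-labels rule; production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(raw, decode_qr):
    """decode_qr(image_bytes) -> list[str] is caller-supplied (any QR library)."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    brands = [b for b in BRAND_DOMAINS if b in sender.display_name.lower()]
    findings = [f"impersonation:{b}" for b in brands
                if base_domain(sender.domain) not in BRAND_DOMAINS[b]]
    body = msg.get_body(preferencelist=("plain", "html"))
    text = f"{msg['Subject']} {body.get_content() if body else ''}"
    if URGENCY.search(text):
        findings.append("urgency")
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        for payload in decode_qr(part.get_content()):
            host = urlsplit(payload).hostname
            if host is None:
                continue  # QR payload is not a URL (plain text, Wi-Fi config, ...)
            findings.append(f"qr-url:{payload}")
            findings += [f"qr-offbrand:{base_domain(host)}" for b in brands
                         if base_domain(host) not in BRAND_DOMAINS[b]]
    return findings

def sample_message(from_hdr="Microsoft Security <alerts@mail-notify.example>"):
    # Constructed sample modelled on the lure above; the bytes stand in for a QR image.
    m = EmailMessage()
    m["From"] = from_hdr
    m["Subject"] = "Your MFA password expires today"
    m.set_content("Scan the QR code with your phone to update your password.")
    m.add_attachment(b"QR-IMAGE-PLACEHOLDER", maintype="image", subtype="png", filename="qr.png")
    return m.as_bytes()

def fake_decoder(image_bytes):
    # Stand-in for a real QR decoder so the example runs offline.
    return ["https://login.microsoft.com.verify-session.example/update"]

if __name__ == "__main__": print(triage(sample_message(), fake_decoder))
```

The three flags map onto the playbook listed earlier: trusted-looking sender, manufactured urgency, and a credential page hosted off the brand's own domains.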
How to Prevent QR Code Attacks
On an individual level, the simplest way to avoid a quishing attack is by ignoring any QR code from an unknown source. But that’s easier said than done, particularly at a large enterprise.
Here’s what organizations can do to reduce the odds of a QR phishing attack:
Use an email security solution that can parse a QR code in the body of an email to detect malicious URLs.
Don’t rely on QR codes for MFA or other legitimate uses, as employees will begin to trust emails with QR codes.
Conduct training and simulations that educate and test employees on unknown QR codes.