QR codes have revolutionized our digital interactions by allowing us to make a simple payment, see the menu in a restaurant, or download an app at a music festival with just a quick scan on our phone.
However, amidst their convenience lies a hidden security risk that many overlook. QR code phishing, or Quishing, is gaining popularity among fraudsters as a way to steal user accounts and payment information.
QR codes are often used by services to make the sign-in process and sharing of information easier and more user-friendly. A common example is signing in to your account from a new device: instead of typing the username and password, you simply scan the QR code presented in the app and log in seamlessly.
While this makes the process simple, it can be easily abused. The most common fraud targets are Google and Microsoft accounts; however, attackers also impersonate subscription and parcel delivery services.
Fraudsters send out well-crafted emails impersonating the service, usually claiming that there was “an issue with your payment” or that “a suspicious login was detected”, and prompting the user to resolve the fictional issue by scanning the QR code to log in. Scanning the code, however, leads to a fraudulent website that steals the user’s credentials.
Quishing campaigns have been spotted targeting both end users and enterprises worldwide. This technique benefits attackers for multiple reasons:
Recent trends show that almost 25% of phishing attacks now abuse QR codes. Common attack themes include:
Protective DNS, such as the one provided by Whalebone, can safeguard users against links embedded in QR codes: the security solution checks the link destination in the background, even on people's phones, and prevents access to the fraudulent site.
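To illustrate the resolver-side check described above, here is an added example (not Whalebone's code or any product's implementation) that takes a payload decoded from a QR code, extracts the hostname a device would resolve, and applies a Protective-DNS style zone policy to it. The blocklist and the sample payloads are constructed for this example.

```python
"""Protective-DNS style verdict for a URL decoded from a QR code.

Constructed example: the blocked zones and payloads below are made up for
illustration; a real Protective DNS service consults live threat intelligence.
"""
from urllib.parse import urlsplit

# Constructed denylist of zones. Matching is on domain suffix, so any
# subdomain of a listed zone is blocked as well (like an RPZ wildcard rule).
BLOCKED_ZONES = {
    "login-micr0soft-verify.example",
    "secure-parcel-redelivery.example",
}


def normalize_hostname(host):
    """Lowercase, strip the trailing dot and IDNA-encode, as a resolver sees the name."""
    return host.rstrip(".").lower().encode("idna").decode("ascii")


def hostname_from_qr_payload(payload):
    """Return the hostname a browser would resolve for this payload, or None when
    the payload is not a web link (QR codes also carry plain text, Wi-Fi configs, ...)."""
    parts = urlsplit(payload.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    try:
        return normalize_hostname(parts.hostname)
    except UnicodeError:  # empty or over-long label: malformed, not resolvable
        return None


def dns_policy_decision(hostname, blocked_zones=BLOCKED_ZONES):
    """Walk from the full name up to the apex and block on the first listed suffix:
    a.b.evil.example -> b.evil.example -> evil.example."""
    labels = hostname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked_zones:
            return "BLOCK", candidate
    return "ALLOW", None


def evaluate_qr_payload(payload, blocked_zones=BLOCKED_ZONES):
    """Return (verdict, resolved hostname, matched zone) for one decoded QR payload."""
    host = hostname_from_qr_payload(payload)
    if host is None:
        return "NOT_A_LINK", None, None
    verdict, matched = dns_policy_decision(host, blocked_zones)
    return verdict, host, matched


if __name__ == "__main__":
    for sample in ("HTTPS://Account.Login-Micr0soft-Verify.EXAMPLE./session?id=1",
                   "https://accounts.google.com/signin",
                   "WIFI:S:cafe;T:WPA;P:secret;;"):
        print(sample, "->", evaluate_qr_payload(sample))
```

The decision is made on the hostname alone, which is why the same policy protects a phone whether the link arrived by e-mail, SMS or a printed QR code.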