Quishing – Phishing just got an upgrade
QR codes are everywhere and genuinely useful, but cybercriminals also use them to steal personal and financial information. As quishing attacks increase, it is important to know how they work and how to stay safe.
Nowadays, most people know not to click links in messages from unknown numbers or email addresses. We have learned to be careful about sharing personal or financial information, and we are familiar with phishing and its SMS variant, smishing. However, as defences improve, cybercriminals find new ways to trick us. One growing threat is quishing, which uses QR codes to deliver the scam.
What is a QR code?
If you have a smartphone, you have almost certainly seen a QR code. These black-and-white grids encode information, most often a web address, and appear everywhere: on restaurant menus, tickets, adverts and more. QR codes became even more common during COVID-19, when they were used for vaccination records, contactless payments and collecting customer details. Sadly, cybercriminals now use QR codes to steal personal data through scams called quishing, often by embedding the codes in emails.
What is quishing?
"Quishing" combines "QR code" and "phishing." Like phishing, it relies on fraudulent emails, but instead of a clickable link the message carries a QR code. Scanning the code opens a fake website where victims are asked to enter personal or financial details, or a page that pushes malware onto the device. Quishing emails often appear to come from trusted companies, such as delivery services or retailers. Because the destination address is encoded in an image rather than written in the email's text or HTML, link-scanning filters that do not decode images never see it, and the scan moves the victim from a managed computer onto a phone that may sit outside the company's web filtering. Both effects make these scams more effective.
Why should I care about Quishing?
Quishing scams have increased recently. Attackers use QR codes to push victims onto mobile devices, which often have weaker phishing protection than managed computers and whose small screens make it harder to inspect a web address. A QR code gives no visual clue about where it leads, so a legitimate code and a malicious one look identical, and because codes became commonplace during COVID-19 people scan them without a second thought. Attackers make their messages look like genuine internal emails, often posing as company departments such as HR, to trick employees into handing over sensitive information.
A recent attack targeted a large agricultural company with over 16,000 employees. Scammers sent emails posing as the HR department, claiming to share payroll information. These emails included a QR code leading to a fake SharePoint login page designed to steal employees’ credentials.
In another scam, over 1,000 fake emails targeted a U.S. energy company, asking users to scan QR codes to "secure their account." The codes led to fake Microsoft login pages to steal credentials, using urgent language like "you must act within 72 hours" to pressure victims.
Because the address hidden in a QR code is harder for automated security systems to inspect than a plain link, awareness is often the first line of defence. A single employee falling for a scam can result in significant financial and reputational damage to a company.
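The detection gap described above is that the URL travels inside an image. Once a QR decoder has turned the image back into a string, that string deserves exactly the checks a clickable link would get. The following is an added example, written for this page and not code from the original article or any product: a stdlib-only Python triage routine for a decoded QR payload. The trusted-domain allowlist, the lure-word and shortener lists, and the sample payloads are all constructed assumptions for illustration; a real deployment would use the organisation's own allowlist, a Public Suffix List lookup for the registrable domain, and a proper QR decoding library to obtain the payload in the first place.

```python
"""Triage of URLs decoded from QR codes found in inbound email.

Added example, not from the original article. A QR decoder supplies the
payload string; this module handles what comes after that step and treats
the decoded payload with the same suspicion as a clickable link.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import urlsplit

# ASSUMED allowlist for a fictional organisation: exact hosts or registrable
# domains whose subdomains employees are expected to log in to.
TRUSTED_DOMAINS = {"microsoftonline.com", "example-corp.sharepoint.com", "example-corp.com"}
# Well-known URL shorteners: they hide the real destination until visited.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
# Lure words from the HR/payroll and "secure your account" themes described
# in the article; suspicious when they appear on a host we do not trust.
LURE_WORDS = {"microsoft", "microsoftonline", "sharepoint", "office365",
              "login", "signin", "payroll", "hr"}
# Flags serious enough to block on their own.
HARD_FLAGS = {"credentials-in-url", "ip-literal-host", "punycode-label",
              "lure-word-on-untrusted-host"}


@dataclass
class Assessment:
    payload: str
    is_url: bool
    host: str | None = None
    flags: list[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if not self.is_url:
            return "not-a-url"
        if HARD_FLAGS & set(self.flags):
            return "block"
        return "review" if self.flags else "allow"


def is_trusted(host: str) -> bool:
    """Exact match or subdomain of an allowlisted domain (suffix match on a label boundary)."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def assess_qr_payload(payload: str) -> Assessment:
    parts = urlsplit(payload.strip())  # urlsplit lowercases the scheme for us
    if parts.scheme not in ("http", "https") or not parts.hostname:
        # Wi-Fi, vCard, plain text and similar payloads are out of scope here.
        return Assessment(payload=payload, is_url=False)
    host = parts.hostname.rstrip(".")  # .hostname is already lowercased
    a = Assessment(payload=payload, is_url=True, host=host)

    if parts.scheme == "http":
        a.flags.append("plaintext-http")
    if parts.username is not None:
        # https://login.microsoftonline.com@203.0.113.7/ really goes to the host after the @
        a.flags.append("credentials-in-url")
    try:
        ip_address(host)
        a.flags.append("ip-literal-host")
    except ValueError:
        pass  # a normal hostname, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        a.flags.append("punycode-label")  # possible homoglyph domain
    if host in SHORTENERS or any(host.endswith("." + s) for s in SHORTENERS):
        a.flags.append("url-shortener")
    if is_trusted(host):
        return a  # allowlisted host: lure words in its path are legitimate use
    a.flags.append("untrusted-host")
    # Brand or lure words as whole tokens in the host labels or path, e.g. the
    # trusted brand appearing as a subdomain of someone else's domain.
    tokens = set(re.findall(r"[a-z0-9]+", host + parts.path.lower()))
    if tokens & LURE_WORDS:
        a.flags.append("lure-word-on-untrusted-host")
    return a


def triage(payloads: list[str]) -> dict[str, str]:
    """Map each decoded payload to its verdict."""
    return {p: assess_qr_payload(p).verdict for p in payloads}


# Constructed sample payloads, not data from any real campaign.
SAMPLE_PAYLOADS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",   # allow
    "https://example-corp.sharepoint.com/sites/HR/payroll.pdf",    # allow (trusted host)
    "https://login.microsoftonline.com.verify-account.co/secure",  # block (brand as subdomain)
    "https://sharepoint-hr-payroll-login.example-cdn.net/auth",    # block (lure words)
    "https://login.microsoftonline.com@203.0.113.7/",              # block (userinfo + IP)
    "HTTP://bit.ly/3abcXYZ",                                       # review (shortener, http)
    "WIFI:T:WPA;S:GuestNet;P:welcome1;;",                          # not-a-url
]

if __name__ == "__main__":
    for payload, verdict in triage(SAMPLE_PAYLOADS).items():
        print(f"{verdict:10} {payload}  {assess_qr_payload(payload).flags}")
```

The allowlist short-circuit matters: the payroll PDF on the organisation's own SharePoint is allowed even though its path contains lure words, while the same words on a host nobody has vouched for are what turn a mere "untrusted" result into a block.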
How can I protect myself from Quishing?
- Be aware: always assess emails critically, especially those containing QR codes. If your phone shows the decoded web address before opening it, read the domain before you tap.
- It's all in the details: look closely at the actual sender address, not just the display name. Scammers may impersonate legitimate organisations, but their addresses often contain random characters or unusual domains.
- Grammar: official communications are usually well written. Watch for spelling mistakes, odd punctuation or unpolished language.
- A sense of urgency: scammers create urgency, such as a 72-hour deadline, to make victims act without thinking. If in doubt, contact the organisation through a channel you already know, such as its official website or your internal HR contact, rather than any details given in the email.
- Be cautious about the information you provide: if an email or QR code asks for excessive personal information, or for a login on a page you reached by scanning a code from an email, treat it as suspicious.
- Keep your device up to date: current operating system and browser versions include the latest security protections, reducing the risk of falling victim to malicious pages and malware.