QUISHING – What you need to know
Quishing, or QR phishing, is a type of cybersecurity threat in which attackers create QR codes to redirect victims into visiting or downloading malicious content.
What is quishing?
Quishing, or QR phishing, is a cybersecurity threat where attackers exploit QR codes to direct victims to malicious websites or prompt them to download harmful content. The objective of this attack is to steal sensitive information, such as passwords, financial data, or personally identifiable information (PII), which can then be used for identity theft, financial fraud, or ransomware attacks.
This form of phishing often evades traditional defenses like secure email gateways. QR codes in emails are often seen as harmless images by these security systems, leaving users vulnerable to phishing attacks. Additionally, QR codes can be delivered to targets through various other means.
How does quishing work?
In a quishing attack, attackers generate a QR code that links to a malicious website. They typically embed this QR code in phishing emails, social media posts, printed flyers, or on physical objects, using social engineering tactics to lure victims. For instance, an email might prompt recipients to scan a QR code to access an encrypted voice message for a chance to win a cash prize.
When victims scan the QR code with their phones, they are redirected to the malicious site, which may ask them to enter private information such as login credentials, financial details, or personal data. In the example, the site might request the user’s name, email address, physical address, date of birth, or account login information.
Once attackers obtain this sensitive information, they can use it for various malicious activities, including identity theft, financial fraud, or ransomware attacks.
How can end-users prevent quishing?
Ensure you verify the URL linked to the QR code and avoid submitting personal information, making payments, or downloading anything from a site accessed via a QR code. By following these precautions, individuals can lower the risk of becoming victims of quishing attacks.
Train end users | Backup data | Be cautious |
Check the URL | Do not enter login details | Forward email to your security team |