September 21, 2023

A new kind of phishing... Quishing?

Scammers have found a new tool in the ever-evolving battle to defraud companies and steal credentials.  We all know by now that the most successful way for bad actors to get access to company resources and set up schemes to steal money is through phishing.  As the scammers get better at creating authentic-looking phishing messages, the industry continues to fight back with things like multifactor authentication, blocking unknown sites, and better artificial intelligence in the spam filters.  But the scammers have recognized that spam filters currently focus on the words and links in an email to identify phishing attempts.  The easy way around this is to use images instead of text, so they have weaponized QR codes: a QR code is an image, but it encodes a link that can redirect you to a malicious phishing website.  In addition to hiding their malicious links in an image, the scammers know that you will probably scan the QR code with your personal cell phone, which doesn't have the same protections as your work computer.  The end result is typically to send you to a fraudulent website that asks for your password.

Here is an example of what a fraudulent QR code phishing (Quishing) message may look like.  These scams could state that your password has expired, that you need to install a new tool, view a document that was sent to you, or validate your credentials, or make any number of other requests to get you to visit a malicious site and enter your password.

If you ever see one of these Quishing messages in your inbox, don’t scan the code until you have verified its authenticity.  And if it is a scam, report it in order to prevent others from being tricked by the same messages, QR codes, and underlying links.  Here are some pointers to keep in mind when reviewing messages.

  • Never scan a QR code from an unfamiliar source. We won't ever send them for anything other than setting up multifactor authenticators like Duo.  And in those cases, you'll know to expect it.
  • If you receive a QR code from a trusted source via email, confirm via a separate medium – e.g., text message, voice call, etc. – that the message is legitimate.
  • Stay alert for hallmarks of phishing campaigns, such as a sense of urgency and appeals to your emotions – e.g., sympathy, fear, etc.
  • When possible, preview the QR code's URL before opening it to see if it appears legitimate. Make sure the website doesn't have obvious misspellings and uses a trusted domain. Don't click on unfamiliar or shortened links.
  • Be extremely wary if a QR code takes you to a site that asks for personal information, login credentials or payment.
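As an added example (not part of the original notice), here is a small Python triage helper that applies the checklist above to a URL already decoded from a QR code; the trusted-domain list, the shortener list and the sample URLs are constructed placeholders, not this organization's real configuration.

```python
from urllib.parse import urlparse
from difflib import SequenceMatcher

# Constructed sample data: domains this organization treats as trusted, and
# well-known link shorteners that hide the real destination of a link.
TRUSTED_DOMAINS = {"example-university.edu", "duo.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}
# Path/query words that suggest the page will ask for credentials or account data.
CREDENTIAL_HINTS = ("login", "signin", "password", "verify", "validate", "account")


def registrable_domain(host):
    """Crude 'last two labels' reduction: mail.example.com -> example.com."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike_of(domain, trusted):
    """Return the trusted domain this one closely resembles (a likely misspelling), else None."""
    for known in trusted:
        if domain != known and SequenceMatcher(None, domain, known).ratio() >= 0.85:
            return known
    return None


def triage_qr_url(url, trusted=TRUSTED_DOMAINS):
    """Apply the checklist to a decoded QR URL; return the list of reasons to distrust it."""
    reasons = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    domain = registrable_domain(host)
    if parsed.scheme != "https":
        reasons.append("not https")
    if domain in SHORTENERS:
        reasons.append("shortened link hides destination")
    if domain not in trusted:
        near = lookalike_of(domain, trusted)
        reasons.append(f"lookalike of trusted domain {near}" if near else "unfamiliar domain")
    target = (parsed.path + "?" + parsed.query).lower()
    if any(hint in target for hint in CREDENTIAL_HINTS):
        reasons.append("page asks for credentials or account details")
    return reasons


if __name__ == "__main__":
    # Constructed sample URLs as a QR decoder might return them.
    for sample in ("https://example-university.edu/docs/view?id=12",
                   "https://bit.ly/3xyz",
                   "http://example-universlty.edu/login"):
        print(sample, "->", triage_qr_url(sample) or ["no findings"])
```

An empty result only means the URL passed these heuristics; it is still worth confirming through a separate channel, as the second pointer above says.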


You can learn more about Quishing here:

https://arstechnica.com/security/2023/06/torrent-of-image-based-phishing-emails-are-harder-to-detect-and-more-convincing/

https://www.techtarget.com/searchsecurity/feature/Quishing-on-the-rise-How-to-prevent-QR-code-phishing