Around the world, organizations are leveraging QR codes to simplify the way in which they conduct business. Whether that means offering QR code-based rebates, coupons or document access, QR codes are synonymous with everyday efficiency.

However, widespread QR code adoption has expanded opportunities for cyber criminals, who have developed means of manipulating QR codes and who are leveraging the codes as a new attack vector. Experts are calling this “quishing,” — a portmanteau of the words “QR codes” and “phishing”.

Across a three-year time horizon, from 2021 to 2024, cybersecurity researchers observed a 900% increase in QR code-based phishing attacks, substantially outpacing the growth of other cyber threats.

An Overview of the Landscape:

These days, more than 10% of phishing emails involve a QR code. For cyber criminals, an advantage of QR codes is that they can bypass legacy security solutions. These solutions may be able to detect malicious URLs, but often lack the capacity to analyze the content that’s embedded within black and white digital code.

Another reason as to why cyber criminals have pursued QR code-based phishing pertains to how victims cannot effectively confirm a link’s validity until the link is already open. In turn, cyber criminals can force malware downloads or gently lure people into credential harvesting traps.

Common QR Code Phishing Tactics:

  • Strategic Obfuscation: In this tactic, attackers leverage QR codes to conceal malicious links. A common scenario involves sending an email that appears to originate with a legitimate service provider, such as a bank, but that includes a malicious QR code.

  • Physical and Digital Substitution: This approach involves replacing legitimate QR codes with fraudulent ones. Attackers might place counterfeit QR code stickers on parking payment stations, retail displays or public charging stations.

    When scanned, the codes direct to sites that launch malicious downloads or that capture sensitive information.

  • Social Engineering with Delivery: In this scheme, cybercriminals send unexpected packages to potential victims, complete with QR codes embedded in the packaging or the enclosed materials.

    The codes lead to malicious sites that harvest credentials or personal information under the auspices of confirming delivery details.

Preventing QR Code Phishing:

The dramatic rise in quishing underscores the need for enhanced security measures.

  • Train staff to verify the legitimacy of email-based QR codes through official channels
  • Alternatively, implement policies that ban the scanning of QR codes from unknown or unanticipated sources
  • Conduct regular security simulations that include QR-based attack scenarios
  • Avoid implementing QR code-based transactions and use standard interaction methods instead

Beyond these basics, organizations should lean on technological solutions that can identify and neutralize quishing attempts.

The Check Point Harmony Email & Collaboration (HEC) Advantage:

Recognized as a Leader in the Gartner Magic Quadrant for Email Security, HEC offers critical capabilities including QR code threat neutralization, which automatically identifies and disables malicious QR codes before delivery, and precision detection, which achieves nearly perfect threat identification rates.

With Check Point Harmony Email and Collaboration, your organization can establish a multi-layered prevention and defense strategy that not only protects your organization against existing QR code-based attacks, but that can also stop evolving threats.

Ready to strengthen your organization's cybersecurity? Request a demonstration of Harmony Email and Collaboration today. Click here to get a demo.